Today, the highly anticipated ECJ decision on the GDPR conformity of the EU-US Privacy Shield - triggered by the Irish Data Protection Authority in the proceedings of Schrems and Facebook - was issued (C 311/18 - "Schrems II"). In a nutshell, the adequacy decision by the EU Commission on the Privacy Shield (2016/1250) has been declared invalid – just like its predecessor, the Safe Harbor agreement, back in 2015. DORDA's data protection experts have summarized the practical implications of this decision, in particular whether it is still possible to rely on EU standard contractual clauses as an alternative:
History and former situation
Back in 2013 Max Schrems filed a complaint with the Irish Data Protection Authority requesting the authority to prohibit Facebook Ireland from transferring his personal data to the US. Facebook Ireland had based the respective data transfer on the Safe Harbor Agreement concluded between the EU and the US. Max Schrems argued that US law and practice would not sufficiently protect personal data stored in the US from surveillance activities of local authorities. The ECJ shared this view and, on 6 October 2015, declared the Safe Harbor Agreement invalid in its decision C 362/14.
Subsequently, a follow-up agreement, the Privacy Shield, was entered into between the EU and the US. This was now on trial. Max Schrems again argued that the extensive surveillance possibilities and the lack of legal protection against such interference in the US would not be compatible with Art 7, 8 and 47 of the Charter of Fundamental Rights. Accordingly, the adequacy decision of the EU Commission - which treats transfers to recipients certified by Privacy Shield in the US as equivalent to a data transfer within the EEA - should be repealed.
Privacy Shield invalid
Today, the ECJ - unsurprisingly - followed Max Schrems' concerns and declared the EU-US Privacy Shield invalid. In terms of content, the ECJ emphasized that the well-known surveillance possibilities pursuant to US law, in particular under Sec 702 of the FISA, E.O. 12333 and PPD-28, (i) are not appropriate and not limited to the extent strictly necessary and, in addition, (ii) do not ensure a level of protection or provide guarantees and remedies for persons outside the US who might be covered by respective surveillance measures.
Even if the decision triggers an immediate need for action by European companies due to the extensive integration of US providers - especially in the field of outsourcing and cloud services - it is not a complete show stopper for US data transfers, since there are (still?) effective alternatives available. This distinguishes the current situation substantially from the situation after the declaration of invalidity of the Safe Harbor Agreement. In those days, the only option under the Austrian Data Protection Act 2000 was the conclusion of standard contractual clauses, which then additionally needed to be approved by the Austrian Data Protection Authority. This procedure took at least months - often even years. Thus, the annulment of the Safe Harbor Agreement could not be quickly substituted. Today, by contrast, based on the framework of Art 46 GDPR, it is possible to quickly rely on other suitable guarantees for the data transfer to the US: Pursuant to Art 46 Par 2 GDPR, data may be transferred to third countries not covered by an adequacy decision - which from now on also includes Privacy Shield certified US recipients - without the need for an authorization, provided one relies inter alia on binding corporate rules (BCR) or standard contractual clauses (SCC).
The SCCs are fully and directly effective. The former local requirement for an additional official authorization was thus abolished with the application of the GDPR. Many IT providers have therefore already concluded SCCs in parallel, as lessons learned from the Safe Harbor case and the well-known vulnerability of the Privacy Shield. Wherever this is not yet the case, one may on short notice enter into SCCs, creating an alternative legal basis for the data transfer that substitutes the Privacy Shield. In practice, it is thus most important to immediately check all contracts with US providers as to whether (i) they at least potentially allow the transfer of personal data and (ii) SCCs have already been agreed upon. If the latter is not the case, it should be done as soon as possible.
Standard contractual clauses still valid
In its decision, the ECJ has, apart from the Privacy Shield Agreement, also addressed the validity of the SCCs and confirmed it against the following background: The clauses themselves do not state anything about the adequacy of the level of data protection of a third country. Rather, they are intended to provide appropriate contractual guarantees, particularly for recipients in third countries without an adequate level of protection. It is therefore - and has always been - the responsibility of the data controller or processor to check whether the SCCs already provide sufficient guarantees or whether additional measures are required in order to ensure such an adequate level of protection. Therefore, the conclusion of SCCs is still a suitable legal basis for data transfers to the US. After the recent ECJ ruling, data transfers to the US will generally have to take into account the potential data protection risks arising from US legislation and its structure. In this regard it is questionable if and how a company based in the US may provide sufficient security measures despite being subject to these legal requirements. One possible approach might be to provide additional security measures by agreeing on additional (stricter) contractual obligations in the SCCs themselves. This might help to mitigate risks and doubts. Which measures are reasonably possible and necessary, however, depends on the respective circumstances in the third country, the scope and sensitivity of the data transferred and, lastly, on the effectiveness of the contractual clauses. GDPR compliance of SCCs for data transfers may thus inter alia be achieved by stipulating further information obligations, cooperation processes and additional termination rights.
From a political point of view, it should be noted that one day after the EU General Court's decision on the admissibility of Irish tax benefits for US technology companies, the ECJ in today's ruling, based on EU data protection law (which, unlike tax law, is harmonized by the GDPR), has scotched a possible friendly interpretation for US technology companies by the Irish Data Protection Authority. The ECJ explicitly stated that data transfers to the US must comply with the strict EU standards of protection of fundamental rights.
Since the Privacy Shield has been declared invalid, data transfers to the US must now either be stopped or - and this seems to be the only realistic alternative - quickly based on other appropriate safeguards in order to allow future data transfers to US recipients. These contractual agreements are subject to the respective control of the competent local supervisory authority, which will have to decide on a case-by-case basis whether the provided guarantees are sufficiently effective. The DORDA data protection experts are of course happy to answer any questions you may have and to assist you with the necessary review and amendment of your agreements in this regard.