In a high-profile ruling on 16 July 2020, the European Court of Justice (ECJ) in the “Data Protection Commissioner v. Facebook Ireland and Schrems” case (C-311/18) “invalidated” Decision 2016/1250 on the adequacy of the protection provided by the EU-US data protection shield. However, the “standard contractual clauses for the transfer of personal data to processors established in third countries” remain valid.
Thus, the EU-US Privacy Shield Agreement has finally failed and is invalid. Effective data export to the US can now only be realized by standard contractual clauses or binding corporate rules of the data importer.
A press release has already been published – the full text of the ruling is still pending.
ECJ Follows Recommendation of the Advocate General: Privacy Shield Decision is Invalid
The Court thus essentially followed the recommendation of the Advocate General in his Opinion. While the opinion did not call for a direct ruling by the ECJ on the Privacy Shield Decision of the European Commission (Decision 2016/1250), the Advocate General had fundamental doubts as to the effectiveness of that decision – especially against the background of the lack of legal remedies and the extensive powers of the US security and intelligence authorities to access data. This aspect was further intensified with the adoption of the CLOUD Act in March 2018.
Data protection activist Schrems was already able to bring down the Privacy Shield’s predecessor “Safe Harbour” in 2015: that data agreement between the EU and the USA was also declared invalid by the ECJ at the time (C-362/14).
The ECJ has now (again) confirmed Schrems and the Advocate General’s view on Privacy Shield: in particular, the “Ombudsperson mechanism […] does not provide data subjects with any cause of action before a body which offers guarantees substantially equivalent to those required by EU law, such as to ensure both the independence of the Ombudsperson provided for by that mechanism and the existence of rules empowering the Ombudsperson to adopt decisions that are binding on the US intelligence services.”
Standard Contractual Clauses and Binding Internal Data Protection Rules Remain Valid
On the other hand, the ECJ left the Commission’s adequacy decision on standard contractual clauses (Decision 2010/87) untouched.
In this respect, the ECJ notes that the Decision (and thus the standard contractual clauses) “contains effective mechanisms which can ensure in practice that the level of protection required by Union law is respected” and that corresponding “transfers of personal data are suspended or prohibited if those clauses are infringed or if compliance with them is impossible”.
The ECJ also attaches particular importance to the notification obligations and rights of withdrawal which the standard contractual clauses provide for in the event that the data importer cannot (any longer) guarantee the agreed level of data protection.
Need for Action: Review of Existing Contractual Arrangements With Data Export to the US
For companies that use the services of processors in the US (e.g. Microsoft Azure or Amazon AWS), there is now a concrete need for action: Existing contracts must be checked to see what arrangements have been made for data transfer or data export.
If the contractual regulation relies on Standard Contractual Clauses or Binding Corporate Rules in addition to the Privacy Shield certification of the provider, the data exporter is only seemingly on the safe side: especially now, the correct implementation of the Standard Contractual Clauses should be revalidated. In this respect, the supervisory authorities do not allow any changes to the wording, the annexes must be filled in correctly, and direct contracts may be necessary if sub-service providers are used.
The ECJ also emphasises that the data exporter and the data importer must check in advance whether the required level of protection is met in the third country concerned, and that the recipient must, where appropriate, notify the data exporter that it cannot comply with the standard protection clauses, whereupon the exporter must suspend the data transfer and/or withdraw from the contract with the recipient. In this respect, US service providers must check whether compliance with the clauses is possible against the background of the monitoring programmes (keywords: PATRIOT Act and CLOUD Act).
In the case of Binding Corporate Rules, it must be checked whether these have been properly reviewed and approved by a supervisory authority and whether they apply to the present data transfer situations (when using service providers, so-called Binding Corporate Rules for processors are regularly required).
If, on the other hand, the contract is based solely on the Privacy Shield certification of the data importer, urgent action is required: These contracts must now be renegotiated very promptly and concluded again in compliance with the ruling.