The transfer of personal data to the United States under the so-called Privacy Shield is not compliant with the GDPR. That is what the European Court of Justice decided on 16 July 2020 in the Schrems II judgment. The transfer of personal data on the basis of “standard contractual clauses” (SCCs) remains in place, but only under the condition that the receiving country offers a legal protection equivalent to data protection within the EU.
Within the member states of the European Economic Area (EEA), personal data may be freely transferred as long as the general principles of the GDPR are respected. The transfer of personal data to countries outside the EEA, on the other hand, is only possible in the following situations:
- For the third country concerned, an adequacy decision has been adopted by the European Commission (for the United States, this was the case to the extent that the organisation was a member of the EU–US Privacy Shield; there are also adequacy decisions for Canada, Switzerland, Japan, among others);
- There is no adequacy decision, but so-called “appropriate safeguards” have been put in place for the protection of personal data (these include the SCCs approved by the European Commission or the Binding Corporate Rules (BCRs));
- The transfer falls under the specific derogations provided for in Article 49 of the GDPR (e.g., transfers that are necessary for the conclusion or performance of a contract, or transfers that occur on the basis of the explicit consent of the data subject). However, these derogations can only be applied on an occasional basis.
The Schrems II judgment
Austrian privacy activist Max Schrems contested Facebook’s use of SCCs for the transfer of personal data to its headquarters in the United States and filed a complaint with the Irish data protection authority to challenge the validity of the SCCs. His main objection concerned the transfer of personal data under the SCCs to, among others, the United States, while the US security services (e.g., the CIA, FBI or NSA) have large-scale access to these data. The case eventually ended up before the European Court of Justice, which ruled on both the SCCs and the Privacy Shield:
- the transfer of personal data to third countries under SCCs remains valid, but only insofar as the legal privacy protection in the third country is in line with the level of protection ensured within the EU. According to the Court, it is no longer sufficient to use SCCs, but the transferring country (and the receiving country) should effectively assess whether the legal framework in the third country provides an adequate level of protection. In case of insufficient protection, the supervisory authorities may even suspend or prohibit the data transfer;
- the transfer of personal data to the United States under the Privacy Shield has been completely invalidated because of possible interference with the transferred personal data by the US security services. Moreover, there are insufficient legal remedies under the Privacy Shield against such interference.
This judgment raises many questions for companies that currently transfer personal data to the US and to other third countries.
Position of the European Data Protection Board
Immediately after the judgment, several national authorities indicated that they would further examine the concrete consequences. In the meantime, the European Data Protection Board (EDPB) has published a FAQ taking a strict view and stating that:
- Privacy Shield can no longer be used, with immediate effect (i.e., there is no transitional or grace period as the British ICO, among others, had suggested);
- the use of SCCs for transfers to third countries should be assessed on a case-by-case basis, in light of the concrete circumstances and supplementary measures that can be provided to ensure that the data are sufficiently protected. The EDPB will issue further guidance on what exactly these “additional measures” could consist of;
- the judgment also applies to transfers based on other transfer mechanisms such as BCRs and, therefore, the need for supplementary measures also needs to be examined;
- if it appears that the security of the data cannot be guaranteed in view of the concrete circumstances and the possible supplementary measures, the transfer must be suspended or ended. If the transferring party still wishes to proceed with the transfer even though adequate protection cannot be guaranteed, the competent supervisory authority should be notified;
- data transfers are still possible under the specific derogations in Article 49 of the GDPR, but the EDPB emphasises that the derogation for transfers necessary for the performance of a contract can only be used for occasional transfers.
How to transfer data from now on?
For transfers to the US, the Privacy Shield has been invalidated with immediate effect and the Court of Justice has decided, after analysis of the US legal framework, that there is no adequate protection. Consequently, the only possibility for systematic transfers to the US is to use another transfer mechanism (e.g., SCCs or BCRs) in combination with other supplementary measures, insofar as it can be demonstrated that the data are thereby appropriately protected.
For transfers to other third countries, companies can of course still rely on the adequacy decisions if these are available for the country concerned. For countries for which no adequacy decision has been adopted, an analysis of the legal protection in the third country will always have to be carried out so that the transfer can be based on SCCs or BCRs. It will be important to properly document this analysis within your company. If it turns out that the legal framework does not offer protection equivalent to the GDPR, then supplementary measures will have to be taken for appropriate data protection.
Note that because of Brexit, the UK will become a third country on 1 January 2021 and – unless the European Commission adopts an adequacy decision – the same analysis of the legal framework will have to be carried out for the UK. Given that the UK allows for a high level of interference by its security services under the Investigatory Powers Act, the European Commission may decide not to adopt an adequacy decision and therefore supplementary measures may be necessary to ensure appropriate protection for data transfers (via SCCs or BCRs) from the EU to the UK.
Develop a full documentation of data transfers to third countries:
- identify what data are processed in which third countries and on the basis of which safeguards (this should, in principle, already be indicated in the record of processing activities);
- assess to what extent these safeguards would require supplementary security measures (e.g., encryption, imposing a notification in case of governmental intervention);
- impose on data recipients in third countries an obligation to notify your company if they are requested by a public authority to provide data and, where appropriate, to contest such requests.
We further recommend that you contact service providers in the US who currently rely on the Privacy Shield to ask (i) how they will deal with the Privacy Shield’s invalidation and (ii) whether they are prepared to enter into SCCs and take supplementary measures to ensure data security and (iii) what specific security measures they propose to ensure that privacy and the right to data protection are optimally protected.