Invalidation of the Privacy Shield by the Court of Justice of the European Union
ECJ, 16 July 2020, Data protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, C-311/18
In a judgment of 16 July 2020, the ECJ invalidated the EU-US Privacy Shield. Transfers of personal data from the EU/EEA to the US based on this legal framework are now illegal, and companies can no longer refer to it.
- The EU-US Privacy Shield
The Privacy Shield refers to a self-certification mechanism for companies based in the United States, which allowed companies located in the EU to transfer personal data to self-certified companies in the US. This framework was adopted by the European Commission's adequacy decision 2016/1250, which considered that the US provided an adequate level of data protection. The Privacy Shield replaced the Safe Harbor framework invalidated by the ECJ in 2015 (C-362/14).
In its judgment of 16 July 2020, the ECJ answers the preliminary ruling referred by the High Court of Ireland following the complaint of Maximilian Schrems, an Austrian citizen, seeking to prohibit Facebook Ireland from transferring his personal data to servers belonging to Facebook Inc. located in the United States.
- Analysis of the ECJ
The GDPR provides that the transfer of data to a third country outside the EEA may in principle only take place if the third country in question ensures an adequate level of protection (Art. 44 et seq.). The Commission may find that a third country ensures an adequate level of protection by adopting an adequacy decision. In the absence of such a decision, the transfer may only take place if the exporting controller or processor provides for appropriate safeguards, such as Standard Contractual Clauses ("SCCs") or Binding Corporate Rules ("BCRs").
The ECJ considers the Commission’s decision 2010/87 on SCCs to be valid. It ruled that the transfer to a third country on the basis of SCCs provides for an effective mechanism since such transfer must be suspended or prohibited if the recipient does not comply with the SCCs or is unable to comply with them. Indeed, the exporter and the recipient must verify, prior to the transfer, that the third country complies with the level of protection required by the GDPR. In addition, the recipient must inform the exporter of its possible inability to comply with the SCCs or any additional safeguards.
The ECJ invalidates the Commission's adequacy decision 2016/1250 on the Privacy Shield. It ruled that US law does not provide a level of protection "essentially equivalent" to that guaranteed by the EU (Section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333, and Presidential Policy Directive 28). On the one hand, it considers that the access and use by the US authorities of personal data transferred to the United States are not sufficiently regulated, as surveillance programs for national security and foreign intelligence purposes are not limited to what is strictly necessary. On the other hand, it considers that US law does not give persons whose personal data are transferred to the United States a right to effective legal remedies against US authorities before the courts. In particular, it calls into question the independence of the Ombudsperson established by the Privacy Shield.
- Implications for data transfers to the United States on the basis of the Privacy Shield
Transfers of personal data from the EU to the United States based on the Privacy Shield are illegal, and there is no grace period. Data controllers and processors wishing to continue transferring personal data to the United States must rely on other existing transfer mechanisms.
- Implications for data transfers to the United States based on other legal frameworks
According to the ECJ ruling, it is for each exporter of personal data to the United States, together with the recipient, to assess whether the SCCs and the additional safeguards implemented ensure that US law does not compromise the adequate level of protection of the transfer required by the GDPR. If this assessment leads to the conclusion that the adequate level of protection is not respected, the data exporter must suspend the transfer and/or terminate the contract with the recipient. If the exporter nevertheless decides to continue the transfer, it must notify its competent supervisory authority (i.e. the CNIL in France), which may carry out checks on the recipient and suspend or terminate the transfer.
The EDPB and the CNIL indicated that the ECJ ruling also applies to BCRs, since US law also takes precedence over this framework.
Transfers of personal data to the United States remain possible on the basis of the derogations provided for in the GDPR (art. 49). These include in particular consent (when it is explicit, specific to the processing contemplated and collected before the transfer takes place, and when the individual is informed of such transfer), contract (when the transfer is occasional), or important reasons of public interest.
- Implications for data transfers to other non-EEA countries
The EDPB and the CNIL indicated that the threshold set by the ECJ applies to any country outside the EEA. The evaluation and notification procedure specified for SCCs therefore applies to all data transfers to other non-EEA countries, regardless of the transfer framework contemplated.
The invalidation of the Privacy Shield by the ECJ does not create a legal vacuum for data transfers outside of the EU/EEA, since the GDPR provides for alternative transfer mechanisms. Nevertheless, this ruling clarifies the scope and content of the obligations of companies exporting and importing personal data to the United States and any third country. They must engage in a strict evaluation and notification procedure, including the review of contracts between controller and processor. This ruling confirms the principle of accountability of companies and supervisory authorities introduced by the GDPR. The United States and the European Commission have recently begun discussions to assess the possibility of adopting a new legal framework that would comply with the ECJ ruling.
The ECJ ruling is available here.