Privacy Shield: ECJ ruling unsettles businesses
The ruling was eagerly awaited by many businesses: On 16 July 2020, the European Court of Justice overturned the so-called EU-US Privacy Shield (Press release). What is behind this decision? The EU General Data Protection Regulation (GDPR) is intended to limit the abuse of data as far as possible. However, other countries have much more lenient regulations. To create a legal basis for cross-border data transfers, the European Data Protection Board reviewed the level of data protection applicable in non-EU-member states. In the case of the USA, the so-called EU-US Privacy Shield was created in 2016.
The ruling of the European Court of Justice has now eliminated the legal basis for the transatlantic transfer of personal data for many businesses. This means that when it comes to transferring data to the USA, businesses now operate in a legal grey area. This is a difficult situation considering how frequently cloud services such as MS Azure, Amazon Web Services (AWS) or US software with telemetry functionality such as MS Office 365 are used. SaaS (Software as a Service) products such as the Zoom video conferencing tool, the use of social media plug-ins and tracking services (Google Analytics) or the storage of data on cloud storage such as One Drive have also become a critical issue – not least because the ECJ ruling does not provide for a transitional period for implementation. Businesses that exchange personal data with the USA now need to take action swiftly. Strictly speaking, any transatlantic data transfer can only take place on the basis of Standard Contractual Clauses (SCC). But these are not considered to be fully legally secure either. So what are the ways out of this dilemma?
Legal bases for data transfer to non-EU-member states
According to the General Data Protection Regulation (GDPR) in force since May 2018, personal data may only be transferred to countries outside the European Union – so-called third countries – if a comparable, “adequate” level of data protection exists there (cf. Articles 44 – 49 GDPR). The GDPR requires additional safeguards to be in place to ensure the European level of data protection. Which legal regulations do apply?
- Transfers on the basis of an adequacy decision (Art. 45 GDPR)
According to the EU Commission, the following third countries have an adequate level of data protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay (but not the USA).
- Privacy Shield decision of the EU Commission
An adequate level of data protection has so far been attested for the USA, provided that US companies committed themselves to comply with EU law on the basis of the EU-US Privacy Shield (a list of 5,378 registered companies can be found on the website of the US Department of Commerce). However, the ECJ has now invalidated the Privacy Shield.
- The Standard Data Protection Clauses (formerly Standard Contractual Clauses)
These are contract clauses pre-formulated by the EU Commission. They require data importers in a third country to ensure that they respect the level of data protection applicable in the EU (or as laid down in the GDPR).
- Binding Corporate Rules (BCR)
Binding Corporate Rules are policies for the handling of personal data, which are drawn up by the respective company itself and which undergo a final approval procedure. This alternative scheme, however, involves additional work and costs for businesses and has not been used very frequently so far.
As a “last resort”, there would still be the possibility of obtaining the consent of data subjects. However, this alternative does not seem to be very workable for various reasons as consent may be revoked at any time, must be given voluntarily and must be documented accordingly.
- Derogations for specific situations
Exceptions (Art. 49 DSGVO) are only made if very specific and strictly regulated conditions are fulfilled.
What can businesses do now?
Any data transfer that was previously based solely on the Privacy Shield is now considered inadmissible by the ECJ ruling, unless further or additional legal bases derived from Articles 44 – 49 of the GDPR apply. In the event of violations, data protection supervisory authorities can impose various sanctions – including transfer bans and fines.
This does not mean, however, that all data transfer between the EU and the USA will now come to a standstill. Standard data protection clauses may remain a possible legal basis for data transfers to the USA. But restrictions and possibly changes apply. The processing of personal data in third countries must be based on the level of data protection laid down in the GDPR. It remains to be seen whether this is even possible within the framework of US legislation. Another option would be to create and approve Binding Corporate Rules. Or businesses would have to obtain the consent of the data subjects before any transfer of their data to the USA. In any case, businesses are well advised to take an inventory of the US providers used and to “classify” them in a timely manner.
Checklist: Data transmission to third countries
The European Data Protection Board (EDPB) has compiled a checklist of the most frequently asked questions regarding data transfers to third countries. These are the key statements:
- Businesses should document and review all data transfer operations to third countries and determine their legal basis.
- All data recipients in third countries, especially those based in the USA, must be checked for suitable safeguards (Art. 44-49 GDPR) before further data transfer.
- For data transfers that have so far been made on the basis of the Privacy Shield, it should be clarified whether Standard Data Protection Clauses, Binding Corporate Rules or similar provisions can be used as a legal basis in the future, or whether a derogation under Art. 49 GDPR is possible.
- If the data transfer is based on Standard Data Protection Clauses or Binding Corporate Rules, businesses must ensure that these tools provide a level of protection that is adequate to EU data protection legislation.
- If this is not the case, the next step would be to check whether adequate data protection can be achieved by additional measures such as encryption or contract amendments.
- If an adequate level of protection cannot be achieved, it must be examined whether “derogations for specific situations” (according to Art. 49 GDPR) can be applied. If this is not possible either, data transfer must be suspended.
- If data transfer continues without an adequate level of protection in the third country, the transfer controller must inform the competent supervisory authority.
All EDPB recommendations can be found on the corresponding FAQ page. Furthermore, the European Data Protection Board has issued new Guidelines on Standard Data Protection Clauses which, among other things, take a closer look at the current situation with regard to joint controllership.
Conclusion and outlook
An Orientation guide on international data transfer was published by the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI). It is aimed at public bodies and businesses that transferred personal data to US companies before the Privacy Shield was invalidated. This guide contains further information on the legal basis of data transfers, especially to the USA, and a checklist of specific measures.
Often business in the current situation are advised to follow this motto: Don’t panic! Nevertheless, you should react swiftly and take the first steps. The experts from TÜV Rheinland will be happy to advise you. If required, we will provide support in a number of areas including the analysis of your transfers to third countries and the privacy-compliant collaboration with external service providers.
Dr. Stefanie Schneider
Stefanie Schneider is a Security Consultant (Data Protection Department) in the “Mastering Risk and Compliance” department of TÜV Rheinland i-sec GmbH. In her function as external data protection officer (eDSB) she advises various companies in the production and service sectors. Stefanie Schneider is a certified company data protection officer (GDDcert EU), PC network specialist and certified MCSE, MCPI and CNA.
Electric mobility: charging infrastructure getting more extensive
The new decade is all about climate protection – and one of the major challenges we face is climate-friendly (electric) mobility. The new EU emissions target, which comes into force in 2021.
Cool title – no applicants? Sorting the good ads from the bad
Skills shortages, the talent war and demographic change – all excellent choices for a round of buzzword bingo as played by HR specialists. The job market’s not getting any easier for employers.