The European Court of Justice (ECJ) delivered its decision yesterday, Thursday. Many had awaited it with great nervousness, and it landed as a bang that was partly expected and partly feared. When the hearing in the Schrems / Facebook II case (C 311/18) took place in July 2019, the then data protection commissioner of Baden-Württemberg called the case the “Rumble in the Jungle” (a reference to the legendary Muhammad Ali boxing match). Yesterday the match ended with a knockout.
I. What was it about exactly?
The dispute between Schrems and Facebook has a long history. In 2011, the then Austrian student Maximilian Schrems filed a complaint against Facebook objecting to the transfer of his personal data to the USA. The background was the Snowden revelations about the surveillance practices of the NSA. In 2015, the ECJ ruled that the so-called “Safe Harbour Agreement” then in force with the USA did not provide sufficient protection for data processing and that no transfer of data to the USA could therefore be justified on this basis.
The successor model was the EU-US Privacy Shield Agreement, which has formed the basis for a large proportion of data transfers to the USA since 2016. It was a kind of self-certification mechanism organised by the EU and the US Department of Commerce, to which some 4,800 American companies had most recently submitted. It was intended to ensure adequate protection for EU data.
However, a large proportion of data transfers from the EU to third countries (i.e. countries outside the EU and the EEA) did not take place on the basis of the Privacy Shield mechanism at all, but on the basis of so-called Standard Contractual Clauses (SCC), which Facebook also invoked after the Safe Harbour decision. Maximilian Schrems, now a lawyer, adapted his complaint to these new facts and continued to demand that Facebook be prevented from transferring his data to the USA. The case originated in Ireland, where Facebook’s European headquarters are located. In 2018, the Irish High Court found that the US regulators conducted targeted mass surveillance and referred a number of questions to the ECJ. These concerned both the Privacy Shield Agreement and the SCC, so the ECJ now had to rule on both transfer mechanisms.
II. Principles for data transfer to countries outside the EU/EEA
Before assessing the decision of the ECJ and drawing conclusions from it, it is advisable to look at the principles governing data transfers to third countries.
1. Decision on adequacy
Under European law, the transfer of personal data to third countries is only permissible if an adequate level of data protection is also ensured there. Under Art. 45 GDPR, the European Commission may determine that a third country or an international organisation guarantees such an adequate level of data protection. If this is the case, no further action is required and the transfer of data is permitted without further ado. Adequacy decisions at EU level currently exist for the following countries: Andorra, Argentina, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, Canada, New Zealand, Switzerland and Uruguay.
In addition, there is the already mentioned Privacy Shield Agreement for the USA.
In the absence of an adequacy decision, the GDPR assumes in principle that the third country does not have an adequate level of data protection. In this case, the transfer of data must be accompanied by further protective measures. The following options may be considered:
2. Standard Contractual Clauses (SCC)
SCC issued by the European Commission can be used as a basis for data transfers to third countries and international organisations without further approval by the supervisory authorities, provided they are incorporated into the underlying contracts essentially unchanged. Since the European Commission has not yet issued any standard contractual clauses since the GDPR entered into force, Art. 46 (5) GDPR stipulates that the SCC previously issued under the EU Data Protection Directive remain valid.
3. Approved sets of rules
Alternatively, individually negotiated contractual clauses may be compliant with data protection law, but they must be approved by the competent supervisory authority and coordinated with the other European supervisory authorities.
The same applies to binding internal data protection regulations (Binding Corporate Rules/BCR), which are particularly applicable in large international groups. However, they only regulate the internal transfer of data between group companies and do not allow data to be transferred to external parties, such as service providers.
Another possibility is an approved Code of Conduct or an approved certification mechanism, although here too approval by the relevant supervisory authorities or special certification bodies is required.
An important aspect of all the approvals mentioned above is that the supervisory authority must check whether the responsible party in the third country is subject to legally binding and enforceable obligations. This is where such arrangements often fail, because affected EU citizens and companies lack a means of enforcement abroad.
4. General grounds of justification
In addition to the specific guarantees mentioned above, there are also the general exceptions under the GDPR, namely the consent of the data subject (which, however, has little relevance in employment law), the necessity of the transfer for the performance or conclusion of a contract between the individual and the controller (this too is irrelevant for transfers of personal data in the employment context), transfers for important reasons of public interest, and transfers to protect the compelling legitimate interests of the organisation. These exceptions must be interpreted strictly and, according to the guidelines of the European Data Protection Committee, may not be used for regular data transfers involving a large number of persons.
The legal situation described above shows the importance of the SCC and, in relation to the USA, the Privacy Shield Agreement. This underlines the significance of the ECJ’s current decision.
III. What has the ECJ decided?
Under reason 5 of its decision, the ECJ stated with unmistakable clarity that the agreement between the EU on the one hand and the United States of America on the other, generally referred to as the “EU-US Privacy Shield”, which until now has been fundamental for many data transfers to the USA, is invalid. A transfer on this basis may therefore no longer take place, with immediate effect. This concerns those companies that have certified under the agreement. These companies must now immediately seek a new legal basis for their data transfers.
With regard to the frequently used SCC (see Section II.2 above), the ECJ has made a differentiated decision. According to its ruling, the use of these clauses is neither a carte blanche for a data transfer nor generally inadmissible. However, the users of the standard data protection clauses on both sides (sender and recipient of the data) must ensure not only that the contractual clauses are implemented in their relationship, but also that they are checked against the legal regulations in the country to which the data is transferred for compatibility with the GDPR. In addition, the ECJ has established that the Data Protection Authorities in the EU are obliged to intervene and prohibit a data transfer that does not meet these conditions. In the present dispute, this means that the data transfer Facebook has carried out on the basis of SCC will be inadmissible in the future. Ultimately, however, the ruling goes much further: although the ECJ did not expressly establish this, it should be beyond doubt, at least in relation to the United States of America, that the data protection regulations there do not normally comply with European standards. The decisive factor, which also played a decisive role in the proceedings, is that the American security authorities reserve comprehensive access to the data of American companies, even if the data are not located on servers in the USA. Contractual agreements between two parties under civil law, in which the parties undertake to comply with European data protection standards, are therefore ultimately of no help at all in relation to the USA, because American companies have no legal means of denying their own security authorities access.
It follows that a data transfer to the USA can now essentially only take place if the transfer is either necessary for the fulfilment of contractual obligations or if the person affected by the transfer has given legally valid consent.
IV. What to do?
Companies that routinely transfer data to the USA, or allow access to personnel data from there, on the basis of the Privacy Shield or SCC are urgently required to stop this practice immediately. If a data transfer is still considered indispensable, alternatives such as BCR must be examined and, if necessary, implemented.
Company agreements and employment contracts that permit the transfer of personnel data with reference to the Privacy Shield or standard contractual clauses must also be reviewed and, if necessary, immediately revoked and adapted.
Further data transfers in contravention of the ECJ’s decision could result in substantial fines.
Ultimately, the decision is likely to result in much greater data minimisation in relation to the USA in particular (and to other countries with comparably low data protection standards, including, for example, the People’s Republic of China). This also applies to the transfer of personnel data within a corporate group, for example from and to an American or Chinese parent company. Contracts with service providers that process personnel data (commissioned data processing) should not be forgotten either. Here too, it must be checked immediately where data is stored and whether the processing meets the requirements of the ECJ. This affects many American software and IT service providers.