ECJ cuts data transfers to the USA
The European Court of Justice (ECJ) changed the rules of the game for data transfers to the USA in its judgment of 16 July 2020 (case number C-311/18, full text): With immediate effect, Privacy Shield (Decision (EU) 2016/1250 – „EU-US Data Protection Shield“ or „Privacy Shield“) is ineffective due to fundamental deficiencies in data protection in the USA and can no longer justify data transfers there.
Although the so-called standard contractual clauses (“SCC”) may continue to be used according to the ECJ, such use will require a prior assessment of the controller as to whether an adequate level of data protection can actually be guaranteed in the third country. Since many experts rightly deny this for the USA, the standard contractual clauses are also no longer available for data transfers to the USA. As things stand today, most data transfers to the USA are therefore illegal.
The ruling means that almost all companies and organizations – including public institutions and authorities – are facing with considerable challenges: Countless IT-systems, websites, apps and social media sites require data transfers to the USA based on the Privacy Shield and/or standard contractual clauses. All this became illegal on 16.07.2020 without a grace period (for readers in a hurry: on the practical consequences under part 3).
The judgment means (at present)
Google Analytics: Impossible.
Social media on Facebook, Twitter and Instagram: Impossible.
Video conferencing systems from US suppliers (Zoom, MS Teams): Impossible.
Hosting of services in US-American infrastructure (AWS, MS Azure, Cloudflare): Impossible.
Part 1: Detailed background to the judgment
Data protection in third countries
The General Data Protection Regulation (GDPR) sets a high level of data protection within its scope. This level of protection is not be jeopardized by data transfers to so-called third countries, that is countries outside the EU and EEA. This is because it is not possible to ensure an adequate level of data protection for these countries outside the scope of the GDPR without further measures being taken. Pursuant to Art. 44 GDPR, a transfer of personal data is therefore only permissible under the conditions of Art. 45 et seq. GDPR.
The level of protection for third country transfers can be ensured in particular as follows:
- Adequacy decisions of the EU Commission, Art. 45 GDPR: These are decisions of the EU Commission, stating that the level of data protection in a given third country was carefully examined and found to be adequate in accordance with the criteria listed in Art. 45 (2) GDPR. This is the case with Israel, Japan, Australia and Canada, for example. The complete list of third countries can be found here. No such adequacy decision exists for the USA.
The EU Commission may also allow voluntary commitments by companies from third countries by means of such an adequacy decision, if it ensures a level of data protection comparable to that in the EU/EEA. One such agreement was the Privacy Shield (implementing decision (EU) 2016/1250). The agreement now declared invalid by the ECJ was the successor to the „Safe Harbor“ agreement also declared invalid by the ECJ (cf. judgment of October 6th 2015, C-362/14). On the basis of a certification under the Privacy Shield, numerous data transfers to the USA were legitimized.
- In addition, a transfer to third countries can be based on „appropriate safeguards“ (Art. 46 GDPR). Such safeguards can result above all from „binding corporate rules“ (Art. 47 GDPR) and standard data protection clauses (Art. 46 para. 2 letter c or d GDPR). Binding Corporate Rules (BCR), i.e. binding internal company regulations designed to ensure the level of data protection, are not widespread in practice, as they require a great deal of effort in terms of implementation and approval processes. Following the ECJ ruling, BCR can no longer be considered as safeguard for data transfers to the USA (see below).
Standard Contractual Clauses (SCC, occasionally also referred to as Model Clauses or MC), now referred to as „standard data protection clauses“ in the GDPR, are sample contracts issued by the EU Commission. They are a widely used instrument for ensuring the level of data protection by contractual means and are used in many cases of data transfers worldwide. In the case of the USA, they were often additionally concluded because of the uncertainties in certification under the Privacy Shield, which have been discussed for a long time. SCC have also been used as only safeguard by companies not certified under the Privacy Shield.
Summary of the proceedings
The ruling was again prompted by a complaint lodged by data protection activist Max Schrems with the Irish Data Protection Commissioner (DPC). The complaint concerned the practices of Facebook Ireland Ltd, which also transferred data to its parent company in the USA, the Facebook Inc. One of the issues addressed was whether Facebook Inc. could be obliged under the surveillance laws applicable in the USA to grant US authorities access to personal data transferred from the EU/EEA. Ultimately, the Irish High Court referred the case to the ECJ for a preliminary ruling in order to provide clarification on the compatibility of the Privacy Shield and the SCC with European laws.
The detailed presentation of the ECJ judgment
The ECJ deals in particular with the following questions:
- Questions 7 and 11 (recital 122 et seq.) were intended to know about the validity of the EU Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries (EU Commission Decision 2010/87/EU of 5 February 2010) (in particular with regard to the EU fundamental rights „respect for private and family life“, „protection of personal data“ and „right to an effective remedy and to a fair trial“, Articles 7, 8 and 47 of the EU Charter of Fundamental Rights). This is mainly because the standard contractual clauses only oblige the contracting party, but not third country authorities, to ensure an adequate level of protection.
- By questions 2, 3 and 6 (recital 90 et seq.), the High Court wanted to know about the level of protection that is required when personal data are transferred to a third country on the basis of standard contractual clauses. In other words, on the one hand, which law (EU Charter of Fundamental Rights or national law) is the point of reference. On the other hand, which legal and factual aspects have to be taken into account in order to guarantee this level of protection.
- The High Court also asked in question 8 (paragraph 106 et seq.) whether the competent supervisory authority is obliged to take action against a transfer of personal data to a third country based on the standard contractual clauses if it considers that compliance with the clauses cannot be ensured in the third country.
- By questions 4, 5, 9 and 10 (recital 150 et seq.), the High Court sought to get answers regarding the validity of the Privacy Shield.
In its judgment, the ECJ decided the following in summary:
- Concerning questions 7 and 11 (validity of standard contractual clauses): The ECJ has ruled that the Commission’s decision on standard contractual clauses is valid. The standard contractual clauses remain applicable in principle (recital 149). This is because the standard contractual clauses – if fully implemented and honored by both parties – can ensure an adequate level of data protection.
- On questions 2, 3 and 6 (determination of the level of protection): The ECJ clarifies that the rights of the persons concerned by a transfer from a third country must benefit from a level of protection equivalent to that provided by the GDPR as understood in the light of the EU Charter of Fundamental Rights. The national supervisory authorities must therefore not be acting solely on their respective laws.
In assessing whether this level of protection is actually achieved, two things have to be taken into account. On the one hand, the contractual arrangements between the responsible person and the recipient in the third country. On the other hand, the laws applicable in the third country regarding possible access rights of authorities to said personal data. Thus, circumstances that cannot be controlled by the contracting parties are also relevant. As a result, the requirements of Art. 45 para. 2 GDPR, which sets out the framework for the review of adequacy decisions, must also be observed when assessing the actual level of data protection achieved due to standard contractual clauses.
- Concerning Question 8 (duty of supervisory authorities to intervene): The competent supervisory authorities are obliged to suspend or prohibit data transfers on the basis of standard contractual clauses if they consider, in the light of all circumstances, that the clauses are not (cannot be) complied with in the third country and that the protection of personal data and the rights of the data subjects cannot be ensured by other means. This applies if no adequacy decision has been made for the third country and if the controller does not himself suspend or terminate the transfer…
- …a circumstance (the lack of an adequacy decision) the ECJ then gives rise to, regarding the USA, in questions 4, 5, 9 and 10: The ECJ declares the decision on the Privacy Shield invalid (recital 201), because due to the powers of government authorities, adequate protection cannot be guaranteed there despite the guarantees promised with the Privacy Shield. Data transfers to the USA can no longer be justified on this basis.
Part 2: The significance of the judgment
Data transfers to the USA
The ECJ ruling means nothing less than that the most important basis for the transfer of personal data to data importers in the USA so far is invalid. With immediate effect, data transfers to US companies can no longer be legitimized by the Privacy Shield.
The ruling also calls into question – and this is the further explosive power of the ruling – all other possibilities of data transfers to the USA: for the requirements which the ECJ (see above on questions 2, 3 and 6) places on third country transfers using the standard contractual clauses cannot be complied with in practice. For this to happen, the receiving companies (data importer) would have to assure the person responsible in the EU/EEA (data exporter) that they will not pass on the data to US authorities – which they are legally obliged to do in the USA under various laws.
This is not just an academic question. The ECJ has all but ordered the supervisory authorities to prohibit data transfers if they consider that the standard contractual clauses cannot be complied with de facto. Since the ECJ has already communicated its legal opinion on this matter for the USA, the supervisory authorities cannot remain inactive here.
The ECJ did not comment on the Binding Corporate Rules, as this was not a matter of procedure. However, what was established with regard to data transfers on the basis of the standard contractual clauses applies: As long as access by the authorities perpetuates a risk to personal data, no adequate level of data protection can be guaranteed. If not contractually, then certainly not through a self-commitment of the companies subject to the Binding Corporate Rules.
This leaves only the exceptions pursuant to Art. 49 GDPR for data transfers to the USA, in particular the consent of the data subject or the necessity of the transfer for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures at the request of the data subject. These are exceptions for specific processing activities which do not apply, for example, in the case of centralized data processing within a group of companies or the use of global cloud services in the data subject’s own IT infrastructure.
Data transfers to other third countries
Data transfers to other third countries also have to comply with ECJ requirements. This results in a considerable additional effort for controllers to examine their data flows. For example, the practice of regularly outsourcing support services to Asian countries, such as India or Vietnam, using standard contractual clauses should be considered. On the occasion of the UK’s final withdrawal from the EU on December 31st 2020 after the “Brexit”, there is also the risk that in the case of „hard Brexit“, the UK will have to be treated like any other third country. The joint surveillance practice with the USA as part of the so-called „Five Eyes“ alliance should put the UK and the USA in line.
Part 3: Practical consequences – What do you have to do?
Which data processing operations are concerned?
The ruling of the ECJ is causing a stir across all sectors of industry and all companies and organizations:
Due to the interconnectedness of international data traffic, it’s hard to imagine processing operations that do not currently involve the transfer of personal data to the USA or other third countries without an adequacy decision. Its not even necessary for the first data importer to be located in such a third country – it is sufficient if the data is handed down, at one point in the chain of services rendered, to a data importer in such a third country. For examples, the following points can be mentioned, which show where there is a need for action and the risk of illegal data processing:
- Websites (e.g. corporate websites, online shops and news portals): Hosting, but also numerous additional tools, services and features (e.g. Google Analytics, Facebook Custom Audiences, HubSpot) are offered by US companies which, despite having subsidiaries in the EU, also reserve the right to transfer data to their parent companies in the USA. Here, the already existing pitfalls of data protection law (e.g. with regard to the use of cookies and joint responsibility, see the detailed article on our website) are supplemented by a further problem that is difficult to capture without changing the data flows at these companies (or the powers of the US security authorities …).
- Social media (e.g. Facebook fan page, Instagram, Twitter): The operation of social media sites is affected by the ruling, as according to an earlier ruling of the ECJ, there is a joint control and hence joint responsibility between the fan page operator and the operator of the social network (see in detail the article on our website). As a rule, the operators of the networks reserve the right to transfer corresponding data to the parent companies in the USA, which can now no longer be legitimized under European data protection law. Nevertheless, the ECJ did not miss the opportunity to disseminate the ruling via its own Twitter account (which, according to the principle of „no equality in injustice“ bears no protection from supervisory authorities – unfortunately).
- Cloud computing and cloud services in general: Even with cloud services such as Amazon Web Services (AWS) and Microsoft Azure, service providers reserve the right to transfer data to third countries, especially to the USA.
- Analysis services and tools for websites: When using Google Analytics, Google also transfers the personal data collected to group companies in third countries, for example in the USA. This also applies to other analysis services and tools for websites, such as Vimeo. It becomes perfidious if the tool itself only processes personal data in the EU/EEA, but piggybacks on another analysis tool such as Google Analytics. These cases are also affected.
- Microsoft 365 / Office 365: Microsoft reserves the right to transfer data to the USA and therefore includes the standard contractual clauses in the Online Services Terms (OST) together with the associated data protection agreement (DPA). This raises the question of whether and how the associated products can still be used in conformity with the GDPR in light of the ECJ ruling. (Spoiler: without significant changes in data processing by Microsoft not at all).
- Video services, such as Zoom or Microsoft Teams, which have gained massively in importance during the Corona crisis and in many cases have become an integral part of everyday working life, are also affected.
The above comments apply equally to companies that are processors or make use of processors pursuant to Art. 4 no. 8, Art. 28 GDPR. A processor is liable for infringements committed by another processor („subcontractor“) as if they were its own fault. If there is (another) processor in the service chain who reserves the right to transfer data to the USA (e.g. by using AWS), the liability chain goes up back to the controller.
Checklist for further procedure
Your task is to identify and assess the possible risks arising from third country transfers following the ECJ ruling and to take the necessary measures accordingly:
- Step 1: Gain an overview of the processing activities that involve data transfers to third countries, in particular to the USA. The answer to this should be found in the records of processing activities.
- Step 2: For each processing operation and for each third country, check on basis of which legal basis the data transfers to that country are carried out. If there is no adequacy decision by the EU Commission, but standard contractual clauses or binding corporate rules, you must assess whether there is an adequate level of data protection in the third country – together with the standard contractual clauses or BCR – or whether this is opposed in particular by state authorities’ access to the personal data. Ask the data importer in the third country whether he or she is able to comply with the standard contractual clauses and act in full compliance with data protection legislation with regards to the respective processing of personal data. If necessary, consult future recommendations of the European Data Protection Board or the EU Commission.
- Step 3: If there is a data transfer to the USA or if you otherwise come to the conclusion that the standard contractual clauses are not fully enforceable by the data importer in the third country, the data transfer to the USA or the other third country is most likely not permissible.
If the transfer of data can easily be stopped (e.g. by deactivating tools on your own website that also transfer personal data to the USA) this should be implemented in the short term. If, on the other hand, the necessary changes interfere with core processes or can only be implemented at considerable expense, a check should be made to see whether and, if so, how and with what amount of time alternatives can be used that do not involve the transfer of data to third countries.
If there are no alternatives, or if the cost of the change is economically or actually unreasonable, the situation that violates data protection law must be accepted and it must be regularly re-examined whether a change is possible. The facts of the case and its assessment should be fully documented, as should the measures taken where it was feasible to dispense with transfers from third countries. The GDPR cannot demand or sanction the impossible.
The aim should always be to cause as little frictional loss as possible in the operational process, so that today’s hectic does not cause more damage than tomorrow’s (possibly accruing) sanctions.
We would be pleased to support you in dealing with these issues and to develop potential solution together with you for a GDPR compliant design of the data processing under your control. In doing so, we can also draw on our experience with providers who have already avoided these problems prior to this ruling by having their headquarters exclusively in the EU and refraining from transferring data to third countries.
Who are KREMER RECHTSANWÄLTE and your contacts there?
KREMER RECHTSANWÄLTE is a law firm specializing in digitization consulting and advises its clients and customers in a highly specialized manner at the interface between technology and law. Our clients include DAX corporations, small and medium enterprises, credit institutions and financial service providers of all sizes, church institutions and start-ups. The firm has been involved in the implementation of the GDPR by the respective members of various industry and umbrella associations and has itself successfully led or accompanied several major projects for the implementation of the GDPR.
The attorneys at law and commercial lawyers regularly publish specialist articles, samples and books on data protection and are active in the training and further education of data protection officers, personnel managers, company management, lawyers, trainee lawyers and students.
KREMER RECHTSANWÄLTE has been awarded TOP Law Firm in Data Protection Law by WirtschaftsWoche 2019. In addition, the law firm is listed in kanzleimonitor.de 2018/2019 as a law firm recommended by corporate lawyers in IT and data protection law.
If you are already being advised by us on data protection, please contact the lawyer who is responsible for you. Otherwise, please contact one of the following contact persons at any time:
Sascha Kremer, specialist lawyer for IT law, external data protection officer (TÜV) sascha.kremer@kremer-recht.de
Daniela Köhnlechner, attorney at law, data protection officer (TÜV)
daniela.koehnlechner@kremer-recht.de
Kristof Kamm, attorney at law, data protection officer (TÜV)
kristof.kamm@kremer-recht.de
Nadine Schneider, attorney at law, data protection officer (TÜV)
nadine.schneider@kremer-recht.de
Michael Matejek, LL.M., business lawyer
michael.matejek@kremer-recht.de