Next round in the duel between data protection activist and lawyer Max Schrems and Facebook over data transfers from the EU to the USA.
ECJ: Transatlantic EU-US Privacy Shield is invalid
For several years now, the Austrian data protection activist and jurist Max Schrems has been criticising Facebook’s data transfers from the EU to the US. In his opinion, these transfers do not comply with the General Data Protection Regulation (GDPR). Schrems therefore lodged a complaint against Facebook with the Irish supervisory authority. The complaint is directed against the transfer of personal data from Facebook in Ireland to its parent company in the United States. Schrems bases his complaint on the fact that sufficient data protection is not guaranteed in the US, as Facebook is obliged to grant US authorities, such as the NSA or FBI, access to data transferred from the EU without the data subjects being able to take legal action against this. According to the Austrian data protection activist, neither the EU-US Privacy Shield (“Privacy Shield”) nor the standard data protection clauses guarantee an adequate level of data protection. With his complaint, Schrems seeks to have those data transfers prohibited. Facebook, on the other hand, argues that the data transfers are legitimate, and that European data protection law does not apply where personal data is processed for the purpose of national security.
The Irish High Court then referred the matter to the European Court of Justice (ECJ) to clarify whether the Privacy Shield and the standard data protection clauses are compatible with European data protection law.
Data transfers to third countries under the GDPR
Data transfers from the EU to third countries are governed by Art. 44-49 GDPR. A transfer to a third country is always permissible if the European Commission has issued an adequacy decision pursuant to Art. 45 (1) GDPR, which states that the respective third country provides a level of data protection comparable to that under EU law. Until now, transatlantic data transfers have often been justified on the basis of the Privacy Shield. The Privacy Shield is an agreement between the US government and the EU Commission that was designed to guarantee an adequate level of protection for personal data transferred from the EU.
In addition, the standard data protection clauses of the EU Commission can provide a legal basis for the transfer of data to the United States. Until now, several US corporate groups have relied on standard data protection clauses when transferring data from the EU to the United States.
Decision of the ECJ
In its latest ruling (16 July 2020, Ref.: C-311/18), the ECJ first clarifies that EU law, in particular the GDPR, is generally applicable when personal data are transferred for commercial purposes. This also applies in cases where the respective data could be processed directly or subsequently by authorities of the third country. Processing of the data by authorities of a third country does not remove the transfer from the scope of the GDPR.
Furthermore, the ECJ held that the Privacy Shield does not comply with European data protection law. The court found that the surveillance laws in the United States are so extensive that the Privacy Shield did not guarantee adequate protection of the personal data of EU citizens either. In addition, the ECJ criticized that data subjects had no sufficient rights to take legal action against the data transfer or against access to European data by US authorities. The ECJ therefore invalidated the Privacy Shield.
However, the Luxembourg judges did not object to the use of standard data protection clauses. There was no apparent conflict with the Charter of Fundamental Rights of the European Union (CFR). The decision of the EU Commission on standard data protection clauses (Decision 2010/87) includes effective and necessary measures to ensure, in practice, that the level of data protection required by the EU is complied with and that processing and transmission are suspended or prohibited in the event of a breach of the clauses.
After the ECJ had already declared the predecessor of the Privacy Shield, the Safe Harbour Agreement, invalid in 2015 (6 October 2015, Ref.: C-362/14), the Privacy Shield now shares the same fate. The reason was the extensive US surveillance laws, which give US authorities far-reaching powers to monitor “foreign communications”. Moreover, the rights of EU data subjects were insufficient. All in all, there is no adequate level of data protection in the USA, according to the Luxembourg judges. The standard data protection clauses are not objectionable as long as they are actually observed in the respective third country.
Because of the ruling, many data transfers that had been based on the Privacy Shield are no longer lawful. This could have a strong impact on companies that have relied on the continued existence of the Privacy Shield.
EU-based companies are therefore advised to thoroughly re-examine their data transfers to the US and any data processing agreements concerning such transfers. Where transatlantic data transfers have so far been justified by the Privacy Shield, a switch to standard contractual clauses should be made immediately to ensure adequate data protection. If this conversion does not take place, high fines may be imposed (Art. 83 GDPR).