Give It a Try: How to Transfer Personal Data from Europe to the US after the ECJ Ruled the Privacy Shield Void
by Jaroslaw Norbert Nowak
On 16 July 2020, the European Court of Justice (ECJ) declared the Privacy Shield Adequacy Decision (2016/1250; hereafter “Privacy Shield”) of the European Commission on personal data transfer from the European Union (EU) to the United States (US) invalid (Case C-311/18). In the view of the ECJ, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities are not satisfying a level of data protection that is essentially equivalent to the requirements under EU law.
The far-reaching decision of the ECJ has a significant influence on the lawfulness of data transfer to the US. Unfortunately, neither the European Data Protection Supervisor nor the federal Data Protection Offcers delivered proper guidance on how to conduct data transfer in the aftermath of the ECJ judgement. It is rather demanded from business companies to solve the legal problems on its own merit. Against this backdrop, it is indeed worthwhile to evaluate ideas for a lawful data transfer.
According to Chapter 5 of the GDPR, personal data may in principle only be transferred to a third country (i.e., not an EU member state) if the transfer is based either on an adequacy decision (Art. 45 GDPR) or on appropriate safeguards (i.e., standard data protection clauses adopted by the Commission, Art. 46 GDPR) or on binding corporate rules (Art. 47). All requirements under Chapter 5 of the GDPR have in common that they intent to ensure an equivalent level of data protection is provided by the third country, comparable to the GDPR. If this is not possible, a data transfer based on these conditions is not permitted.
After ruling the Privacy Shield void, focus increased on the use of standard data protection clauses as a justification for data transmission, given the ECJ decided that the standard contractual clauses (SCCs) pursuant to the Commission Decision 2010/87 (amended by 2016/2297) are valid. But the ECJ stated also that the validity off the agreed SCCs requires effective mechanisms to ensure compliance with the level of protection required by EU law. At first glance, it may seem suffcient to adopt the SCC provided by the Commission. However, such an understanding would undermine the main argument of the ECJ ruling that protection of personal data arising from surveillance programmes conducted by the US authorities is limited in the US and does not match the standard under the EU law. Against this backdrop, it appears legally doubtful to rely solely on the SCCs, as neither the data exporter nor the recipient has the power to bind US authorities to apply the standard within the GDPR.
According to the regional data protection offcer of Baden-Württemberg, SCCs can apply in the future only (as far as data transfer in the US is concerned) if the parties to the contract agree on additional safeguards. Additional guarantees can be provided in the form of encryption or in anonymisation or pseudonymisation, which cannot be overcome by US services. However, in view of the high costs involved in such measures, the question arises as to whether the agreement of such guarantees is realistic.
The lack of optimism is supported by the German Data Protection Supervisor. In a letter to the German authorities, he claimed the ECJ ruling leads to non-applicability of all legal grounds within Chapter 5 of the GDPR. Indeed, there are reasons to agree with this conclusion. On the other hand, the words from the German Data Protection Supervisor are farfetched. Such an assumption ignores Art. 49 GDPR. According to Art. 49 Abs. 1 a), GDPR data transfer to the US (as well as other third countries) is legally permitted if the person subject to the data transfer explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards. Of course, obtaining a declaration of consent from the person subject to the transfer may not prove to be realistic in all areas of business. Additionally, consent can be revoked at any time by the data subject. Nevertheless, in the area of data processing when visiting the company’s website, obtaining consent can be a sound solution.
Eventually, it remains to be seen what the responsible authorities expect. But as long as they do not a provide proper solution, they should not criticise any wrongdoing of a party trying to overcome the adversities brought about by the ECJ decision.