By Peter Schaar, 16.07.2020
With its decision today, the European Court of Justice has again underlined the importance of the fundamental right to data protection guaranteed by Article 8 of the EU Charter of Fundamental Rights. Almost five years after its landmark decision of 6 October 2015, in which the highest European court declared the then Safe Harbor Agreement invalid (“Schrems I”), the European Commission’s second attempt to put the data flows between the EU member states and the USA on a legally secure basis has now also failed. The Privacy Shield agreed in 2016 was intended to ensure that personal data transferred from EU Member States to the United States are adequately protected. This is also required by Art. 44 of the General Data Protection Regulation (GDPR).
Insufficient protection against government access
Both the Safe Harbor Agreement and its successor, the Privacy Shield, failed due to the insufficient protection of personal data against access by US security authorities. In 2015 – as today – the focus was specifically on data transfers between Facebook Europe and the American parent company. The CJEU does not consider the legal improvements negotiated by the EU Commission with the US government in 2016 to be sufficient. In particular, the judges criticise the fact that even under the Privacy Shield EU citizens are not provided with effective legal protection against surveillance measures of American authorities. Unlike US citizens, Europeans cannot challenge access to their data by the NSA, FBI and other US security authorities before US courts, but have been fobbed off with a kind of ombudsman mechanism. The Court finds it unacceptable that the guarantee of data protection for EU citizens in relation to government measures in the USA ultimately depends on the goodwill of the US government.
Standard contract clauses as a solution?
After Safe Harbor was ended, many companies operating in Europe concluded so-called standard contracts with their US partners. These are – like the Commission’s “adequacy decision”, which was annulled today – an instrument intended to guarantee an adequate level of data protection at the data recipient. At first glance, it would appear that the standard contracts would also remain valid after the new judgment. However, this could be a false conclusion. Although the ECJ found that the European Commission’s Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors in third countries remains valid, the Court of Justice did not rule on the validity of the individual contracts based on that decision.
Standard contracts only if effective legal protection is available in the recipient state
At the same time, however, the court clarifies that the respective standard contracts only provide a legal basis for the transfer of data if they actually guarantee the required adequate data protection. Standard contracts are therefore only valid if the legal system of the country to which the data are to be transferred provides the necessary guarantees. Thus, if the relevant guarantees, including effective legal protection against government access to data, are not fully ensured in the recipient state, the data protection authorities must suspend or prohibit the relevant transfers.
And this is where it gets interesting: Since the CJEU – with reference to the Privacy Shield – has denied adequate data protection in the USA, even standard contracts cannot compensate for this deficit. Standard contracts, like the annulled Privacy Shield, cannot guarantee the necessary protective measures against unjustified state access to data.
What happens next?
According to today’s ECJ decision, the transfer of personal data to the USA based solely on the Privacy Shield must be stopped. Although the system of standard contractual clauses will remain in principle and the standard contracts already concluded will initially remain in force, they will have to be reviewed and, if necessary, suspended by the data protection authorities in the light of the ECJ ruling. This review will not be limited to data transfers to the USA. Transfers based on standard contracts to other third countries with dubious guarantees under the rule of law must also be urgently reviewed.
Do we need Schrems III?
This puts the ball back in the court of the Irish data protection authority, which must examine the legal basis for allowing Facebook Ireland to transfer data from the EU to the US parent company Facebook Inc. And that authority, as we have learned, takes a lot of time for such checks. Since the GDPR came into force over two years ago, this authority has not taken a single final decision on a complaint concerning how the Irish-based European subsidiaries of US companies handle the personal data of their European customers.
The Irish data protection authority has so far acted like the proverbial dog that has to be carried to the hunt. It remains to be seen whether today’s CJEU decision will change this.