After the official statements of the European Data Protection Board (EDPB) and several Supervisory Authorities (SAs), it is clear that at the moment there is no practical way for data to lawfully flow from the EU to the US.
The reasoning in 5 steps:
- On 16 July 2020 the Court of Justice of the European Union (CJEU) invalidated the European Commission’s Privacy Shield adequacy decision concerning the transfer of data between the EU and the US (see Case C-311/18 “Schrems II”). Privacy Shield therefore no longer constitutes a valid basis for the transfer of personal data to the United States. You can read the Press release here.
- The main reasons for the invalidation are: “[i] that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from EU to the U.S. for national security purposes, result in limitation on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and [ii] that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities” (EDPB Frequently Asked Questions); additionally, [iii] the Court underlines that certain surveillance programmes enabling access by US public authorities to personal data transferred from the EU to the US for national security purposes do not provide for any limitations on the power conferred on the U.S. authorities, or the existence of guarantees for potentially targeted non-US persons. (See question 1, EDPB FAQ)
- There is no grace period (See question 3, EDPB FAQ). However, it is interesting to observe that following the judgement, ICO (until 27 July 2020 when it published an updated statement, available here) stated on its website, “We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.” Did this show that the ICO has already started to move away from EU influence in the area of privacy? Is such a statement an exercise of political power of the ICO or is it simply a pragmatic approach to manage the situation where transatlantic data flows are of huge value and it would be too disruptive to enforce? In any case, it is clear that this is not just a legal matter but also – if not especially – a political and economic battle between the EU and the US.
- The ratio of the decision also applies to SCCs and BCRs and potentially holds for any third country (See questions 5 and 6, EDPB FAQ). Therefore, before transferring personal data to the US (and to any other third country that has not received an adequacy decision) on the basis of SCCs or BCRs, organisations are requested to (i) carry out an assessment on the appropriate safeguards “in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined” (see Art. 46 GDPR); which will also include the possible effects of (ii) supplementary legal, organizational or technical measures that the exporter and the importer will put in place. The EDPB is evaluating which kind of supplementary measures could effectively be implemented. However, “the Court highlighted that it is the primary responsibility of the data exporter and the data importer to make this assessment, and to provide necessary supplementary measures.” (See question 10, EDPB FAQ). This approach seems to demonstrate a lack of familiarity with the actual implications, as the vast majority of organizations do not have (access to) the capabilities to carry out an assessment on whether the appropriate safeguards are guaranteed with respect to a specific transfer to a non-adequate third country. Moreover, how could supplementary contractual legal measures set forth between two parties (exporter-importer) limit the reach of national law provisions granting exceptional rights to local authorities for national security purposes? One may consider technical measures, for example, aimed at rendering the data unintelligible to third-country authorities; however, this may result in possible violations of other applicable legislation.
- The derogations provided in Article 49 GDPR can theoretically be used, but practically will not offer many viable options in business contexts. Data subject consent is a very impracticable legal basis for transfer. The majority of organisations have not based data transfers on consent so far and collecting it now will not be very successful (i.e., very low consent acquisition rate). Moreover, even if the consent of data subjects is acquired, it will not be a “stable” legal ground for transferring due to the possibility for the data subject to withdraw it at any time. Transfer for the performance of a contract – either between data subject and controller (Art. 49.1.b GDPR) or concluded in the interest of the data subject between the controller and another natural or legal person (Art. 49.1.c) – can only serve as legal basis when the transfer is occasional. More generally, the derogations of Art. 49 GDPR “should not become ‘the rule’ in practice, but need to be restricted to specific situations and each data exporter needs to ensure that the transfer meets the strict necessity test.” (question 8, EDPB FAQ).
Conclusions: de facto, the regular transfer of data from the EU to the US is not really possible at this point in time without the risk of incurring sanctions.
A collection of official statements and a few comments on them
Below I provide a list of official statements and FAQs from the European Data Protection Board, national supervisory authorities, and European and international Institutions which will be updated regularly.
The game-changer: On 16 July 2020 the Court of Justice of the European Union invalidated the European Commission’s Privacy Shield adequacy decision concerning the transfer of data between the EU and the US (see Case C-311/18 “Schrems II”). Privacy Shield therefore no longer constitutes a valid basis for the transfer of personal data to the United States. You can read the Press release here.
The same day, U.S. Secretary of Commerce Wilbur Ross issued a Statement on Schrems II Ruling and the Importance of EU-U.S. Data Flows (Read it here). The statement notes that the US has “been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.” Mr. Wilbur Ross’ statement is politically understandable, but as explained above, after the ruling of the Court of Justice, the regular transfer of data from the EU to the US is not really possible at this point in time without EU organizations risking sanctions. The task of safeguarding the transatlantic economy (and, more generally, the digital society, which also strongly relies on such data flows) seems to be left to EU Supervisory Authorities. This is a clear lack of political agreement between the EU and the US, leaving EU Courts and Supervisory Authorities to take decisions whose effects go way beyond their mandate.
Following the decision, on 16 July 2020, European Commission Vice President Jourová acknowledged the invalidation of Privacy Shield and stated that, “transatlantic data flows can continue, based on the broad toolbox for international transfers provided by the GDPR, for instance binding corporate rules or Standard Contractual Clauses.” Jourová furthermore stressed that the Commission is committed to ensuring that data flows are in line with the judgment of the CJEU, respect EU law, and guarantee the protection of fundamental rights and therefore offer a high level of protection for personal data. She outlined the three priorities of the Commission which include: 1. “Guaranteeing the protection of personal data transferred across the Atlantic”; 2. “Working constructively with our American counterparts with an aim of ensuring safe transatlantic data flows”; and 3. “Working with the European Data Protection Board and national data protection authorities to ensure our international data transfer toolbox is fit for purpose.” The EC Vice President furthermore stressed, as she has already done on multiple occasions in the past, that “the Commission has already been working intensively to ensure that this toolbox is fit for purpose, including the modernisation of the Standard Contractual Clauses.” You can read the full statement here. Ms. Jourová clearly underestimated the impact of the Court’s decision on “the broad toolbox for international transfers provided by the GDPR”.
As indicated above, on the one hand, at present, both SCCs and BCRs would require supplementary measures which the EDPB is also looking to determine. On the other hand, as I already explained above, the derogations pursuant to Article 49 GDPR aren’t very practicable. I fully agree that the priority of the Commission should be “Guaranteeing the protection of personal data transferred across the Atlantic”; but in order to achieve such an objective, the EU international data transfer toolbox must be fit for its purpose. Currently, instead, the lack of political agreement, solidly based on a genuine objective, which is the protection of personal data, is resulting in systematic exposure of the majority of EU-based organizations to an incredible number of sanctions.
On 17 July 2020, the European Data Protection Supervisor (EDPS) issued a statement following the ruling in Case C-311/18 (EDPS Statement following the Court of Justice ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”)). In its statement the EDPS, “welcomes that the Court of Justice of the European Union, in its landmark Grand Chamber judgment of 16 July 2020, reaffirmed the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries.” And stresses that, “The EDPS will continue to strive, as a member of the European Data Protection Board (EDPB), to achieve the necessary coherent approach among the European supervisory authorities in the implementation of the EU framework for international transfers of personal data.” Importantly, the EDPS also noted that “European supervisory authorities will advise the Commission on any future adequacy decisions, in line with the interpretation of the General Data Protection Regulation (GDPR) provided by the Court.” And that it “trusts that the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court.”
With respect to Standard Contractual Clauses (SCCs), the EDPS noted that “the Court, while in principle confirming the validity of Standard Contractual Clauses (SCC), provided welcomed clarifications regarding the responsibilities of controllers and European DPAs to take into account the risks linked to the access to personal data by the public authorities of third countries.” Read the complete statement here.
The real question is: what should organisations do now, in a situation where a legal-political agreement between the EU and the US could take months or even years, and being mindful of the fact that the ratio of the Court ruling applies to all third countries without an adequacy decision, a situation where SCCs are to be revised and “supplementary measures” for SCCs and BCRs are to be identified by the EDPB? Well, the EDPB is clear in this respect: “If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.” (FAQ 12, EDPB). Therefore, the practical result of the Court ruling, at present, is to restrict the data processing to the EEA, which seems to clash with the free flow of data which is inherent to the digital society and the digital economy. This is not an easy outcome to accept and digest in the era of the connected economy and society which is strongly based on global data flows.
On 24 July the European Data Protection Board published its much-awaited guidance on the question, in the form of Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, available here.
The FAQs, among other things, confirm the immediacy of the invalidation (there is no grace period). See question 3: “Is there any grace period during which I can keep on transferring data to the U.S. without assessing my legal basis for the transfer? –> No, the Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU. This assessment has to be taken into account for any transfer to the U.S.”
Importantly, the EDPB notes that in order to make use of other transfer mechanisms (SCCs and BCRs) there is a first necessity of carrying out an assessment “taking into account the circumstances of the transfers, and supplementary measures you could put in place” which, considered together with the relevant mechanism, “following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However if you are intending to keep transferring data despite this conclusion, you must notify your competent SA.” (See EDPB FAQ questions 5 and 6).
Now, for the reasons I have set out at length above, the vast majority of organisations will find themselves in the position where they have to notify the competent Supervisory Authority – unless they decide to try to conceal their unsafe transfers to the US (and other third countries without adequacy decisions). The following legitimate questions arise: How are SAs going to deal with that potentially huge influx of notifications when they have already made it clear that they have limited resources and experience difficulty in enforcing the GDPR? (In its opinion on the Commission’s GDPR review, the EDPS noted that “the consistent and efficient enforcement of the GDPR remains a priority. Resources available for the national data protection authorities (DPAs) are sometimes insufficient and there are some discrepancies caused by the different legal frameworks and national procedural laws.”) What is this going to mean in practical terms: does an organization just notify and go ahead with the transfer, or does it need to wait for some kind of approval or response from the SA? Isn’t the SA going to issue a fine if an organisation cannot guarantee an adequate level of protection even with these extra mechanisms in place? What is sure is that the notification in and of itself will not provide any further protections for data subjects.
- 16 July 2020, “Opening remarks by Vice-President Jourová and Commissioner Reynders at the press point following the judgment in case C-311/18 Facebook Ireland and Schrems”. Available here.
European Data Protection Board
- 17 July 2020, “Statement on the Court of Justice of the European Union Judgment in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems.” Available here.
- 24 July 2020, “Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems Adopted on 23 July 2020.” Available here.
European Data Protection Supervisor
- Statement following the Court of Justice ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”). Available here.
National Supervisory Authorities:
Danish Data Protection Authority
- 20 July 2020, “Preliminary opinion of the European Data Protection Board on the consequences of the Schrems II judgment”. Available here.
French Data Protection Authority
- 17 July 2020, “Invalidation of the “Privacy shield”: the CNIL and its counterparts are currently analysing its consequences”. Available here.
Datenschutzaufsichtsbehörden des Bundes und der Länder
- 28 July 2020, “Judgment of the European Court of Justice on the transfer of personal data to third countries (“Schrems II”) strengthens data protection for EU citizens”. Available here.
Hamburg Data Protection Authority
- 16 July 2020, “CJEU suspends Privacy Shield and confirms standard contractual clauses”. Available here.
Berlin Data Protection Authority
- 17 July 2020, “After “Schrems II”: Europe needs digital autonomy”. Available here.
German Federal Commissioner for Data Protection and Freedom of Information (“BfDI“)
- 17 July 2020, “BfDI on the Schrems II judgement of the CJEU”. Available here.
Rhineland Palatinate Data Protection Authority
- 16 July 2020, “Big bang: CJEU shreds the Privacy Shield, but data transfer to countries outside the EU still possible on a contractual basis.” Available here.
- FAQ on Data transfers to third countries, available here.
Thuringia Data Protection Authority
- 16 July 2020, Press release. Available here.
North Rhine Westphalia Data Protection Authority
- “ECJ declares decision on EU-US data protection shield invalid – standard data protection clauses permissible in principle but subject to review in individual cases (C-311/18 “Schrems II”).” Available here.
Irish Data Protection Authority
- 16 July 2020, “DPC statement on CJEU decision”. Available here.
Liechtenstein Data Protection Authority
- 17 July 2020, “Invalidation of the EU-U.S. Privacy Shield by the European Court of Justice.” Available here.
Lithuania Data Protection Authority
- 20 July 2020 “Judgment of the Court of Justice of the European Union on the EU-US ‘Privacy Shield’.” Available here.
Netherlands Data Protection Authority
- 20 July 2020, “Privacy shield for transfer to US declared invalid.” Available here.
Polish Data Protection Authority
- 20 July 2020, “CJEU judgment regarding Data Protection Commissioner against Facebook Ireland Ltd. and Maximilian Schrems.” Available here.
Romanian Data Protection Authority
- “Invalidation of European Commission Decision (EU) 2016/1250 on the EU-US Privacy Shield.” Available here.
Swiss Data Protection Authority
- 16 July 2020, “CJEU ruling on European standard contractual clauses and the EU-US Privacy Shield.” Available here.
UK Data Protection Authority (ICO)