The Court of Justice of the European Union ruled on 16 July 2020, in Case C-311/18 (Data Protection Commissioner v. Facebook Ireland and Schrems), that Commission Decision 2016/1250 on the adequate level of protection afforded by the EU-US Privacy Shield is invalid, which makes the transfer of personal data from the EU to the US more difficult.
The transfer of personal data from the European Union to third countries is possible, inter alia, where such transfer is based on a decision on an adequate level of protection issued by the Commission under Article 45 of the GDPR (previously a similar requirement was expressed in Article 25 (1) of the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, i.e. that member states could allow the transfer of personal data to third countries only if those countries ensure an adequate level of protection). Commission Decision 2016/1250 reflecting the Privacy Shield was just such a decision on adequate protection under Article 45 of the GDPR.
Annulment of Commission decision 2016/1250
The Court of Justice of the European Union has based its ruling on the fact that the Privacy Shield allows secret services and other US government agencies to request data from private US companies, in which case European standards of personal data protection are set aside. The Court of Justice of the European Union considers this possibility to be a breach not only of the rules on the protection of personal data but even of the Charter of Fundamental Rights of the European Union itself. At the same time, the Privacy Shield did not give personal data subjects the possibility of effective procedural protection as required by European regulations.
Possible solution to the situation
If the Privacy Shield was your legal basis for exporting personal data from the EU to the US, you now need to choose a different legal basis to avoid possible fines from supervisors.
For example, personal data may be transferred from the EU to the US with the consent of the personal data subject and in other specific situations expressed in Article 49 of the GDPR, or based on binding corporate rules under Article 47 of the GDPR (consent of the data subject is considered the weakest possible title for the transfer, and binding company rules can only be drawn up within a business group that carries out a joint economic activity; the transfer must also be approved in advance by the supervisory authority). In addition to the above, the so-called standard clauses can also be used.
The standard clauses are adopted either by the Commission itself or, where appropriate, by the supervisory authorities with the approval of the Commission. Standard clauses for the transfer of personal data from the EU to third countries are contained in an implementing regulation, issued as Commission decision 2010/18, which was an implementing regulation for the previously applicable Personal Data Protection Directive.
However, the Court of Justice of the European Union has stated that Commission decision 2010/87 on standard clauses is also applicable for GDPR purposes. At the same time, the Court of Justice of the EU has clarified the conditions under which such clauses may be used to transfer personal data from the EU to the US.
Necessary measures when using standard clauses
Where personal data of data subjects are transferred to third countries, such data subjects must have the same level of protection, which is in principle equivalent to the level of protection guaranteed in the European Union.
At the same time, according to clause 5 contained in Commission Decision 2010/87, the personal data recipient is obliged to inform the exporter that he will not be able to ensure compliance with the obligations arising from the concluded contract. In addition, the recipient must certify that he has no reason to believe that his national law prevents him from fulfilling the obligations arising from the concluded contract and the recipient undertakes to inform the exporter of personal data, without delay, if this situation changes.
This certificate should be drawn up in writing at the earliest opportunity to protect the contracting parties. It is the duty of the controller to suspend the transfer of personal data to a third country if it finds that the protection of personal data is not fulfilled according to the requirements for transfer on the basis of standard clauses. Failure to do so may result in penalties from the supervisory authority.
If, at the beginning of the transfer, the exporter is satisfied and believes that the third country provides adequate protection of personal data but this situation changes over time, he must suspend the transfer of personal data, and the recipient must also return or destroy the personal information (including copies) as appropriate.
The Court of Justice of the European Union has given the supervisory authorities of the Member States a very strong power to decide whether the standard clauses can be complied with in a third country in the light of the legislation there. In the event that the authority considers that such standard clauses may be breached in any way and thus do not provide essentially the same level of personal data protection as Union law, the supervisory authorities are obliged to prohibit the transfer of personal data to that third country on the basis of standard clauses, temporarily or permanently.
Immediate action required
For the sake of clarity, we list here the necessary steps that personal data controllers must take in connection with the above-mentioned decision of the Court of Justice of the European Union.
- Determine whether personal data is transferred to the US on the basis of Article 45 of the GDPR, i.e. on the basis of the Privacy Shield;
- If so, this transfer must be substantiated by another legal reason assumed by the GDPR, i.e. by the consent of the personal data subject, binding company rules or standard clauses according to Commission Decision 2010/87;
- In the event you choose to use standard clauses to authorize transfers, you must first assess whether personal data protection is appropriate in the United States, i.e. in particular, that local laws do not adversely affect or preclude the applicability of standard clauses. This step cannot be underestimated and should not be just a "piece of paper" for the transferring personal data controller. Moreover, the complexity of drawing up such an opinion is evidenced by the fact that the Court of Justice of the EU itself assessed, in the title judgment, that US law is incompatible with fundamental rights guaranteed by the European Union;
- Subsequently, a certificate must be requested from the recipient of the personal data. The certificate should state that the recipient has no reason to believe that U.S. law prevents him from complying with the personal data exporter's instructions and obligations under the contract and that, in the event of any change in that legislation which could significantly affect the safeguards and obligations set out in the clauses, he will immediately notify the exporter of the personal data of this change;
- The exporter of personal data is then entitled to suspend the export of this personal data. If he still decides to continue, he must submit to the supervisory authority the recipient's information that the standard clauses can no longer be complied with.
In the light of the grounds of the above judgment, it can be assumed that the supervisory authorities of Member States will gradually conclude that US law does not provide such a level of protection of personal data and that this is the reason why standard clauses cannot be used in the transfer of personal data. For the time being, however, it seems that these standard clauses could, at least temporarily, still be a tool to overcome that "vacuum" without a valid Commission decision on adequate protection.