The European Court of Justice (ECJ, Case C-311/18) has declared the EU-US agreement on the so-called Privacy Shield invalid. This agreement regulates the conditions for ensuring that the transfer of personal data of EU citizens or residents to the USA meets the requirements of the European Data Protection Regulation (DSGVO). To this end, US companies must be certified accordingly as recipients of the protected data. As a consequence of the ECJ ruling, the transfer of personal data to the USA lacks its essential legal basis. The ECJ justifies its view with the inadequate protective measures and legal protection options contained in the Privacy Shield. In particular, this is due to the electronic surveillance measures against foreigners carried out abroad as permitted under US law. The decision was based on proceedings initiated by data protection activist Max Schrems against the Irish Data Protection Commissioner. Schrems had lodged a complaint against the transfer of his personal data by Facebook Ireland to its US parent company, Facebook, Inc.
There is another legal basis for data transfer to the USA, namely the so-called standard contractual clauses. These model clauses are considered by the European Commission (the executive body of the European Union) to be appropriate for agreements relating to the export of data. In particular, the standard contractual clauses are agreed with data importers established in third countries which do not provide for data protection in line with EU law. Only 12 countries are currently regarded as so-called safe third countries, whose data protection therefore meets EU standards without further measures. The USA has not been a safe third country either. Safe Harbour and, from 2016, Privacy Shield were only intergovernmental agreements to bring data protection in the USA into line with the status of a safe third country in relations between parties to these agreements.
In the new decision, the ECJ also comments on the standard contractual clauses. These were included in the agreement between Facebook and Max Schrems. However, they only have an effect in the relationship between the parties to the contract and do not bind the authorities concerned. Among other things, they contain detailed provisions on information that the data importer must provide to the exporter (e.g. on potential government interference) and on the liability of the parties. In principle, the parties must examine the extent of data protection in the importing country. However, the supervisory authorities can also intervene and, if necessary, prohibit the transfer of data.
Depending on the form of data protection in the recipient country, the ECJ considers that additional measures must be taken to bring data protection in the importing country into line with EU standards. Unfortunately, the court does not explain what specifically needs to be done with regard to the USA. In its most recent ruling, the ECJ considered monitoring measures by the US authorities on foreigners to be particularly problematic. It is true that the standard contractual clauses in the agreement between the parties can be supplemented by additional obligations to provide information in the event of control measures by state authorities, provided the importer of the data becomes aware of them. Such cases can then give rise to a right to terminate the contract or to cancel the data transfer. However, this does not change the fundamental problem, which consists of the fact that, from the EU point of view, unauthorised interference with data protection can occur, e.g. through surveillance measures. In most cases these cannot be foreseen in advance by the parties to the data transfer agreement.
Only a new agreement between the EU and the US, which takes into account the reservations of the ECJ, can provide a lasting remedy. However, the Commission also intends to present a revision of the standard contractual clauses shortly. This should provide clearer guidance to the parties on the aspects which the ECJ has identified as critical.
For cross-border data transfers that take place within groups of companies, binding corporate rules can be considered as a basis of legitimacy. These must be approved in advance by the competent data protection authority. They then form the basis for a lawful data transfer to a non-secure third country. The ECJ ruling does not call into question the validity of such rules.
It is strongly recommended that, as a consequence of this ECJ ruling, companies centrally record and verify all transfers of personal data to non-EEA and non-secure third countries. The limitations expressed by the ECJ on the validity of standard contractual clauses are likely to have implications beyond the specific reference to data transfers to the US. According to the ECJ ruling, the parties to a cross-border data transfer agreement (i.e. both exporter and importer) are obliged to examine whether the obligations and guarantees regulated in the standard contractual clauses are sufficient in the specific case to bring data protection under the law of the recipient of the data into line with EU standards.
Encrypted transmission of data is also possible. However, this form of transfer is not as reliable as one might initially assume. In many cases, the decryption key can be accessed by the supervisory authorities.
This review of the concrete impact of the recipient country's data protection law, to be performed by the entity intending to transfer personal data to non-secure third countries, should clarify the following questions:
To which relevant countries does the company transfer personal data, i.e. to countries outside the EEA that are not safe third countries?
For what reasons can the authorities gain access to relevant personal data under the laws of the data importing country? If the authorities are formally entitled to control personal data for reasons other than the protection of public security, prevention and prosecution