Top EU court sinks main framework for sending personal data across the Atlantic

Posted on Jul 23, 2020 by Glyn Moody

The Privacy Shield framework for transferring personal data across the Atlantic was brought in to deal with a problem created by the EU’s GDPR. According to the latter, the personal data of European citizens can only be transferred to countries that offer “adequate” data protection, equivalent to the GDPR. The Privacy Shield system was devised to allow the European Commission to confirm that the US did offer adequate privacy protection. The EU’s top court, the Court of Justice of the European Union (CJEU) has just ruled that the Commission was wrong to do so, and that Privacy Shield is invalid, and may not be used to transfer personal data to the US. The main reason is that Edward Snowden revealed that data sent to the US from abroad is routinely spied on by the NSA, which means EU personal data is not adequately protected. This is another major victory for the privacy expert and campaigner Max Schrems, who commented:

The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.

It was the second time, because a previous framework to allow personal data transfers, known as Safe Harbor, was also struck down by the CJEU, following an earlier legal challenge by Schrems. Privacy Shield was devised in response to that defeat, but has now been found to offer insufficient privacy protection for EU citizens. Since both Safe Harbor and Privacy Shield have been ruled as “invalid” by the CJEU, it seems unlikely that further attempts to draw up yet another framework will succeed.

As Privacy News Online explained a couple of years ago, there is an alternative approach for legal data transfers, involving the use of standard contractual clauses (SCCs), also known as “model clauses“. These are essentially contracts that promise to provide adequate data protection for data sent to the US. A second important aspect of the latest CJEU judgment is that it confirms that SCCs are indeed a legal way to send EU personal data to the US – with one important proviso. Schrems explains: “in a first step EU companies and non-EU recipients of data have to review the law in the respective third country. Only if there is no conflicting law, can they then use the SCCs.” For many, this is unlikely to be a big problem, provided precautions are taken: Schrems’ organization NOYB has put together a useful guide outlining the next steps for EU companies who wish to continue using SCCs.

However, big Internet companies like Facebook are subject to Section 702 of the FISA Amendments Act. This allows the collection of foreign intelligence from non-Americans located outside the United States. In particular, it allows information to be gathered about EU citizens when their data is transferred to the US by companies like Facebook. In its latest judgment, the CJEU has ruled that companies subject to this kind of US government surveillance may not use standard contractual clauses to transfer EU personal data to the US.

Another important facet of the CJEU judgment is that it confirms that Data Protection Authorities in EU countries have a “duty to act”. In other words, they can’t choose to “look away” if illegal data transfers across the Atlantic are taking place. They are obliged to ensure that the GDPR is fully enforced, which potentially means serious fines for companies that refuse to comply – up to 4% of global turnover. For Facebook, that would currently be around $3 billion. Finally, it is important to underline the fact that “necessary” data flows can still take place:

Despite the invalidations made by the judgment, absolutely “necessary” data flows can continue to flow under Article 49 of the GDPR. Any situation where users want their data to flow abroad is still legal, as this can be based on the informed consent of the user, which can be withdrawn at any time. Equally the law allows data flows for what is “necessary” to fulfil a contract. This is a solid basis for most legal transactions with the US. In simple words: the US has now been brought back to the “normal” situation that the EU has with most other third countries, but lost its special access to the EU market over US surveillance.

In other words, the CJEU judgement is carefully calibrated, such that it doesn’t affect vital, everyday transfers of data across the Atlantic. However, it will have a big impact on companies that are subject to US surveillance laws like FISA. It mostly affects the Internet giants like Facebook, which now seem to have no legal means of transferring EU personal data to the US – neither under Privacy Shield, nor using SCCs. Since the CJEU decision cannot be appealed, that leaves two main ways forward. One is to keep EU data in the EU – data localisation. That may be unwelcome for companies like Facebook, but it will be relatively easy to implement. The other option – that the US changes its laws to give foreigners greater privacy protection – is much harder to bring about, and seems unlikely in the present political climate.

Featured image by NOAA/Institute for Exploration/University of Rhode Island.