Today (16 July 2020), the ECJ handed down its long-awaited judgment on the validity of Standard Contractual Clauses in international data transfers (ECJ, judgment of 16 July 2020, case C-311/18). In a surprise move the Court of Justice declared the EU Commission's adequacy decision on the Privacy Shield - the agreement that allows data transfers to certain companies in the USA - to be invalid. On the other hand it confirmed the validity of the Standard Contractual Clauses. Since the ECJ also emphasizes the need for the companies involved to examine the level of data protection, even in the case of Standard Contractual Clauses, the ruling is of fundamental importance - and the companies have work to do.
The GDPR contains a differentiated regulatory regime for the transfer of personal data to countries outside the EU/ the EEA. According to Art. 44 et. sqq. GDPR, an additional legal basis is required in addition to the requirements for each data transfer. These may be an adequacy decision by the EU Commission for a particular third country (Art. 45 GDPR), appropriate safeguards (Art. 46 GDPR) or certain exceptions, such as consent by the data subject (Art. 49 GDPR). Appropriate safeguards include in particular Binding Corporate Rules and the Standard Contractual Clauses of the EU Commission. The Standard Contractual Clauses have been drawn up and adopted by the EU Commission (implementing decisions 2016/2297/EU and 2010/87/EU of the EU Commission). If they are agreed unchanged between the parties, they provide a legal basis for international data transfers to the non-EU country of the contracting party. The Standard Contractual Clauses can be used for transfers to all countries. From a practical point of view, they are a relatively easy to handle and important instrument for transferring data to other companies, such as contractual partners or group members.
Especially in the relationship between the EU and the USA, the Safe Harbor agreement initially applied besides the Standard Contractual Clauses. The Agreement was also recognized as a sufficient instrument for data transfers to the USA by means of a decision on adequacy. However, the ECJ declared the decision invalid in 2015. The background to this was a complaint filed by the Austrian data protection expert Max Schrems against Facebook Ireland Ltd. The company is a contractual partner of all Facebook users in the EU and EEA. It transferred the users’ data to its parent company Facebook Inc. in the USA on the basis of the Safe Harbor Agreement until the Agreement became ineffective. Following the ECJ decision, the EU and the USA agreed on a new agreement, the so-called Privacy Shield. By means of a renewed adequacy decision by the EU Commission, this agreement again became a sufficient safeguard for transfers. Provided that a US company fulfilled the procedures and requirements stipulated there, data transfers to the USA could take place on the basis of the renewed adequacy decision.
After the Safe Harbor ruling, Facebook Ireland Ltd. based its data transfers to the parent company on the Standard Contractual Clauses of the EU Commission. Facebook Ireland Ltd. had agreed on the clauses with the parent company. Schrems also filed a complaint against this with the Irish Data Protection Commissioner. The authority expressed doubts about the validity of the clauses and sought a judicial procedure to have them reviewed by the courts. Following the various instances in the Irish jurisdiction, the ECJ has now issued its ruling on this matter.
In contrast to the Privacy Shield Agreement, the validity of the Standard Contractual Clauses does not only concern data transfers to the USA, but to all countries of the world. Today's decision of the ECJ is therefore of great importance for international data transfers.
The ECJ has confirmed the validity of Standard Contractual Clauses. It has followed the recommendations of the Advocate General. In the opinion of Court, the Standard Contractual Clauses guarantee an adequate level of data protection. The Court considers it crucial that the clauses provide for effective safeguards to ensure an adequate level of protection and that data transfers are suspended in case of a breach of the clauses. In particular, the Court emphasized as an important safeguard that the parties check the legal situation in the country of destination in advance and that the Data Importer informs the Data Exporter if they can no longer comply with the clauses, with the consequence that the Data Exporter must suspend the transfers.
However, the Court of Justice stressed that the competent supervisory authorities may verify on a case-by-case basis whether the Standard Contractual Clauses are or can be complied within the country of destination. If they conclude that this is not the case, the authorities are obliged to order the suspension of transfers. The examination by the authorities is only waived if the EU Commission has issued an adequacy decision for the target country.
In this context, the European Court of Justice declared the EU Commission's adequacy decision on the Privacy Shield - although not actually the subject of the proceedings - to be invalid, thus removing this legal basis for transfers to US companies. In the opinion of the court, there is no adequate level of protection in the USA, as on the one hand the access possibilities of the US authorities are too extensive and on the other hand there is no effective legal protection against access for the affected persons. The procedure before an ombudsman, which the Privacy Shield provided for, does not meet the requirements.
After this decision, all companies using the Standard Contract Clauses of the EU Commission can initially be relaxed. The Standard Contractual Clauses continue to provide adequate protection for transfers in accordance with Art. 46 GDPR. However, in the absence of an adequacy decision by the EU Commission for the country of the Data Importer, the legal situation there must be kept in mind. If the Data Importer can no longer guarantee compliance with the provisions of the Standard Contractual Clauses due to contrary national regulations or official measures, the transfer must be based on a different legal basis or must be discontinued.
Especially with regard to transfers to the USA, it must be examined very carefully whether the Data Importer can guarantee this. The statements of the ECJ on the lack of protection in the USA can be transferred to the situation with Standard Contractual Clauses. The US authorities' extensive access possibilities and lack of legal remedies for affected parties also jeopardize the necessary guarantee of adequate protection in the case of the Standard Contractual Clauses. Here, the companies will have to seek intensive talks with their contractual partners in the USA.
In addition, the pronouncements and further action of the supervisory authorities must be taken into account. Their position was strengthened by the ECJ ruling. In the absence of an adequacy decision for the target country, they may conclude that compliance with the Standard Contractual Clauses is not guaranteed and, on that basis, prohibit the transfer. In fact, this can lead to the supervisory authorities carrying out their own assessment of the legal situation in the target country and possibly concluding that it conflicts with the Standard Contractual Clauses.
Apart from this, data transfers to US companies, which were previously based on the Privacy Shield, must be stopped immediately or put on another legal basis. The adequacy decision concerning this agreement is no longer valid as of today, so that corresponding data transfers are no longer legally compliant. Also, they need to check whether Privacy Shield was part of the contractual agreements with data processors and if so make amendments to the processing agreement.