I. Introduction – The Issue at Hand
Does the General Data Protection Regulation ("GDPR") of the EU allow for the transfer1 of personal data from the EU ("EU Personal Data") to the USA ("US") and, if so, under which circumstances?
This is, in a nutshell, the issue that has been in dispute between the Irish Data Protection Agency and Maximilian Schrems, an Austrian citizen, for several years.
Focusing on the transfer of personal data from Facebook's Irish affiliate to Facebook Inc. in the US with regard to EU-based users of the social network "Facebook", the Court of Justice of the European Union ("CJEU") had already nullified the EU/US "Safe Harbor" framework established by the Commission of the EU ("Commission") in its decision 2000/520, holding that this framework was not a sufficient safeguard of data privacy for personal data originating from the EU (decision dated 6.10.2015, case no. C-362/14 – "Schrems I").
In the aftermath of this judgment, the Commission replaced the "Safe Harbor" concept by confirming the so-called "Privacy Shield" framework, stating that this framework established an adequate level of protection for personal data transferred from the EU to the US if the receiving enterprise complied with the prerequisites stipulated in the "Privacy Shield" (Commission decision 2016/1250). As these prerequisites mostly relied on self-restraint and self-control of the receiving (private) entity in the US and were not binding on US authorities in any way, it was doubted from the beginning whether the Privacy Shield was sufficient to cure the flaws in the protection of EU Personal Data in the US which the CJEU had found in "Schrems I". This concerned in particular the broad scope of possibilities for US intelligence and security agencies to gain access to, or request disclosure of, such EU Personal Data from the recipients in the US without offering the EU individuals concerned ("Data Subjects") effective remedies to prevent such access or disclosure.
II. The End of the Privacy Shield – And of the Transfer of EU Personal Data to the US?
In a much anticipated decision, the CJEU has now decided that the Privacy Shield is invalid under EU law as, under the given circumstances, it cannot be said that the level of protection for EU Personal Data in the US is adequate as compared to the level of protection granted under the GDPR; such material adequacy, however, would be a prerequisite for the Privacy Shield to be a valid decision by the Commission (decision dated 16.7.2020 – C-311/18 – "Schrems II"). And even though the CJEU further held that the use of Standard Contractual Clauses ("SCC")2 issued by the Commission could still be sufficient to enable a transfer of EU Personal Data to jurisdictions outside the EU, the CJEU implicitly noted that this does not apply to the US: based on the arguments of the CJEU with regard to the invalidity of the Privacy Shield, it cannot be expected that US authorities would respect limitations set by such SCC when approaching a US party bound by SCC for access to or disclosure of EU Personal Data. As the same reasoning would likely apply to the instrument of "Binding Corporate Rules"3, which serves the purpose of easing the exchange of personal data within groups of enterprises, it seems doubtful whether those could still justify the transfer of EU Personal Data to the US, even though the Schrems II judgment is silent on this issue.4
That said, the catalogue of justifications for such transfers in Art. 49 GDPR is now, in fact, the only possibility to legally transfer EU Personal Data to the US under the GDPR; this catalogue also has its flaws from a practical point of view (see item 3 below).
III. Initial Suggestions – What should Companies that want to transfer EU Personal Data to the US do now?
Unlike in the Schrems I judgment, the CJEU has not granted a grace period during which the Commission, US authorities and the entities affected by the judgment could try to establish a legal framework for the transfer of EU Personal Data to the US which would allow the EU data protection agencies – and the entities effecting such transfers – to assume that the US offers an adequate level of protection for such EU Personal Data. That said, enterprises transferring EU Personal Data to the US should carefully review their situation and, if required, adapt to the new situation. The following initial steps could be helpful in this process, in which the data protection officer of the respective enterprise should be duly involved:
- Review of transfers of EU Personal Data to the US: Where and to what extent does a transfer of EU Personal Data to the US occur in the course of business, (i) within the enterprise or enterprise group and/or (ii) with regard to service providers used by the enterprise or enterprise group?
- Can such transfer be justified under Art. 49 GDPR?: It should be reviewed for each category of transfer of EU Personal Data to the US whether such transfer would fall under one of the exceptions stipulated in Art. 49 para. 1 GDPR. Under this provision, the transfer of EU Personal Data to the US would, inter alia, still be allowed if
- lit. a: the data subject has explicitly consented to the proposed transfer (after they were duly informed that their personal data would be exposed to possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards in the US);
However, even though it would be beyond the scope of this information to discuss this in more detail, it is worth noting that valid consent is difficult to obtain under the GDPR and may be freely revoked by the Data Subject at any time; moreover, valid consent generally requires that the Data Subject is duly informed about any and all circumstances of the (intended) use of the respective data.
- lit. b, c: the transfer is necessary for the performance of a contract (i) between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or (ii) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
These exceptions are less extensive than they appear prima facie: they are limited to transfers of personal data necessary for the performance of a contract as such. For example, this will not be the case with regard to advertising in connection with an existing agreement, and it is at least doubtful with regard to company group administration (e.g. the transfer of employee data from the EU subsidiary which is the employer of a Data Subject to the parent company in the US); with regard to the specifically relevant field of social media services, it would be very difficult to determine which transfer of EU Personal Data to the US is necessary for the performance of the respective social media contract and which transfer is not.
- lit. e: the transfer is necessary for the establishment, exercise or defence of legal claims.
The other possible justifications (transfer necessary for important reasons of public interest, protection of the vital interests of the Data Subject or other persons where the Data Subject is incapable of giving consent, transfer from public registers; Art. 46 para. 2 lit. d, f, g GDPR) will be less relevant for most enterprises.
- If not: Can the transfer be avoided? If it is not possible to justify a transfer of EU Personal Data to the US under the said provision, such transfer should be avoided, e.g. by shifting the processing of EU Personal Data from the US to the EU or by anonymizing the data in question (which, however, is usually technically very difficult).
This review and adaptation process is a matter of urgency: Any transfer of EU Personal Data illegal under the GDPR would be subject to fines up to EUR 40m or 4% of the annual global turnover of the enterprise, whichever is higher.
It remains to be seen how policy makers in the EU and the US will react to the Schrems II judgment. As it is of major importance for the economy in both jurisdictions that the transfer of personal data from the EU to the US is possible with relative ease, it has to be expected that a solution will be negotiated in the short term. However, leaving aside the further uncertainties involved in such a process, a necessary prerequisite for a solution would likely be that US authorities vow to establish and respect effective safeguards for EU Personal Data under US law. At the end of the day, in a global perspective, this could either mean the major breakthrough for the EU data privacy concept – or, in case of failure, the beginning of its end.
1 And other processing of personal data from the EU in the US.
2 Commission decisions 2001/497, 2004/915 and 2010/87; also see Art. 46 para. 2 lit. c GDPR.
3 See Art. 46 para. 2 lit. b, 47 GDPR.
4 Other possible instruments for such transfer stipulated in Art. 46 para. 2 GDPR do not seem promising either, as they are either only applicable between public authorities (lit. a) or at least the issue of interference by US authorities with regard to EU Personal Data transferred to the US remains (lit. d, e, f).
This client information contains only a non-binding overview of recent developments in German competition law and is not meant to replace legal advice. In case of comments or questions, please contact:
Dr. Thomas Nägele
Dr. Simon Apel
Dr. Steffen Henn