In today's Schrems II judgment (C‑311/18), the ECJ, in line with the Opinion of the Advocate General, decided that
- the standard contractual clauses continue to apply,
- but the Privacy Shield is invalid with immediate effect.
This may sound like a partial victory for transatlantic data traffic, but it hardly is.
On the invalidity of the Privacy Shield and its effects
Immediate discontinuation of the Privacy Shield
First, on the Privacy Shield: The ECJ declares the Privacy Shield to be invalid because
- national security, public interest, or law enforcement requirements override the Privacy Shield principles (para. 164 et seq.) and access under U.S. law is too broad; and
- data subjects do not have sufficient legal remedies; the ombudsman mechanism is too weak (para. 186 et seq.).
This invalidity (nullity) expressly takes effect immediately:
[202] On the question of whether the effects of this decision should be maintained in order to avoid the creation of a legal vacuum […], it should be noted that, in view of Art. 49 of the GDPR, the annulment of an adequacy decision such as the Privacy Shield decision cannot in any case create such a legal vacuum. This provision clearly regulates the conditions under which personal data may be transferred to third countries if there is neither an adequacy decision pursuant to Art. 45(3) of the GDPR nor appropriate safeguards within the meaning of Art. 46 of the GDPR.
A list of the certified companies can be found on the Privacy Shield List.
Preliminary assessment of the impact
The ECJ’s ruling here is unsurprising. In particular, it should mean the following:
- The Privacy Shield, like the Safe Harbor agreement before it, no longer applies. Data transfers to recipients in the U.S. that have relied solely on the Privacy Shield are inadmissible (both new transfers and transfers previously made on this basis, if the relevant data continues to be located in or accessible from the U.S.).
- However, some contracts with Privacy Shield-certified companies additionally provide for the standard contractual clauses, or provide that these apply eo ipso should the Privacy Shield fall. In this case, the transfer may still be permitted, but it does not have to be (see below on standard contractual clauses).
- Some contracts provide only for a duty of the certified recipient to conclude standard contractual clauses if the Privacy Shield ceases to apply. Standard contractual clauses must therefore be concluded anew here (as well as additional agreements if necessary, see below). The same applies if no corresponding provisions have been agreed with the certified recipient.
- At least where standard contractual clauses have to be newly concluded and this is expected to take some time, a suspension of the transfers should be considered.
- Recipients that have contractually agreed to comply with the Privacy Shield (which does occur, sometimes explicitly even for the case that the Privacy Shield no longer applies) remain bound by this. While, according to the ECJ's findings, the Privacy Shield never provided sufficient protection, it is better than nothing. In these cases, replacement by standard contractual clauses may be less urgent.
- In such cases, the exporter may also argue that, although the Privacy Shield is not generally effective according to the ECJ's decision, it is nevertheless sufficient in the specific case because the risks are particularly low. Standard contractual clauses should be concluded in such a case too, but until then the exporter may not be in breach.
- Not to be forgotten are the exceptions to the prohibition of transfers to third countries under Art. 49 GDPR (e.g. explicit consent, performance of a contract, safeguarding of legal claims, etc.).
As for the CH/US Privacy Shield:
- it has not been formally revoked. However, the Privacy Shield was recognized by a corresponding addition to the FDPIC's list of states within the meaning of Art. 6(1) FADP. The list of states only establishes a presumption, though, not a fiction. It is therefore conceivable (but hardly relevant in practice) that a transfer on the basis of the Privacy Shield is, or already was, contrary to data protection law today;
- it will probably be lifted soon, i.e. the FDPIC is expected to adjust the list of states. However, the FDPIC must, or should, first check whether the standard of adequacy is the same as under the GDPR. It should be noted that the Charter of Fundamental Rights invoked by the ECJ in this context does not, of course, apply to Switzerland. Rather, adequacy is to be assessed according to the standard of Council of Europe Convention 108. From a legal point of view, it is therefore not strictly mandatory for the FDPIC to come to the same conclusion, even if this is of course very likely from a practical point of view.
On the effectiveness of standard contractual clauses
No invalidity…
The considerations on the standard contractual clauses hold more potential for surprise, at least if one leaves aside the Advocate General's indications. The standard contractual clauses do remain valid.
… at the price of high requirements
However, these clauses are assessed in the abstract and not in relation to a specific country or territory, which is why they do not take all possible risks into account. This does not lead to their ineffectiveness, but conversely, they are not to be understood as conclusive either. On the contrary, Recital 109 of the GDPR states that controllers and processors "should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses."
Accordingly, the data-exporting controller or processor has the right to supplement the clauses as necessary. The ECJ takes this as its starting point, but by no means leaves it at that.
Rather,
- a risk assessment is required in each individual case, and
- there may be an obligation to supplement the standard clauses (paras. 133 and 134).
This means,
- that it is not sufficient to conclude standard contractual clauses indiscriminately (in the case of exports from Switzerland, perhaps adapted to Swiss peculiarities and with a notification to the FDPIC) and otherwise rely on the recognition of the clauses as a sufficient guarantee.
- Rather, the controller must carry out a risk assessment before using the clauses (where not only the risks arising from the law of the destination state may be decisive, but also counterparty risks: if the receiving party is not in a position to cooperate to a certain extent, the duties to cooperate provided for in the clauses come to nothing) and consider whether the clauses cover the specific risks, supplementing them where necessary and possible.
- To the extent that specific foreign risks can be countered with further agreements, these must be concluded prior to the transfer. The ECJ is clear on this point:
[134] In this regard, as the Advocate General pointed out in point 126 of his Opinion, the contractual mechanism provided for in Article 46(2)(c) of the GDPR is based on the idea that the sense of responsibility of the controller established in the Union or its processor established there and, secondarily, of the competent supervisory authority is awakened. Consequently, it is primarily incumbent on that controller or its processor, as the case may be, to verify on a case-by-case basis, where appropriate in cooperation with the recipient of the transfer, whether the law of the third country of destination ensures, in accordance with Union law, an adequate level of protection of personal data transferred on the basis of standard data protection clauses and, where necessary, to provide more safeguards than those offered by those clauses.
However, this raises the question, which risks can be contractually countered at all:
- The risks that led to the Privacy Shield case are risks arising from U.S. law, and since public authorities are not bound by standard clauses, the emergence of these risks cannot be influenced. However, they will need to be assessed differently depending on the sensitivity of the data and the extent of its transfer and its modalities (e.g., physical transfer of data vs. access on a case-by-case basis, duration of on-site storage, etc.).
- However, a mitigation of their effects is possible, for example by defining a procedure for how the data recipient responds to lawful access requests. The Cloud Guide of the Bankers Association provides pointers here.
If the required protection cannot be guaranteed even with additional clauses, the exporter must consistently suspend or terminate the data transfer (para. 135):
If the controller established in the Union or its processor established there cannot take sufficient additional measures to ensure such protection, it – or, secondarily, the competent supervisory authority – is obliged to suspend or terminate the transfer of personal data to the third country concerned. This is the case in particular if the law of that third country imposes obligations on the recipient of personal data transferred from the Union that conflict with the aforementioned clauses and are therefore likely to undermine the contractual guarantee that there is adequate protection against access to such data by the authorities of that third country.
A summary of these requirements can be found in para. 140 et seq.:
[140] Clause 5(a) and (b) gives the controller established in the Union the right to suspend the data transfer and/or withdraw from the contract in the two cases it covers. Considering the requirements stemming from Article 46(1) and (2)(c) of the GDPR in light of Articles 7 and 8 of the Charter, the controller is obliged to suspend the data transfer and/or withdraw from the contract if the recipient of the transfer is not or no longer able to comply with the standard data protection clauses. If the controller failed to do so, it would be in breach of the obligations incumbent upon it under Clause 4(a) of the Annex to the SCC Decision, interpreted in light of the GDPR and the Charter.
[141] Thus, Clause 4(a) and Clauses 5(a) and (b) of this Annex impose an obligation on the controller established in the Union and on the recipient of the transfer of personal data to ensure, before transferring personal data to a third country, that the law of the third country of destination permits the recipient to comply with the standard data protection clauses annexed to the SCC Decision. […]
[142] […] The recipient of the transfer, pursuant to Clause 5(b) of the Annex to the SCC Decision, may be required to notify the controller that it cannot comply with the clauses, whereupon the controller must suspend the data transfer and/or withdraw from the contract.
It is probably too early to make predictions, but it is possible that the Schrems II ruling will lead to the following:
- Data transfers to countries without adequate protection will generally be handled more cautiously. It was already questionable whether the widespread intra-group transfer agreements, which made blanket reference to the standard contractual clauses without specifically defining the transfers covered, their parties and their subject matter, were still permissible. Now, with the requirement to assess risks on a case-by-case basis, this conclusion becomes even more likely.
- Providers in the EEA are strengthened.
- For data transfers to the USA in particular, the question is how the risks of access by the authorities criticized by the ECJ can be mitigated. However, the U.S. is far from the only country whose authorities have extensive surveillance and access powers. The U.S. is in the spotlight because of the Privacy Shield and ultimately the Snowden affair, but this should not lead us to regard all other countries as harmless.
- The risk assessment for the transfer of personal data is approaching that for the transfer of legally protected secrets such as bank client or patient data. The transfer of personal data becomes correspondingly more complex.
- Informing the data subjects about transfers to third countries is becoming more important.
- When the standard clauses are used, additional clauses will become customary; these will clarify, tighten or supplement the obligations of the importer arising from the standard clauses, probably starting with the importer's duties to cooperate.
- Some service providers outside Europe will try to show in negotiations, with white papers and the like, that their local law does not contain any powers of intervention that contradict the standard clauses, or that such powers can be countered with additional clauses.
- Regulators will review (after a transition period) how companies assess and, if necessary, mitigate risks when transferring data to third countries.
- The importance of anonymized data increases. This also applies to the cross-border exchange of data within a group of companies.
In any case, it will be interesting to see how the standard contractual clauses are adapted or supplemented in the future. Work on this is underway within the EDPB (European Data Protection Board).