
Data protection: Privacy Shield Does Not Allow Data Transfer to the USA

Transfers of personal data to companies in the USA can no longer be based on a Privacy Shield certification of the data recipients. According to the European Court of Justice (ECJ, judgment of 16.07.2020 - Case C-311/18), the data protection agreement is invalid as the legal basis for a third country transfer.

Background

The Privacy Shield is based on a decision of the EU Commission (2016/1250), which was taken after the ECJ had already struck down the so-called Safe Harbor Agreement in October 2015 (judgment of 06.10.2015 - Case C-362/14).

The background to this is that personal data may only be transferred to a third country if an adequate level of data protection is in place in that country. For some countries (e.g. Switzerland, Israel, most recently Japan), the EU Commission has established this with binding effect by means of so-called adequacy decisions, so that data transfers to these countries require no more consideration than a corresponding transfer within the EU. For the USA this is now (again) no longer the case.

More than 4,000 US companies had obtained certification under the Privacy Shield to enable group companies or business partners to transfer employee or customer data to them. However, since access to and monitoring of this data by US intelligence services was too extensive and non-transparent, and the individuals concerned could not obtain legal protection in the USA according to EU standards, the Privacy Shield does not guarantee an adequate level of data protection, according to the Luxembourg judges. The proceedings, which are formally directed against Facebook, were initiated by the Austrian data protection activist Max Schrems, who was also responsible for the invalidation of the Safe Harbor Agreement.

Effects

The decision of the ECJ on the invalidity of the Privacy Shield had been expected - probably even by the EU Commission itself, which declared in a press release on the decision that it was already working on alternatives to the Privacy Shield. Nevertheless, all data transfers to the USA that are based on a corresponding certification are inadmissible with immediate effect.

In contrast, the EU standard contractual clauses, which were also the subject of the "Schrems II" proceedings, remain valid. These are contracts specified by the Commission in which data exporters and importers commit themselves bilaterally to adhere to certain data protection standards in order to ensure a legally secure transfer. In contrast to the Privacy Shield, the application of the EU standard contractual clauses gives EU supervisory authorities the power to prohibit unlawful transfers to the USA, and the persons concerned are entitled to effective legal remedies in the event of unlawful data transfers.

The EU standard contractual clauses are already widely used and will become even more important as a result of the ECJ ruling. For companies that had already concluded these contracts, nothing will change; for all others, there is currently no real alternative but to use this legal instrument as well, unless they wish to make use of the purely theoretical possibility of refraining from data transfers to the USA in the future.

There is a need for action for companies that state in the data protection declaration of their website - especially in connection with social media plug-ins - that user data is transferred to the mostly US-based plug-in providers on the basis of a Privacy Shield certification. The statement itself has been incorrect since the ECJ decision and appears open to challenge under competition law because it is misleading. In this respect, a number of higher regional courts have now decided that violations of the General Data Protection Regulation can also be subject to formal warnings as competition violations. Data transfer via such plug-ins must now be arranged by the providers on the basis of EU standard contractual clauses. If the providers do not guarantee this, the use of such social media plug-ins should be avoided for the time being.
