On 16 July 2020, the Court of Justice of the European Union ("CJEU") examined the validity of the European Commission’s Privacy Shield Decision (Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield) as well as the validity of the European Commission’s Decision 2010/87/EC on Standard Contractual Clauses between the data exporter in the EEA and the data importer in the third country ("SCCs"). While the CJEU ruled that the Privacy Shield Decision is invalid, it explicitly upheld the decision on the SCCs. So what does that mean for personal data transfers to the US and other non-EEA countries that do not guarantee an adequate level of data protection similar to the one in the EEA?
Implications of the CJEU's Decision
With all the attention that data privacy has been getting since the GDPR came into effect on 25 May 2018, it is common knowledge these days that countries outside the EEA typically do not offer an adequate level of data protection from a GDPR perspective, apart from a few exceptions. Hence, certain transfer mechanisms are required for a data exporter in the EEA to be able to transfer personal data to a recipient in a third country. Such mechanisms include the EU-US Privacy Shield and the SCCs.
Obviously, after the CJEU's decision, it is no longer possible to rely on the EU-US Privacy Shield. There is no grace period. This means that companies that used to rely on the EU-US Privacy Shield should have switched to another recognized transfer mechanism by now. But what are the alternatives? And what does the CJEU'S decision mean for the use of SCCs between the data exporter in the EEA and the data importer in the US or another third country?
Simply put, the CJEU ruled that the EU-US Privacy Shield Decision is null and void, as US authorities such as the NSA can basically access, in the interest of national security, EU citizens’ personal data that are transferred to the US at any time, and there is no legal recourse for the affected data subjects. As a consequence, the data importer in the US cannot possibly guarantee an adequate level of data protection in line with GDPR requirements. But the same is true as far as any of the other recognized transfer mechanisms under the GDPR are concerned, including the SCCs. The CJEU held that the SCCs are generally an acceptable means of safeguarding data transfers to third countries. But it reiterated that the GDPR imposes an obligation on the data exporter and the data importer to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is actually respected in the third country concerned. Where that is not the case, the data importer must inform the data exporter of its inability to comply with the SCCs, in which case the data exporter is obliged to suspend the transfer of personal data.
But there is a silver lining: the CJEU also pointed out that the data exporter and the data importer may consider taking appropriate supplementary measures in addition to the SCCs in order to protect the personal data that is to be transferred. If such measures ensure that foreign domestic law in the relevant third country does not impinge on the adequate level of protection the SCCs guarantee, a data transfer can be permissible.
So what are adequate supplementary measures? For the time being there is no clear-cut answer. Even the European Data Protection Board is clueless. The best they could do on short notice was to issue a statement whereby they will look into this question and provide further guidance.
On that basis, it is rather difficult to give practical advice, but companies may want to consider the following options:
- Suspending all non-essential data transfers to third countries; in particular, such countries for which there is no adequacy decision of the European Commission. This applies not only to the US; other countries come to mind that at some point might face similar issues based on the CJEU's rationale, such as China and Russia. It seems feasible to consider the available options in good time to make data transfers (both intragroup and to third parties such as service providers) future-proof.
- Where possible, companies may want to consider switching to service providers that are located in the EEA or a third country that is regarded as being “safe” based on an adequacy decision of the European Commission.
- Moreover, companies should look into end-to-end encryption as a supplementary security measure. One might think that this is just window dressing, as there is probably no encryption available that can actually prevent the NSA or similar authorities in other countries from accessing data. Also, if the data is available to the recipient in the third country, it is to be expected that authorities have ways to demand disclosure from that recipient and would not even need the key to the encrypted files. But there is a consensus that high-end encryption makes accessing data more difficult or, in some cases, maybe even impossible; Art. 32 para. 1 lit a) of the GDPR confirms that encryption is generally an appropriate technical measure to ensure the security of personal data.
- Also, encryption combined with a data transfer structure may effectively ensure that foreign domestic law in the third country does not impinge on the adequate level of protection the SCCs guarantee. For instance, if the data is hosted exclusively in the EEA or another safe country with no local copies being retained in the third country, it can only be accessed if the recipient in the third country has the key for the encryption, and the key can be changed by the EEA data controller at any time. That means that the EEA controller can effectively prevent access to the data by changing the key and, in that case, the authorities can hardly force the recipients in the third country to disclose the data, because they do not have access to it.
- Additional technical security measures can include the anonymization or pseudonymization of personal data, whereby only the data exporter can match the data to specific individuals.
Where data transfers to third countries cannot be avoided, it may be possible to justify the transfer upon the affected data subjects’ consent, even if there may not be an adequate level of data protection, or to resort to any of the other derogations for specific situations pursuant to Art. 49 GDPR, depending on the facts of the case (e.g. the necessity of the data transfer for the performance of a contract concluded with the data subject or in the interest of the data subject).
In any event, companies need to keep an eye on the developments; in particular, the guidance that the European Data Protection Board promised to provide and what the EU supervisory authorities have to say on the topic.