Irish Data Protection Commission wants to curb Facebook transatlantic data flow

 November 18, 2020 | Blog

The transfer of personal data between Europe and the United States has been a thorny subject for years. The infamous Safe Harbour principles were declared invalid by the EU Court of Justice some time before the GDPR took effect, and that same institution recently handed down its judgment in Schrems II, holding that the Privacy Shield mechanism that replaced the Safe Harbour principles did not offer European citizens appropriate safeguards. In that same ruling, the EU Court of Justice suggested that the transfer of personal data on the basis of Standard Contractual Clauses (SCCs) cannot be considered to be automatically valid in all circumstances. Without additional measures, privacy watchdogs must suspend or prohibit transfers outside the EU pursuant to SCCs if data protection in the US cannot be assured.

Data Protection Commission

The ink on the EU Court of Justice judgment had only just dried when it was followed by a decision of the Irish Data Protection Commission (“DPC”) halting the flow of personal data of European Facebook users to the United States. According to the DPC, Facebook was unable to meet the EU Court of Justice's demand for additional safeguards, as Facebook clarified in this statement on its website.

Facebook responded by taking the matter to the Irish courts, and won the first round. On 14 September, the High Court handed down an order temporarily freezing the ban, meaning that Facebook is able to continue the transatlantic transfer of data until further notice. The reasoning behind the High Court's order is not known, as the order has not yet been made public.

More to come?

Although Facebook's practices are not immediately impacted by the decision of the Irish DPC, future implications of the proposed measures are as yet uncertain. After all, thousands of companies transfer data to the United States all the time or store their data on servers based in the US. If other authorities take their cue from the Irish DPC, or if the DPC decides to extend the ban to other tech giants that have set up shop in Ireland, such a step could cause widespread business disruption. In addition to the enormous cost involved in adjusting corporate processes in such a way that all data will remain within the EU, the practicalities of such adjustment would present hugely complex issues for internationally operating companies.

The standpoint of the European Data Protection Board

In a statement on the Schrems II judgment, the European Data Protection Board (“EDPB”) confirmed that it had previously identified major flaws in the Privacy Shield. However, it also underlined the importance of the transatlantic transfer of personal data and stands ready to play a constructive part in building a secure framework for that purpose.

The EDPB articulated in its statement that the CJEU's judgment recalls the importance of data exporters and importers complying with their obligations under the SCCs and that it had issued guidelines on the transfer of personal data. The EDPB placed particular emphasis on the fact that although supervisory authorities have the duty to suspend or prohibit a transfer of data to a third country pursuant to SCCs if adequate protection of the data transferred cannot be ensured, consistency is key. Thus, the EDPB appears to cautiously impress upon national supervisors that rather than setting their own rules, they should be open to an EU-wide approach.

However, the FAQ issued by the EDPB in response to the Schrems judgment does make clear that parties transferring data to the US may face huge issues after all. The EDPB says:

“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA.”

Apart from presenting a laborious task, this obligation creates legal uncertainty aplenty.

Rising to the occasion, the authority for the German state of Baden-Württemberg tried to tackle the “problem” created by Schrems II by issuing recommendations for supplementary provisions that can be used to bridge the gaps left by the SCCs. It seems advisable in any event to make use of these supplementary provisions.

The EU's course

In light of the complications following a possible ban on a continued data flow with the US, the stance of the EDPB, the representative body of all European supervisory authorities, makes it unlikely that a ban without alternatives will be the adopted course of the EU.

The question remains, though, for how long and under what (supplementary) conditions the SCCs will remain a viable option, and what mechanism can be put in place to ensure an adequate level of protection and bridge the chasm between US and EU legislation. It is now up to the EDPB to put its mind to those questions.

We will of course keep you up to date on developments.

 
