The ECJ invalidated the Privacy Shield adequacy decision – Another milestone in the legislative development on international data protection law

By: Dr. Buzás Anna

The 16 July 2020 ruling of the European Court of Justice invalidated the Privacy Shield Agreement earlier established between the EU and the USA, an utmost important decision in the field of international data protection and transfer legislation. The ruling may fundamentally reform global digital culture where the right to prosecute crime will eventually come only second to the right to protect individual citizens’ personal data.  

The decision of the ECJ and the background of the proceeding

A data recipient can no longer simply refer to the adequacy of the Privacy Shield as a guarantee for safe personal data transfer outside of the EEA, as according to the ECJ it provides neither adequate protection against potential misuse nor effective legal remedies to European citizens.

The verdict was preceded by a complaint procedure initiated by an Austrian Facebook user before the Irish Data Protection Authority in 2013, as a result of which the ECJ also ruled in a preliminary ruling procedure that the Safe Harbor institutional system, the predecessor of Privacy Shield, was invalid. Following this decision, the Commission accepted the Privacy Shield Agreement, which replaced the Safe Harbor. Nevertheless, the Austrian applicant upheld the complaint and asked the authorities to ban the transfer of his personal data to the US, as Facebook's Irish subsidiary, highlighting that Facebook Ireland (the subsidiary of the US parent company) transferred his data to the US to Facebook Inc., to be eventually be exposed to the US security- and intelligence service for screening purposes, which, however, violates fundamental civil rights enshrined in the Charter of Fundamental Rights of the Union. The complainant also highlighted that US law, in its framework of extensive criminal prosecution, obliges Facebook’s parent company to provide the users’ data for security screening, no matter whether the personal data belong to foreigners (Europeans, for that matter), which, however, is contrary to the rights of citizens of the European Union enshrined in the Charter of Fundamental Rights and in the GDPR.

The data protection complaint proceeding was initiated against the Irish subsidiary of Facebook Inc. as the Irish company was responsible for the transfer of all European users’ personal data to the US parent company. The implications of the case however, extend beyond FB Ireland’s data protection law infringement: the Irish Supreme Court initiated a preliminary ruling proceeding before the ECJ, to review two data protection compliance decisions, on one hand on the Standard Contractual Clauses mechanism and on the other, the Privacy Shield Agreement, which hitherto provided the legal grounds for transferring personal data in compliance with GDPR, to non-EEA-states, including the USA.  The GDPR currently in force provides that personal data, as a matter of principle, can only be transferred to third countries if the recipient state guarantees adequate data protection. The GDPR sets out that the Commission is entitled to establish whether a third country’s national law or international agreement guarantees adequate level of data protection. In lack a of so-called adequacy decision, companies established outside the EEA shall comply with additional criteria of data protection to guarantee that they may lawfully receive such data.

Such an adequacy decision was made in 2016 on the Privacy Shield, to be confirmed again in the 2017 and 2018 reviews by the European Commission, which all concluded that the mechanism provided an adequate safeguard to the transfer of personal data from Europe.  In practice, the application of the mechanism meant a simple green-pass on data protection compliance criteria granted to thousands of US-based corporations that applied online for a Privacy Shield Certificate issued by the US Trade Department. Corporations that acquired the certificate were regarded as an EEA member state or a state that qualified as compliant with data protection requirements in line with the Commission’s decision. Considering that the compliance with the Privacy Shield exempted corporations from several other statutory obligations – which corporations established in third countries would otherwise be obliged to perform -, more than 5000 US corporations decided to obtain the certificate. However, the operations of these companies have changed dramatically since the latest decision of the ECJ.

The ECJ ruling highlighted that the Privacy Shield mechanism, similarly to the preceding Safe Harbor mechanism, declared the priority of state security, public order and criminal prosecution that justifies the (federal/state) authorities’ intervention to the rights of those private persons whose data were transferred from the EU to the US.  The ECJ declared, in this regard, that the mechanism still failed to provide, before all, an effective system of legal remedies, which would allow the injured parties to enforce their rights before court against authorities that had possibly infringed their rights. For these reasons, the ECJ decided to invalidate the adequacy decision on the Privacy Shield Agreement. 

What’s next?

Since the US-based corporations were qualified by the Commission as compliant with data protection principles only on the grounds limited to the validity of the (now void) Privacy Shield, several thousands of corporations will be obliged to transform their data transfer mechanism in the near future. The US Trade Department responded in light of the ECJ ruling that it intends to proceed with the adequacy certification process and will update the registry of  member companies that joined the Privacy Shield, yet this does not mean that corporations shall wait passively for a positive outcome. Until the legal grounds for data transfer are merely certificates based on the void Privacy Shield, the ECJ and national data protection authorities will likely ignore these, and will conclude such data transfers unlawful, imposing significant amounts of penalty on the involved corporations.

At the same time the ECJ declared that the ruling will not cause a legislative gap as the GDPR expressly regulates cases and criteria that (third-country) corporations shall follow in lack of applicable adequacy decisions or any other guarantees. As for now, corporations shall review their data protection systems and processes, to ensure compliance with all GDPR criteria set out for them. Among other precautions, a company may decide to:

  • obtain the involved party’s express consent to data transfer;
  • certify that the data control shall take place to perform public order obligations;
  • certify that data transfer is necessary to perform contractual obligations;
  • certify that data transfer is necessary for the submission, enforcement of legal claims or protection of rights;
  • apply mandatory corporate rules;
  • apply the code of conduct approved and based on the GDPR; or
  • transfer to the use of SCC (Standard Contractual Clause) mechanism adopted by the European Commission.

No matter how an involved corporation decides to proceed, after the ECJ ruling it will no longer suffice to ground the compliance of data transfer simply by reference to a code of conduct, or in itself not even the SCC mechanism approved by the Commission. The consequences of the ruling for  multinational companies is that data transferors will be obliged to carry out comprehensive and extensive investigation and evaluation of the target recipient company to determine whether the necessary guarantees of personal data protection  apply in the particular recipient state. In lack of investigation, the data controlling will be held unlawful, and European member states’ data protection authorities will be obliged to suspend or ban the transfer of personal data to the US (or other non-EEA country) , if the case investigation leads authorities to conclude that the protective instruments set in the GDPR are disregarded or they contradict the existing rules of law of the recipient country, and that the protection set in the EU Charter cannot be guaranteed otherwise.