No More Data from Germany? European Court of Justice Invalidates the EU-U.S. Privacy Shield
Axel Spies
German attorney-at-law (Rechtsanwalt)
Dr. Axel Spies is a German attorney (Rechtsanwalt) in Washington, DC, and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).
On July 16, 2020, the “Grand Chamber” of the European Court of Justice (ECJ) invalidated the EU-U.S. Privacy Shield. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration in 2016 to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
The immediate reaction from the Berlin Data Protection Agency sounds dramatic: “The Berlin Commissioner […] calls on all data controllers under her supervision to comply with the decision of the ECJ. Data controllers who transfer personal data to the USA—especially when using cloud services—are now required to switch immediately to service providers in the European Union or in a country with an appropriate level of data protection. […] We accept the challenge that the ECJ explicitly obliges the supervisory authorities to prohibit inadmissible data transfers.”
Strong words—whereas the reaction of U.S. Commerce Secretary Wilbur Ross sounds much different: “The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
Not the First Time the ECJ Steps In
How to make sense of this discrepancy?
In 2015, the Austrian activist Max Schrems already scored a victory before the ECJ. It came from a complaint he brought to the Irish Data Protection Commissioner where he challenged the transfer of his data (and the data of EU residents generally) to the U.S. The case led the ECJ on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data transfers between the EU and the U.S. What followed were almost frantic negotiations that led to an agreement between the European Commission and the Obama administration on the Privacy Shield in May 2016.
Since then, approximately 5,300 U.S. companies have signed up and given their commitments to the U.S. Department of Commerce to honor the “Privacy Shield Principles”—70 percent of them small and medium-sized companies. This Privacy Shield decision was then challenged by Mr. Schrems. So the ECJ has now ruled a second time on EU-U.S. data transfers. But the 5,300+ U.S. companies cannot easily walk away from their commitments under the Privacy Shield Framework because it was made under U.S. law and is enforced by the Federal Trade Commission. While the companies are not in an enviable situation, Mr. Ross’s statement makes sense, especially since the separate Swiss-U.S. Privacy Shield continues to apply. With the Trump administration, there is no Plan B at the EU for quick fixes as in 2015/16 with the Obama administration. The Trump administration is currently not on friendly terms with the EU, and there are serious disputes over Germany’s Nord Stream 2 Pipeline, France’s new Digital Services Tax law, EU airline subsidies, and the trade deficit with the EU, to name just a few issues.
The ECJ’s Privacy Shield decision is more complex than for Safe Harbor. The court focuses on government surveillance practices in the U.S., which the ECJ views as unjustly prioritizing national security over the rights and freedoms of EU data subjects. In particular, the ECJ noted that Section 702 of the Foreign Intelligence and Surveillance Act (FISA) and Presidential Policy Directive 28 lacked the requisite protections. Moreover, the ECJ ruled that the Privacy Shield did not provide European data subjects with actionable rights in court against the U.S. government. These U.S. laws are not likely to change any time soon. The FISA Amendments Reauthorization Act of 2017 went into law in January 2018, FISA’s Section 702 allows the National Security Agency to conduct searches of foreigners’ communications without warrant. There is no foreseeable majority in Congress in an election year to revise FISA to accommodate the ECJ.
No More Data Exports from Germany?
There is no grace period in the ECJ’s decision because the judges believe that the decision does not create “a legal vacuum.” However, it is wishful thinking to expect that the ECJ ruling will immediately stop or even significantly reduce data flows from Germany to the U.S.:
- Interrupting the data flows will hurt German companies that have longstanding business relationships with their U.S. counterparts. While the concept of “data sovereignty” sounds good for individual EU citizens, it is easier said than implemented, given the current extent of international data flows and need for extensive global cooperation (e.g., in the fight against COVID-19).
- Other legal tools remain available to data exporters, such as the Standard Contractual Clauses (Model Clauses) for transferring data out of the EU. Many U.S. companies will now look at their data transfer agreements and negotiate amendments if necessary. The all too common “sign-and-shelf approach” for the Model Clauses is a thing of the past. Rather, the individual data exporters and importers will need to amend these Model Clauses to ensure that the data importers provide “adequate data protection” as required by the ECJ. They will look for guidance from the regulators on these amendments and on additional safeguards that they will need to impose on the data importers in the U.S. via a contract.
- The ECJ decision only allows individual decisions of the national regulators: The Court states that if a supervisory authority “considers that transfers of data to a third country must, in general, be prohibited, [it must] refer the matter to the European Data Protection Board (“EDPB”) for an opinion, which may […] adopt a binding decision, in particular where a supervisory authority does not follow the opinion issued.” This process gives a degree of discretion to the national data protection agencies but does not entitle them to prohibit data flows to the U.S. on a general level without the “opinion” (authorization) of the EDPB. It remains currently open how individual “proactive” national data protection agencies in the EU will use the discretion.
- Individual actions and sanctions by a German data protection authority could likely be challenged in court, e.g., under the equal treatment clause (Art. 3) of the German Basic Law. If the regulators open cases against data flows into the U.S., they must also investigate similar data flows to China, India, Russia (and even Israel).
- Other German regulators are already more cooperative than Berlin. For instance, the German Federal Data Protection Office (BfDI) has already stated that “companies and public authorities can no longer transfer data on the basis of the Privacy Shield that the ECJ has declared ineffective. We will provide intensive advice on the transition.” It will take weeks, if not months for the German regulators to agree on a joint approach.
The ECJ decision will also have an impact on the current negotiations between the EU and the UK for the Post-Brexit agreement. The transition period for Brexit will end on December 31, 2020. It cannot be extended beyond that date. UK surveillance is a sore point for many activists in the EU. Thanks to the ECJ decision, it is now even less likely that the European Commission will grant the UK “adequacy status” by December 31 without a lengthy review process. As of this date, the UK will likely become a country of “inadequate data protection” for the EU. If the UK and the U.S. will then continue with the Privacy Shield, the UK may even gain an advantage for international data transfers vis-a-vis the EU.