European Union: CJEU destroys the EU-US Data Protection Shield: Employers Will Have to Be More Careful when Transferring Personal Data to the US
In the Schrems II decision (C-311/18) of July 2020, the CJEU invalidated Commission Decision 2016/1250 on the adequacy of the protection provided by the “EU-US Data Protection Shield”. This means that personal data can no longer be transferred quasi-automatically to the US, as the US does not provide an adequate level of data protection (contrary to what the Commission had found). This decision can have important implications for multinational enterprises when, for example, they want to transfer employee data to their seats in the US.
The GDPR sets certain conditions for transferring personal data to third countries outside the EU. According to Article 45 of the GDPR, the Commission may find that a third country ensures an adequate level of protection. In the absence of such an adequacy decision, a transfer may take place only if the EU-based exporter of the data provides appropriate safeguards, e.g. by including standard data protection clauses (as set out by Commission Decision 2010/87) in a contract, or if binding corporate rules ensure that data subjects have enforceable rights and effective legal remedies. Furthermore, the GDPR details the conditions under which such a transfer may take place in the absence of an adequacy decision or appropriate safeguards.
In the case at hand (which was not employment-related), an Austrian privacy activist, Mr. Schrems, complained that Facebook was transferring his personal data from Facebook Ireland to the US, arguing that this third country does not offer sufficient data protection. He sought the suspension or prohibition of future transfers of his personal data from the EU to the US, which Facebook Ireland carried out pursuant to the standard data protection clauses (set out in the Annex to Commission Decision 2010/87). Therefore, the CJEU had to rule both on the validity of the use of standard data protection clauses according to Decision 2010/87 and on the validity of the Commission’s “EU-US Privacy Shield” Decision (Decision 2016/1250).
As regards Decision 2010/87, the CJEU stated that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed by the GDPR. The assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards possible access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country. The CJEU adds that it is most important that there are effective mechanisms in the third country that make it possible, in practice, to ensure compliance with the level of protection required by EU law, and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of a breach of such clauses or of it being impossible to honour them. The Court finds that Decision 2010/87 establishes such mechanisms, because it imposes an obligation on the data exporter and the recipient to verify, prior to any transfer, whether that level of protection is respected in the third country concerned. The decision also requires the recipient to inform the data exporter of any inability to comply with the standard data protection clauses, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former. Therefore, it is still possible to use the standard contractual clauses as set out in Decision 2010/87 when transferring data to the US.
Next, the CJEU examines the validity of Decision 2016/1250, which forms the basis of the EU-US Privacy Shield. The Court notes that the EU-US Privacy Shield Decision takes the position that the requirements of US national security, public interest and law enforcement have primacy, which allows for interference with the fundamental privacy rights of persons whose data are transferred to the US. The CJEU rules that these restrictions on the protection of personal data, connected to the access to and use by US public authorities of data transferred from the EU, are “not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality”, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
The US rules on access to data by the public authorities do in fact lay down certain conditions, but they do not grant data subjects actionable rights before the courts against the US authorities. Therefore, the EU-US Privacy Shield Decision is invalid. This means that data exporters, like EU employers (which are, for example, branches of MNEs), can no longer rely on the adequacy decision of the Commission regarding the US when they want to transfer personal data (e.g. on their employees). Instead, they will have to rely on other options (mentioned in Article 46 of the GDPR), like the standard data protection clauses, which can be found in Commission Decision 2010/87. It will be very important for these employers to provide such contractual clauses (or binding corporate rules) before the transfer of data, in order to avoid a breach of their obligations under the GDPR.
For more information on these articles or any other issues involving labour and employment matters in the European Union, please contact Chris Van Olmen (Partner) of Van Olmen & Wynant at email@example.com or visit www.vow.be.