What is it about?
A legal dispute between a private individual (Maximilian Schrems) and the Irish regulatory authority regarding the transfer of his personal data by Facebook Ireland to Facebook's parent company in the USA
The General Data Protection Regulation (GDPR) also applies to the transfer of personal data to a third country in cases where the secret services of that country require access to the data for reasons of national security or defence.
The exceptions in Art. 2 (2) a, b, d of the GDPR apply only to the Member States.
The so-called "Privacy Shield", the Commission's adequacy decision under Art. 45 GDPR (Decision 2016/1250 of 12.07.2016, still referring to the Data Protection Directive 95/46/EC), by which the Commission found in 2016 that the USA provided an adequate level of protection for the personal data of natural persons under certain conditions and thereby made transfers of data to the USA generally possible, is invalid with immediate effect.
Because of the powers of the US secret services and the legal situation in the USA, an adequate level of data protection cannot be guaranteed, among other reasons because:
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) provides neither restrictions on the surveillance measures of the secret services nor guarantees for non-US citizens
- Presidential Policy Directive 28 (PPD-28) provides no effective remedies against measures taken by US authorities and no safeguards that would ensure such measures are proportionate
- the ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive; he cannot issue binding orders to the secret services
The standard contractual clauses adopted by the Commission in 2010 (Decision 2010/87/EU of 05.02.2010; Art. 46(2)(c) GDPR) remain valid.
A level of protection for personal data must be ensured which is equivalent to that in the European Union.
However, standard contractual clauses cannot bind the authorities of a third country. Where those authorities are empowered under the law of that country to interfere with the rights of data subjects, the clauses therefore do not provide adequate protection unless the parties take additional measures.
- They must be interpreted in the light of the EU Charter of Fundamental Rights and of Art. 46(1) GDPR: appropriate safeguards by the controller or processor, enforceable rights and effective remedies for data subjects
- Not only the contractual relationship between data exporter and data importer is relevant here, but also the possibility of access to the data by authorities of the third country and the legal system of that country in general (legislation and jurisprudence, administrative practice of authorities)
The data controller must assess on a case-by-case basis whether the law of the third country provides an adequate level of protection and take appropriate additional measures or agree upon them with the data importer.
- in cases where the controller cannot ensure suitable protection even with additional measures, the controller must suspend or terminate the transfer
- this applies in particular if the law of the third country imposes obligations on the data importer that are likely to contravene contractual rules providing for appropriate protection against access by state authorities
If such an adequate level of protection is not ensured, the data protection supervisory authority must suspend or prohibit the transfer of data if the protection cannot be achieved by other means.
Who is affected by the court's decision?
The judgment of the European Court of Justice initially has only an inter partes effect and is therefore formally binding only on the Irish court that made the reference. In practice, however, it already binds all authorities and courts of the Member States that deal with the same question of interpretation, since they must interpret and apply the GDPR in accordance with the case law of the ECJ.
If the ECJ declares a Community legal act (such as the Privacy Shield) invalid, all courts and authorities in all Member States are bound by it and thus also all companies subject to EU law (erga omnes effect).
In this respect, the decision affects all public authorities or companies that transfer data to the USA, especially if they have previously based the transfer on the Privacy Shield, but also if they have used standard contractual clauses for this purpose (more details in the following).
Examples (non-exhaustive):
- You are in commercial relations with companies based in the USA and exchange personal data with them relating to customers (delivery addresses, complaints, orders, etc.) or your employees (contracts, networks, etc.)
- You store data in a cloud hosted by a company in the USA outside the EU.
- You use a videoconferencing system from a US provider that collects data on participants and transmits it to the USA.
At the same time, the ruling contains general statements on the use of standard contractual clauses for transfers of data to third countries, so that all public authorities and companies that transfer data not to the USA but to another third country are also affected by the ruling.
Example: You transfer data to the United Kingdom.
The effects of the court decision are therefore potentially far-reaching.
What does the ruling mean in practical terms? / What is to be done?
If you transfer data to the USA or use a processor who transfers data to the USA:
The Privacy Shield no longer constitutes a valid legal basis for the transfer; any data transfers carried out on that basis nevertheless are unlawful and may result in fines and claims for damages.
Although a transfer based on standard contractual clauses is conceivable, it will only rarely meet the requirements that the ECJ has set for an effective level of protection:
In this case, the controller must provide additional guarantees that effectively prevent access by the US secret services and thus protect the rights of the data subjects; this would be conceivable in the following cases:
- Encryption in which only the data exporter holds the key and which cannot be broken even by the US secret services
- Anonymisation, or pseudonymisation in which only the data exporter can re-establish the assignment to the data subject
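As an added illustration (not part of the LfDI guidance), the following Python sketch shows what the second measure looks like in practice: the EU-side exporter pseudonymises records with a keyed HMAC before transfer, retains the key and the re-identification table in the EU, and checks that no direct identifier reaches the exported payload. The customer records and key are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed sample records (not real customer data). The direct identifiers are
# the fields a US importer must never be able to resolve on its own.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example", "order": "O-1001", "country": "DE"},
    {"email": "bob@example.com", "name": "Bob Example", "order": "O-1002", "country": "FR"},
]
DIRECT_IDENTIFIERS = ("email", "name")


class Exporter:
    """EU-side data exporter: holds the pseudonymisation key and the re-identification table."""

    def __init__(self, secret_key: bytes):
        self._key = secret_key   # never leaves the exporter
        self._lookup = {}        # token -> original identifiers, kept in the EU only

    def _token(self, value: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key, the importer cannot
        # recover tokens by hashing a list of candidate e-mail addresses.
        return hmac.new(self._key, value.lower().encode(), hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record: dict) -> dict:
        """Return the record with direct identifiers replaced by a token."""
        token = self._token(record["email"])
        self._lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = token
        return out

    def reidentify(self, token: str):
        """Only the exporter can resolve a token back to the data subject."""
        return self._lookup.get(token)


def export_payload(exporter: Exporter, records: list) -> str:
    """Serialise what actually crosses the border: tokens plus non-identifying attributes."""
    return json.dumps([exporter.pseudonymise(r) for r in records])


def leaks_identifiers(payload: str, records: list) -> bool:
    """Pre-transfer check: no original identifier value may appear in the payload."""
    return any(str(r[k]).lower() in payload.lower() for r in records for k in DIRECT_IDENTIFIERS)
```

Attributes such as order number or country remain in clear text here; whether they are themselves identifying has to be assessed per data set before relying on this measure.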
Transfer under Article 49 GDPR is conceivable; however, the generally restrictive character of this provision must be taken into account, see also Guidelines 2/2018 on the exceptions under Article 49 of Regulation 2016/679 of the European Data Protection Board (EDPB) of 25 May 2018, available at https://edpb.europa.eu/our-work-tools/our-documents/directrices/guidelines-22018-derogations-article-49-under-regulation_de:
- The wording of the title "Exemptions for specific cases": Art. 49 is by nature an exception to the prohibition of transfers to third countries that do not provide an adequate level of data protection
- For Art. 49(1) subpara. 1 (b), (c) and (e) GDPR (necessary for the contract or to assert legal claims), additionally the wording of Recital 111: "occasional" data transfers, not systematically repeated
- Even more restrictive: Art. 49(1) subpara. 2 for cases where none of the specific exceptions applies (transfer not repeated, only a limited number of data subjects, necessary for the controller's compelling legitimate interests, not overridden by the interests or rights and freedoms of the data subject)
- In addition, under Art. 49(3) GDPR, Art. 49(1) subpara. 1 (a), (b) and (c) and subpara. 2 do not apply to public authorities when exercising their sovereign powers
If you transfer data to another third country:
In this case, you should check the legal situation in the country in question, in particular the access possibilities of its secret services and the rights and legal remedies available to data subjects, and also include the supplements to the guarantees of the standard contractual clauses mentioned under IV.
Where and how to start? / Checklist
You should immediately
In the event that data transfer would not be permissible after these verification steps, the last resort would be to transfer data in accordance with the exceptional provision of Art. 49 GDPR.
This can be considered in particular for data transfers within a corporate group or in individual contractual relationships. In each case it would have to be examined whether the restrictive character of the provision stands in the way of the transfer.
The main focus of the further procedure of the LfDI Baden-Württemberg is to examine whether there are reasonable alternatives without transfer problems in addition to the service provider/contract partner you have chosen. If you are unable to convince us that the service provider/contract partner with transfer problems you are using is irreplaceable in the short and medium term by a reasonable service provider/contract partner without transfer problems, the LfDI Baden-Württemberg will prohibit the transfer of data.
We are aware of the fact that the ECJ ruling could possibly result in extreme burdens for individual companies. The LfDI will base its further action on the principle of proportionality. We will continue to monitor developments and will continuously review and develop our positions accordingly.
IAPP News article: https://iapp.org/news/a/germanys-bfdi-releases-data-transfer-guidance/
Original in German: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/08/LfDI-BW-Orientierungshilfe-zu-Schrems-II.pdf