As already reported in our previous articles (Does the US Privacy Shield fall because of Max Schrems? and EU-US Privacy Shield overturned by the ECJ), Max Schrems, privacy activist and Facebook user, had complained about the transfer of his personal data from Facebook Ireland Ltd. to its parent company, Facebook Inc. In his view, the USA does not provide a level of data protection adequate to permit data exchange between the EU and the USA, despite the EU-US Privacy Shield and despite the contractual agreement on data exchange concluded between Facebook Ireland and Facebook Inc. The European Court of Justice has upheld this view in full (Case C-311/18).

Specifically, the ECJ examined the compatibility of the Privacy Shield Decision with the GDPR, which must be interpreted in the light of the EU Charter of Fundamental Rights. In particular, the Court examined the fundamental rights to respect for private and family life, to the protection of personal data and to effective judicial protection. The Privacy Shield Decision gives priority to the requirements of US national security over these fundamental rights: surveillance programmes of the US authorities may access personal data transferred from the EU. In the opinion of the ECJ, however, the provisions of the Privacy Shield Decision on the powers of the US authorities are inadequate and do not meet the requirements of Union law, in particular the requirement that all persons be treated equally, whether or not they are US citizens. The interference of the authorities with the fundamental rights of the Union citizens concerned is disproportionate, since the surveillance programmes of the US authorities are not “limited to what is strictly necessary”. This assessment relates in particular to the two programmes PRISM and UPSTREAM of the US security authorities.
The judgment shows that the two programmes allow comprehensive and indiscriminate governmental mass surveillance of both US and EU citizens. Judicial control of the surveillance and of the data processing is not possible, or possible only to a limited extent. The Privacy Shield makes no provision for the EU citizens concerned to enforce their rights effectively in court against the US authorities. According to the ECJ, the possibility of turning to the Ombudsperson in the event of possible legal infringements does not remedy this, since the Court doubts both the independence of the Ombudsperson and the existence of any binding decision-making power vis-à-vis the US intelligence services.
In contrast, the Court held that Decision 2010/87 on the EU standard contractual clauses, on which Facebook relies when transferring data, remains valid. In those clauses Facebook Inc. has contractually warranted to Facebook Ireland that a level of data protection in line with EU standards is maintained in the USA for the transferred data. The standard contractual clauses are binding as a contract, but only between the two contracting parties; they cannot bind the authorities of the third country. To ensure that compliance with the standard contractual clauses is actually reviewed, the ECJ has in this ruling imposed obligations on the data protection authorities of the Member States. The aim is to ensure that the transfer requirements of Art. 46 GDPR are complied with. According to the ECJ, “a transfer of personal data to a third country shall be suspended or prohibited if the standard contractual clauses are not complied with in the third country”. It is crucial for the validity of Decision 2010/87 that it provides effective mechanisms to guarantee the EU level of data protection. Thus, in each individual case, the parties to a data transfer as well as the data protection authorities must assess whether the required level of protection is respected in the third country. In the present case, the Irish data protection authority is obliged to suspend or prohibit the flow of Facebook user data to the USA if the clauses are not complied with.

As the Swiss Federal Data Protection and Information Commissioner (FDPIC) announced, he has taken note of the ECJ ruling. The ruling is, however, not directly applicable to Switzerland. The FDPIC is therefore examining the Court's reasoning in order to issue a statement at a later date. Since the Swiss-U.S. Privacy Shield provides mechanisms that allow Swiss citizens to complain to the Ombudsperson, it currently remains open whether Switzerland will terminate the Swiss-U.S. Privacy Shield.

As a result of the ECJ ruling, companies are forced to examine their exchange of personal data with third countries, and with the USA in particular. Such an exchange can no longer be based on the EU-U.S. Privacy Shield; it must instead be based on the so-called EU Standard Contractual Clauses.
In addition, companies must ensure that technical and organisational measures are implemented that guarantee an adequate level of data protection between the parties in accordance with the provisions of the GDPR.
If the authorities of a third country access the personal data of EU citizens in violation of the rule of law, without the data subjects being able to defend themselves against this by legal means, the data transfer is prohibited.
Implementing these requirements is difficult, especially since guarantees of the rule of law can only be provided by the legislators of the third countries themselves. It remains to be seen, and further clarification will be required, which obligations companies must meet in order to comply with the requirements of the ECJ and the GDPR. A first set of interpretive guidance can be found in the questions and answers published by the European Data Protection Board [2]. In any case, it can be assumed that control mechanisms such as audits, reviews and encryption will become even more important.
Sources:
[1] Judgment of the ECJ in Case C-311/18
[2] European Data Protection Board (EDPB), questions and answers on the judgment in Case C-311/18