Travel ban for European data?
What’s this about?
Within the scope of application of the General Data Protection Regulation, personal data may only be transferred to countries outside the European Union if they provide an adequate level of data protection. The EU Commission may explicitly stipulate in a so-called adequacy decision that a certain country provides an adequate level of data protection. To date, the EU Commission has adopted such adequacy decisions for 13 countries, e.g. Canada, Israel, Japan and Switzerland.
One of the 13 adequacy decisions stood out: the EU Commission’s adequacy decision for the US did not stipulate that the US as a whole provides an adequate level of data protection. Rather, an adequate level of protection was deemed to exist only for data processing by US companies that had submitted to the rules of the EU-US Privacy Shield. The list of certified US companies is publicly available at https://www.privacyshield.gov/.
The EU-US Privacy Shield made it much easier for European companies to cooperate with certified US companies. That is because without an adequacy decision by the EU Commission, companies must themselves ensure an adequate level of protection when transferring personal data outside the EU by using and enforcing so-called Standard Contractual Clauses, which are still provided by the EU Commission under the EU Data Protection Directive.
And what does the ECJ say?
In its ruling of 16 July 2020 in case C-311/18 (the referring Irish court has to decide on the processing of personal data by the Irish Facebook subsidiary in the US), the European Court of Justice declared the EU Commission’s adequacy decision on the EU-US Privacy Shield invalid and expressly pointed out that its ruling takes effect immediately. The main reason given was that the EU-US Privacy Shield does not sufficiently protect EU citizens from surveillance by US authorities.
By contrast, the ECJ expressly raised no objection to the EU Commission’s Standard Contractual Clauses. These can, however, only legitimise the transfer of personal data to a third country if the company receiving the data can actually comply with the requirements of the Standard Contractual Clauses.
Everything easy thanks to Standard Contractual Clauses?
Unfortunately not. The same legal situation in the US against which, according to the European Court of Justice, the EU-US Privacy Shield cannot provide sufficient protection raises doubts as to whether US companies can effectively meet the obligations of the Standard Contractual Clauses. Organisational and/or technical solutions are conceivable, e.g. strong pseudonymisation of personal data prior to transfer that the US company cannot reverse, but their implementation can be complicated depending on the business model.
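The strong pseudonymisation mentioned above, as an added example that is not part of the original post: direct identifiers are replaced by keyed HMAC tokens before export, while the key and the re-identification table remain on EU-controlled systems, so the recipient cannot resolve the tokens. The field names `email` and `customer_id` and the sample records are assumptions.

```python
import hashlib
import hmac

# Added example (not from the original post): keyed pseudonymisation of direct
# identifiers before records leave the EU. The secret key and the
# re-identification table stay with the EU controller; the recipient only ever
# sees the tokens and cannot resolve them without the key. A plain unkeyed
# hash would not do, since e-mail addresses can be guessed and hashed.
ID_FIELDS = ("email", "customer_id")  # assumed field names


def pseudonym(key: bytes, field: str, value: str) -> str:
    # The field name is mixed in so the same value in two fields does not
    # yield the same token. Key: e.g. secrets.token_bytes(32), kept in the EU.
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key):
    """Return (export, lookup). `export` may go to the recipient; `lookup`
    maps token -> original value and must never leave the EU."""
    export, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in ID_FIELDS:
            if out.get(field) is not None:
                token = pseudonym(key, field, str(out[field]))
                lookup[token] = str(out[field])
                out[field] = token
        export.append(out)
    return export, lookup


def reidentify(record, lookup):
    """EU-side reversal via the retained lookup table (no key needed)."""
    out = dict(record)
    for field in ID_FIELDS:
        if out.get(field) in lookup:
            out[field] = lookup[out[field]]
    return out


def leaks_identifiers(export, originals):
    """Pre-transfer check: does any original identifier survive in the export?"""
    raw = {str(r[f]) for r in originals for f in ID_FIELDS if f in r}
    return any(str(r.get(f)) in raw for r in export for f in ID_FIELDS)
```

Because the same input always yields the same token under one key, the recipient can still join and count records per customer without learning who the customer is.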
So, no more data to the US?
Probably not. What would certainly be the simplest solution from a legal point of view seems to be impossible in practice. Even though in times of the corona pandemic hardly any Europeans (can) enter the US, our data cross the Atlantic daily with ease. Most of us use not only Facebook, but also Twitter, iPhones, Google and so on. Even if we stay at home, our data usually travel to the US.
And European companies processing large amounts of data can hardly do without US companies—be it the IBM Cloud, the Amazon Web Services servers, or the Microsoft Cloud.
In some cases, US companies offer to ensure that personal data are processed only on servers located within the EU. Whether this will satisfy the European Court of Justice or the data protection authorities of the European Member States in the long term is at least questionable. This is because, since the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), the potential hunger of US authorities for personal data processed by US companies is no longer restricted to US territory.
What do the data protection authorities say about this?
The first press releases of German data protection authorities (e.g. Hamburg, Rhineland-Palatinate, Thuringia and the Federal Commissioner for Data Protection and Information Security) indicate that they are initially seeking coordination at national and European level to ensure a uniform approach. The Berlin data protection commissioner is particularly relentless and states that companies that have so far been processing data of EU citizens in the US on the basis of the EU-US Privacy Shield must immediately switch to service providers in the EU or a country with an adequate level of data protection.
On the European level, the ruling has been discussed by the European Data Protection Board (EDPB) in its 34th plenary session. The EDPB calls for a “complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU.” While the EDPB is analysing the judgment and its consequences, European companies may need to consider undertaking “additional measures to those included in the [Standard Contractual Clauses]”. In line with the EDPB, the Data Protection Commission Ireland highlights that the “assessments will need to be made on a case by case basis”. So far, most European data protection authorities have only referred to the statement of the EDPB and its central role in providing further guidance and clarification (cf. the data protection authorities of Latvia, Denmark, Sweden, Finland, Iceland, Czechia, Slovakia, the Netherlands, Romania and Cyprus). Similarly, the French and Lithuanian data protection authorities adopted a rather wait-and-see attitude by referring to the analysis expected at European level.
Apart from that, the Estonian and Bulgarian data protection authorities take a proactive stance and say that any transfer of data to US companies must immediately be examined to see whether the existing mechanisms, such as the Standard Contractual Clauses, suffice.
The Information Commissioner’s Office of the UK takes a somewhat more relaxed view of the situation and recommends that companies currently using the Privacy Shield “continue to do so until new guidance becomes available.”
If companies gain some time thanks to the partly hesitant attitude of the data protection authorities, this time should be put to good use! After all, the answer as to whether and how an adequate level of data protection can also be guaranteed in the US must ultimately be provided by the companies that process (or have processed) data of EU citizens in the US.