The flow of personal data is a necessary aspect of the expansion of international cooperation and international trade. However, any transfer of personal data must be carried out in full compliance with the GDPR. Privacy Shield – an agreement between the EU and the US on the transatlantic transfer of personal data from the European Union to the United States for commercial purposes – until recently allowed persons engaged in economic activities to transfer personal data of EU citizens to the US without having to meet any further conditions. However, this data transfer has now been blocked.

Complication of the situation based on a complaint
The turning point came following a complaint by Austrian internet activist Maximilian Schrems, who claimed that Facebook Ireland Ltd, the Irish subsidiary of the global social media platform, was transferring its users' personal data to the United States, where it was being processed in an inappropriate manner. The EU Commission responded by adopting a decision in which it stated that it had assessed the measures taken by the US, namely the establishment of an ombudsman, and concluded that the safeguards for the rights of data subjects were sufficient in this case. Mr Schrems' complaint was therefore dismissed.
Facebook finally explained that personal data was transferred on the basis of standard contractual clauses, not on the basis of a Commission decision on adequate protection. Mr Schrems was invited to reformulate his complaint; this time he argued that the safeguards protecting personal data transferred from the EU to the US were insufficient. The result of several years of litigation was the Court of Justice's decision to annul the Privacy Shield. However, the decision on standard contractual clauses was not annulled.
Standard contractual clauses
Standard contractual clauses are clauses considered to provide adequate safeguards for the protection of privacy and the fundamental rights and freedoms of individuals, and for the exercise of those rights. These clauses may be included in a broader contract between the processor and another processor, or additional safeguards may be added to them, provided that they do not conflict with the clauses adopted by the EU Commission, the supervisory authority, or in any way affect the fundamental rights of the data subjects.
The level of protection in the third country should be equivalent to that provided by the GDPR. If the third country does not ensure adequate protection of personal data and the supervisory authority considers that the clauses are not or cannot be complied with, the transfer of personal data to that third country shall be suspended or prohibited by the supervisory authority.
Statements from some companies on the issue
Google has announced in an official email that, as of 12, they will amend their terms of use for analytics services and Google Ads so that transfers of personal data to third countries that were previously secured through the EU-US agreement on transatlantic data transfers will be secured on the basis of standard contractual clauses.
The court's decision has not changed the ability to transfer personal data between the EU and the US using Microsoft's cloud. The company said it has been providing overlapping protection to customers for years under the aforementioned standard contractual clauses.
Facebook itself is also addressing the implications of the European Court's decision. Eva Nagle, Facebook's legal representative, said that they are carefully considering the implications of the Court's decision and look forward to any regulatory guidance in this regard. She added that Facebook will ensure that data posted on its platform remains secure.
Outcome & recommendations
The transfer of personal data is therefore not completely prohibited. In this case, however, all responsibility is transferred to the controller. It is advisable to add the necessary clauses to contracts with intermediaries or consider changing the processor. In addition to clauses, security guarantees, such as the transfer of data from the US back to the EU, are also considered. As a further minimum solution, data subjects should be informed about the risks of transferring their personal data to a third country. Controllers should also include encryption and pseudonymization methods in their assessment.
Sanctions
Companies that have until recently relied on the Privacy Shield for the transfer of personal data must promptly assess whether they are able to ensure transfers based on a different legal mechanism than before. Otherwise, they risk being fined up to €20,000,000 or up to 4% of their global turnover, whichever is higher.
Sources:
- https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/
- https://curia.europa.eu
- https://dataprotection.gov.sk/uoou/sk/content/stanovisko-k-privacy-shield
- https://www.reuters.com/article/us-facebook-privacy-eu-statement/facebook-studying-eu-court-ruling-on-data-transfer-idUSKCN24H1UN
- GDPR Regulation