The flow of personal data is an essential aspect of the growth of international cooperation and trade. However, every transfer of personal data must be carried out in full compliance with the GDPR. The Privacy Shield—an EU-U.S. agreement on the transatlantic transfer of personal data from the European Union to the United States for commercial purposes—until recently allowed entities engaged in economic activities to transfer EU citizens’ personal data to the U.S. without having to meet additional specific conditions. However, this data transfer has been blocked.
Complications Arising from a Filed Complaint
The turning point came following a complaint filed by Austrian internet activist Maximilian Schrems, who claimed that the Irish subsidiary of the global social media platform—Facebook Ireland Ltd.—transfers its users’ personal data to the United States, where it is further processed in an inappropriate manner. The EU Commission responded by adopting a decision in which it stated that it had assessed the measures taken by the U.S., namely the establishment of an ombudsman, and concluded that the safeguards for the rights of data subjects were sufficient in this case. Schrems’ complaint was thus dismissed.
Facebook eventually explained that personal data is transferred based on standard contractual clauses, not on the Commission’s adequacy decision. M. Schrems was asked to reformulate his complaint, in which he this time argued that there were insufficient safeguards due to weak data protection when transferring personal data from the EU to the US. The result of this several-year-long dispute was the Court of Justice’s decision to invalidate the Privacy Shield. However, the decision regarding standard contractual clauses was not annulled.
Standard Contractual Clauses
Standard contractual clauses are considered to be clauses that provide adequate safeguards with regard to the protection of privacy and the fundamental rights and freedoms of individuals, as far as the exercise of the relevant rights is concerned. These clauses may be incorporated into a broader contract between a processor and a subprocessor, or supplemented with additional safeguards that do not conflict with the clauses adopted by the European Commission or a supervisory authority, nor in any way undermine the fundamental rights of data subjects.
The level of protection in a third country should be equivalent to that provided by the GDPR. If a third country does not ensure adequate protection of personal data and the supervisory authority considers that the clauses are not, or cannot be, complied with, the transfer of personal data to such a third country must be suspended or completely prohibited by the supervisory authority.
Statements from Some Companies on the Issue
Google announced via an official email that, effective August 12, 2020, it will amend its terms of service regarding analytics services and Google Ads so that transfers of personal data to third countries, which were previously secured through the EU-US agreement on transatlantic data transfers, will be secured on the basis of standard contractual clauses.
The court’s decision did not affect the ability to transfer personal data between the EU and the US using the Microsoft cloud. Microsoft stated that it has been providing customers with overlapping protection under the aforementioned standard contractual clauses for years.
Facebook itself is also addressing the implications of the European Court’s decision. Eva Nagle, Facebook’s legal counsel, stated that they are carefully considering the implications of the Court of Justice’s decision and, in this regard, look forward to any regulatory guidance. She also adds that Facebook will ensure that data published on its platform is kept secure.
Outcome & Recommendations
The transfer of personal data is thus not completely prohibited. In this case, however, the entire responsibility shifts to the controller. It is advisable to include the necessary clauses in contracts with intermediaries or, if necessary, to consider changing the processor. Beyond the clauses, additional security safeguards are also being considered, such as moving data from the U.S. back to the EU. As a further minimum measure, data subjects whose personal data is being processed should be informed of the risks associated with the transfer of their personal data to a third country. Controllers should also include encryption and pseudonymization methods in their assessment.
Sanctions
Companies that until recently relied on the Privacy Shield for personal data transfers must promptly assess whether they can ensure transfers under a different legal mechanism than before. Otherwise, they risk being fined up to €20,000,000 or up to 4% of their global turnover, whichever is higher.
Sources:
- https://blogs.microsoft.com/eupolicy/2020/07/16/assuring-customers-about-cross-border-data-flows/
- https://curia.europa.eu
- https://dataprotection.gov.sk/uoou/sk/content/stanovisko-k-privacy-shield
- https://www.reuters.com/article/us-facebook-privacy-eu-statement/facebook-studying-eu-court-ruling-on-data-transfer-idUSKCN24H1UN
- GDPR Regulation