In a landmark decision, the ECJ declared the Privacy Shield invalid. Data transfers from the EU to the US can no longer be based on this agreement between the EU Commission and the US Government. The court held that the Privacy Shield does not ensure “a level of protection essentially equivalent” to that of the GDPR: in several surveillance programmes, the data access of US authorities is not limited by the principle of proportionality. In addition, EU citizens are not granted effective judicial review in US courts.
The court states that the criterion “a level of protection essentially equivalent” applies equally to the Standard Contract Clauses (SCC).1 In addition, the court considers that the US authorities cannot be bound by the SCC, since they are not parties to this agreement. Therefore, a data transfer to the US may not be based on the SCC as a legal alternative to the Privacy Shield.
Since the relevance of the SCC is not limited to the US, the landmark decision of the ECJ will have a huge impact on the global IT business market. With the requirement of “a level of protection essentially equivalent”, the court sets the GDPR as a standard for the IT business worldwide.
“Schrems I” and “Schrems II”
In the decision “Schrems I”, the data protection activist Max Schrems succeeded in preventing his personal data from being transferred by Facebook Ireland to Facebook US on the basis of the Safe Harbor Programme. The EU Commission had deemed the Safe Harbor Programme to provide an adequate level of data protection for EU citizens in the US. Nevertheless, the ECJ did not share this opinion and declared the Safe Harbor Programme ‘invalid’.
In the second proceeding, “Schrems II”, Max Schrems revised his original complaint to challenge the transfer of his personal data by Facebook Ireland to Facebook US on the basis of the SCC, which Facebook regarded as a fallback for the invalid Safe Harbor Programme. In this proceeding, Facebook held the view that the Privacy Shield, which was implemented as the successor of the Safe Harbor Programme, needed to be taken into consideration.
The ECJ decided to base its analysis on the current legal situation, with the GDPR in force, and not on Directive 95/46, which was the applicable law at the time Max Schrems issued his revised complaint.
Decision of ECJ
The ECJ applies the same criteria to each of the instruments for data transfers outside the EU, such as the ‘Adequacy Decision’ by the EU and the SCC. These instruments aim to ensure the “continuity of the high level” of data protection of the GDPR in the third country and shall “compensate for the lack of data protection”.
Therefore, the ECJ sets out three conditions to be met:
the level of protection is essentially equivalent to the GDPR,
EU citizens shall be granted enforceable rights and
effective legal remedies shall be available for EU citizens.
The ECJ states that the Privacy Shield fails to meet these requirements. In essence, the access of US authorities in several surveillance programmes is not limited by the principle of proportionality. In addition, EU citizens have no access to US courts to enforce their right to data protection. The ombudsperson, which was introduced by the Privacy Shield, is not regarded as equivalent to independent courts.
The decision of the EU Commission to implement and design the SCC was in itself not considered legally invalid. However, the data exporter has the responsibility to check whether the SCC meet the three conditions for data transfer. The controller has to evaluate both the contractual clauses and the relevant aspects of the legal system in the third country. The SCC do not automatically establish an adequate level of data protection. However, the SCC are open to the inclusion of clauses containing additional safeguards to compensate for what is lacking in the legal system of the third country.2
What kind of legal basis is available for data transfers to the US?
The ECJ did not directly answer the key question of whether the SCC are fit to compensate for the invalid Privacy Shield. Nevertheless, the ECJ clarified that the US authorities cannot be bound by the SCC, since they are not party to the agreement. Hence, there seems to be no feasible way to add contractual clauses to the SCC that can compensate for the excessive access of US authorities to the personal data of EU citizens. So far, the European Data Protection Board (EDPB) has likewise not published any such clauses in its FAQ.3
The best approach for the data transfer is to reach a new agreement between the EU Commission and the US Government. However, it is questionable whether the US Government will allow the extent of its surveillance programmes to be restricted with respect to EU citizens.
In addition, the ECJ established that the national Supervisory Authorities (SA) have a duty to implement and enforce the GDPR. That means the SAs will closely follow how the data transfer to the US is resolved and whether controllers review their data transfers based on the SCC.
No data transfer to non-democratic countries?
Although the US is a democratic society, it does not provide an adequate level of data protection to EU citizens.4 Surprisingly, there are no accepted legal principles stating that democratic societies grant a set of basic human rights to citizens of other democracies. In that respect, the ECJ clarified that “…the Fourth Amendment to the Constitution of the United States… does not apply to EU citizens.”5 Similarly, for example, the ‘Right to Assembly’ pursuant to the German Constitution (“Grundgesetz”) is granted solely to German citizens. Therefore, it is likely that a new agreement between the US and the EU will be required to meet the criteria of the ECJ.
However, this aspect can be regarded from a different perspective. When a country does not grant a basic set of human rights to its own citizens, how can such a country grant an adequate level of protection to EU citizens? For instance, how can Turkey, Russia and China fulfil the requirement to grant sufficient rights to EU citizens when the legal system of the country does not grant such rights to its own? To put it in a nutshell, the ECJ seems to say that the country to which the data will be transferred must be a democratic society.
The ECJ establishes the GDPR as a global standard for the IT business by setting a level that is “essentially equivalent” for data transfers outside the EU. Although the extent of this criterion has to be elaborated further, it is clear that “Schrems II” leads to a significant shift in the global IT business market.
1 ECJ C-311/18, 16 July 2020, “Schrems II”, paragraph 105
2 In addition, Art. 49 establishes some exceptions for the transfer to third countries, such as consent.
4 I will not elaborate on any consequences of the Presidency of Donald Trump on this statement.
5 ECJ C-311/18, 16 July 2020, “Schrems II”, paragraph 65