Interview with Dr Friedrich Popp, Debevoise & Plimpton, on the Schrems II ruling by the European Court of Justice (ECJ)

“Companies that transfer European personal data to the United States on the basis of the Privacy Shield must now develop alternatives.”

Following its ’Safe Harbor’ ruling in October 2015, the European Court of Justice has now ruled for the second time that the data of European citizens is not sufficiently protected in the USA – and has overturned the ’Privacy Shield’ between the USA and the European Union. This poses political and diplomatic challenges for the EU Commission and the US government, and creates very specific challenges for the daily work of data protection officers in companies.

What challenges does the Luxembourg verdict pose for global companies?
First of all, the ECJ deserves thanks for being so clear about the contours of the European fundamental right to data protection. This eliminates some misconceptions in the USA, confirms the disturbance at numerous European supervisory authorities and removes the basis for inconsistent enforcement practices in Europe, together with their associated competitive distortions.

Companies that transfer European personal data to the United States on the basis of the Privacy Shield must now develop alternatives. The ruling also reminds parties that use standard contractual clauses for data exports to the USA or other third countries of their obligation to ensure an equivalent level of data protection in the recipient country. If this cannot be ensured, the primary responsibility for suspending the data transmission or terminating the contract rests with the contracting parties. The supervisory authorities are only obliged to suspend or prohibit these transfers as a secondary instance.

The data protection officer must now advise the company exporting the data to help it master these challenges. It may be reassuring to know that the European Court of Justice has requested consistent Europe-wide enforcement from the independent supervisory authorities. And unlike the situation after the Safe Harbor decision, the GDPR – which took effect later – regulates cooperation between the European supervisory authorities on the data protection committee in a far more differentiated way than under the former data protection directive. The committee’s practical work illustrates the efforts that are being made to apply the regulation consistently across Europe.

Initial statements on Schrems II by the Data Protection Committee emphasise this desire for consistent enforcement. And the German supervisory authorities represented at the data protection conference have already expressed their unanimous support for this common course.

One thing is already clear: given the economic ties between Europe and the United States, personal data will continue to flow across the Atlantic. But for a permanent solution, instead of going for maximum compromise both sides will need to share an attitude that respects the human freedom underlying the fundamental rights to data protection, private and family life, and that grants effective legal protection.

Which companies and industries does the ruling affect most?
The ECJ decision does not differentiate between companies or industries; it affects all data transfers for business purposes in third countries of the EU. That said, every data transfer has its own risk profile. This is due to the nature of the data, the industry affiliation of the sender and recipient, and how interested government authorities in the recipient country may be in accessing the data. For example, a foreign secret service might find information about recipients of payments made with a specific credit card a lot more interesting than vacation photos stored in the same cloud. So foreign official activities would certainly focus more on social media like Facebook, and on ’software as a service’-type cloud services. But after this ruling, other industries have to take a closer look at their data protection risk too.

Will agreeing standard contractual clauses suffice in future? And on what basis has Facebook transferred data to the USA up till now?
Strictly speaking, merely agreeing standard contractual clauses was not sufficient in the past either. In fact, both the clauses and the GDPR oblige users to analyze the transmission continuously to see whether they can guarantee the data subject a level of protection that is fundamentally equivalent to European data protection. If this is not, or is no longer, the case, after Schrems II they now have to check whether additional contractual guarantees can create the required standard. While the ECJ has left the matter of which measures could be involved open, the Data Protection Committee has taken up this idea, which was already set out in the GDPR, and promised guidance. If a data importer violates the clauses, or if legislation in his recipient country makes it impossible to guarantee an equivalent level of data protection, the data exporter must suspend the data transfer and possibly withdraw from the contract too.

Facebook only adopted the position of transferring a large part of its data to the USA on the basis of standard contractual clauses after the Safe Harbor process was completed. This is precisely why the clauses’ validity was the subject of the present ECJ proceedings. The Privacy Shield was only included because of the ECJ’s broad understanding of the subject matter of the proceedings.

In future, do you think supervisory authorities will prohibit more data transfers despite their using EU standard contractual clauses?
Even before Schrems II, data transfers to third countries were a hot topic in supervisory practice. After this ruling, the authorities will definitely be taking a closer look at transfers based on EU standard contractual clauses – and they will use their powers if necessary.

In this context, the question also arises of how supervisory authorities will react to the new standard data protection clauses that the European Commission will soon be agreeing. Factoring in the data protection committee’s views at an early stage, when the clauses are drafted, can make a big contribution to the legal certainty that is so important for companies.

Are the supervisory authorities likely to grant companies a transition period?
The ECJ has emphasised that the declaration of invalidity for Privacy Shield takes immediate effect, and has merely reminded those who use standard contractual clauses of their existing obligations under the clauses and the regulation. But that doesn’t necessarily mean legal enforcement will follow immediately.

Indeed, European data protection authorities acted very cautiously after the Safe Harbor decision and the introduction of the GDPR in 2018. Before they began enforcing, they advised companies first. And now the data protection committee has indicated a similar approach. I see no reason why the European authorities should deviate from this successful model.

Which countries or third countries are still secure, and what criteria apply?
The decision does not affect data transfers to member states of the EU and the EEA anyway, so they remain secure. The same goes for recipient countries covered by the European Commission’s adequacy decision, for example Japan, Switzerland or Israel.

Under the regulation as interpreted by the ECJ, other third countries are secure only if the transmitting parties afford the data subjects ‘suitable guarantees’ in the manner of standard contractual clauses or binding internal data protection regulations; comply with those guarantees; and are capable of complying with them. Data subjects must also have access to enforceable rights and effective legal remedies.

So one critical point is the legal situation in the recipient country. This is something transmitting parties cannot influence contractually, particularly in terms of access by authorities. While the primary responsibility for making this difficult assessment rests with the contracting parties, support from the supervisory authorities seems likely here too. Due to the Europe-wide effects, the ECJ has specifically suggested transferring the task of answering these questions to the Data Protection Committee’s ‘statement’ instrument as laid down in the GDPR.

The criteria developed in Schrems II are also important for the Commission’s upcoming reassessment and Adequacy Resolution on the security of third countries. It’s not clear whether all the decisions – some of which were made more than a decade ago and have never been reviewed – will come up to the new standards of the GDPR. The same yardstick will also have to be applied to efforts by South Korea and the United Kingdom to secure an Adequacy Resolution.

What do companies that use CRM or newsletter systems from US providers need to consider?
These systems collect personal data for transmission to and further processing in the USA, so they belong to the core area of ​​Schrems II.

Particularly in view of this ruling, the GDPR Accountability Principle requires European data exporters to take verifiable precautions to comply with European data protection law. That includes contacting the US data importer to verify their position on Schrems II and any subsequent improvements to the transmission mechanism. This is the basis for assessing the data protection risk and possibly developing alternatives. The supervisory authorities’ interpretation must also be kept in mind and well documented. It may be reassuring to know that European companies are not facing this task alone at the moment, and that the supervisory authorities are interested in establishing a consistent line across Europe.

Of course, the decision can also provide more impetus to control the compliance risk of third-country transfers, using the levers of data minimization and storage limitation.

The tasks of data protection officers were already diverse before the GDPR was introduced. Decisions like this one lend a totally new dynamic to the issue of data transfers to third countries. They also underline the need for ongoing training and the exchange of ideas between authorities and companies.

As a final thought, isn’t it remarkable how far the ECJ’s Safe Harbor decision has moved European data protection issues forward, and what basis we now have for discussing Schrems II? There are exciting times ahead. It will be really interesting to see where this judgment leads us in the next five years.