Schrems vs. Facebook: much ado about nothing? How organizations can transfer personal data to the USA

The judgment of the European Court of Justice ("ECJ") of 6 October 2015 (Case No. C-362/14) invited more media attention than one might expect from such a ruling. Maximilian Schrems, an Austrian lawyer and data protection activist, had brought this case on the allegedly unlawful transfer of his personal data by Facebook Ireland to Facebook USA. In the ruling, the ECJ sided with him and held that the Safe Harbor program was insufficient to create an adequate level of data protection in the USA. To put it differently, this judgment pulled the rug out from under the Safe Harbor program, as a consequence of which EU organizations have to implement other adequacy mechanisms for transfers of personal data to the USA.

Consequences for international data transfers

While the Safe Harbor judgment is most commonly mentioned in the context of social networks, the ruling has important consequences for the international transfer of personal data in general, and these are easily underestimated. It applies to the support that many EU organizations receive from service providers located in the USA, for instance IT tools for HR and customer management, hosting or cloud applications. The judgment applies equally to the transfer of personal data within groups of companies, such as the transfer of employee data from EU organizations to the parent company or to other entities of the group located in the USA (e.g. in the context of transfers within matrix structures).

Organizations should take action, because data protection authorities not only expect them to ensure that procedures for data transfers to the USA are in line with the General Data Protection Regulation ("GDPR"), but also to provide information on the safeguards that have been put into place. Many data protection authorities emphasise that companies will be fined if they continue to rely on the Safe Harbor program instead of implementing any of the alternatives that are in compliance with the GDPR.

Alternatives to the Safe Harbor program

Three possible alternatives to the Safe Harbor program will be discussed here: consent of the data subject, the EU-US Privacy Shield and the EU Standard Contractual Clauses. (Because binding corporate rules are commonly used for intra-group data transfers only, this alternative is not explored.)

Consent

This discussion of the consent alternative uses the transfer of employee data as its example. Consent could be gathered from all data subjects, in this case from every employee; this would allow a company to transfer the personal data of its employees for certain purposes to a recipient in a third country that does not have an adequate level of data protection. However, this alternative was already criticized before the Safe Harbor judgment, because an employee's consent can arguably not be given voluntarily within the hierarchical relationship between employer and employee. Practical complications are likely to arise, too. Employees could refuse to give their consent or revoke it, so that their personal data may not be transferred to the USA and perhaps even needs to be deleted. It is therefore advisable to base the transfer of employee data to the USA on consent only in exceptional cases, e.g. when it is clearly to the employee's advantage, as in the case of bonus programs.

EU-US Privacy Shield – Safe Harbor 2.0?

After the ECJ declared the Safe Harbor program to be invalid, the EU and the US agreed upon a new program: the EU-US Privacy Shield. The European Commission approved it in July 2016. Like its predecessor, the EU-US Privacy Shield allows US organizations to commit themselves to complying with the data protection principles of the Privacy Shield through a process of self-certification. Academics, lawyers and politicians increasingly criticize this approach, because the problems that arose in the context of the Safe Harbor program appear to apply to its successor as well. Notably, the European Parliament and the predecessor to the European Data Protection Board have expressed their concerns about the self-certification process, ranging from practical problems in the implementation process to adequate enforcement. Moreover, the EU-US Privacy Shield does not prevent US intelligence agencies from collecting personal data in the name of national security. These issues notwithstanding, the European Commission confirmed at the end of 2018 that the EU-US Privacy Shield guarantees an adequate level of data protection. This is not the end of the matter, however, because Mr Schrems has already raised questions about the effectiveness of this new program with the ECJ. Considering that the EU-US Privacy Shield replaced the Safe Harbor program after the latter was declared invalid, there remains a real likelihood that its successor will suffer the same fate, rendering all data transfers on its basis illegal.

EU Standard Contractual Clauses

Last but not least, the EU Standard Contractual Clauses are a popular instrument for creating an adequate level of data protection. This type of contract is concluded between a company in the EU and the recipient of the personal data located in a third country without adequate data protection, such as the USA. While the EU Standard Contractual Clauses themselves cannot be modified, additional clauses can be agreed upon, as long as they do not contradict the EU Standard Contractual Clauses. In response to the ECJ ruling, service providers from the US have started offering their European customers alternatives to the Safe Harbor program in which the EU Standard Contractual Clauses play a central role. Adapting these alternatives to specific cases can be complicated, however, precisely because the EU Standard Contractual Clauses cannot be altered. Conducting a thorough (data protection) legal assessment is therefore advisable before opting for this approach.

Even though some of the reasoning in the ECJ judgment can also be applied to the EU Standard Contractual Clauses, the European data protection authorities consider them to be a suitable alternative to the Safe Harbor program (and its successor, the Privacy Shield). But Mr Schrems struck again. The ECJ heard oral arguments on 9 July 2019 in Case No. C-311/18, which will decide whether the Standard Contractual Clauses are a valid means of creating an adequate level of data protection for the transfer of personal data. This poses a huge threat to all data transfers to countries outside the EEA, as the Standard Contractual Clauses are heavily relied upon for such transfers. Invalidating the Standard Contractual Clauses could have dire consequences for data transfers to the US, especially since very few alternative appropriate safeguards exist. A decision of the ECJ is expected next year. Until then it remains unclear whether these clauses will continue to be sufficient to ensure an adequate level of protection when transferring personal data to the US. For now, this alternative to the Safe Harbor program nevertheless appears to be the most viable one.

Laureen Lee
(Lawyer, LL.M.)