Invalidation of “Privacy Shield Pact” on Data Transfers Between European Union and the United States
On July 16th, 2020 Court of Justice of the European Union (“the Court of Justice”) made a decision known as “Schrems II” which strikes down the Privacy Shield Decision Numbered 2016/1250 allowing data transfers from European Union (“EU”) to the United States.
The General Data Protection Regulation (“GDPR”) provides that the transfer of such data to a third party may,in principle, take place only if the third country in question ensures an adequate level of protection. According to the GDPR, the Commission may find that a third country ensures, by reason of its domestic law or its international commitments, an adequate level of protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards, which may arise, in particular, from standard data protection clauses adopted by the Commission, and if data subjects have enforceable rights and effective legal remedies.
II. What is Privacy Shield? Why is it invalidated?
1. Schrems I Decision – Invalidation of Safe Harbour Pact
In 2013, Maximillian Schrems,an Austrian national residing in Austria, filed a complaint with the Irish data Protection Commisioner stating that his personal data is transferred by Facebook Ireland to servers belonging to Facebook Inc. that are located in the United States where it undergoes processing and the US National Security Agency (“NSA”) has access to these data, mentioned transfers must be prohibited. However, that complaint was rejected on the ground in the Safe Harbour Decision, which finds that the United States ensured an adequate level of protection.
Later during the process since Mr. Scherms filed and application in the Irish High Court, the case was taken to the Court of Justice. In 2015 the Court of Justice annuled the Safe Harbour Agreement (“Schrems I Decision”).
2. Privacy Shield Pact
Right after Schrems I, European Commission constituted the Privacy Shield mechanism which enables data transfers between the EU and the United States in 2016, nad all the EU member states were engaged to it. Privacy Shield was meant to provide;
new safeguards to people including more control over how their information is used;
the right to go to courts in the United States if they thought that a company or the United States government had misused their data;
a guarantee that the United States government could not collect data without sufficient cause.
3. Schrems II Decision: Annulment of Privacy Shield Pact
Now, nearly two years after, the Court of Justice declares that the Privacy Shield pact is invalid because of the reasons below:
the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by the United States public authorities of such data transferred from the European Union to that third country are not circumscribed in a way that staisfies requirements that are essentially equivalent to those required under the EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.
although those provisions lay down requirements with which the United States authorities must comply when implementing the surveillance programmes in question, the provisions do not grant data subjects actionable rights before the courts against the United States authorities.
Additionally the Court of Justice considers;
that the EU law, and in particular the GDPR, applies to the transferof personal data for commercial purposes by an economic operator established in a member state to another economic opertor established in a third country, even if, at the time of that transfer of thereafter , that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security.
this type of data processing by the authorities of a third country cannot preclude such a transfer from the scope of the GDPR regarding the level of protection required.
Briefly, such data transfers must meet GDPR’s high data protection standards.
III. Impacts of the Annulment
The ruling affects thousands of multinational companies that need to transfer any kind of personal data such as financial records, human resources materials,marketing databases, customer records etc., to keep business going. The question is how these European resident companies can transfer data to the United States without the Privacy Shield Pact?
The Court of Justice holds that the data exporter established in the EU and the recipient of the transfer established in the United States can keep transferring data by agreeing the “standard contractual clauses” which affords a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. We may state that these “standard contractual clauses” are almost identical with the provisions of the “Undertakings” used for international data transfers from Turkey to abraod. The level of protection will be assessed by taking into account both the security measures taken in the data recipient country, as well as the domestic law regulations of the third party country's (in this case, the United States) access to the transferred data.
Another method is applying Binding Corporate Rules which are used for the transfer of personal data abroad for multinational group companies operating in countries where adequate protection is not available and that ensures adequate protection in writing. Group companies resident in both the EU and the United States can transfer data between each other by Binding Corporate Rules method.
As Turkish data protecton practice is closely watching how GDPR is applied, we expect that the international data transfers at least for a while, will take place by using Undertakings ( the Standard Contractual Clauses) or the Binding Corporate Rules method requesting the Turkish Data Protection Board’s (the Board) consent since the safe country list has not been announced.
Kindly submitted for your information. Please see the public statement of the Court of Justice here .
For any questions , please contact us at firstname.lastname@example.org and +90 216 687 03 22.