The CJEU ruled invalid the European Commission’s decision approving the so-called Privacy Shield, a broad agreement between the US and the EU that allowed the transfer of personal data from the EU to the US
The CJEU invalidated the Privacy Shield, raising essentially the same arguments as in the so-called Schrems I ruling, namely the lack of procedural safeguards for non-U.S. persons subjected to mass electronic surveillance under U.S. legislation. Three main US legal acts are being referred to in this context Foreign Intelligence Surveillance Act Executive (“FISA”), Executive Order 12333 (“E.O. 12333”) and Presidential Policy Directive 28 (“PPD28”). In doing so, the court euphemistically expressed its disapproval of the results of the EC’s negotiations with the US to replace the previously cancelled Safe Harbor agreement with this new Privacy Shield. In the court’s view, the powers of U.S. government agencies under U.S. legislation vis-à-vis “foreign data” are so large and so unchecked that it is impossible to conclude that the Privacy Shield actually gave EU residents protection adequate to EU data protection. The court pointed out that U.S. law protects U.S. citizens differently (much more so), with no comparable or, in fact, any guarantees of legal protection against surveillance for non-U.S. persons whose data the U.S. government may have access to. In colloquial terms, the court told the Commission that the Privacy Shield is “rubbish.”
At the same time, the court pointed out that while the standard contractual clauses remain valid in themselves (specifically, the EC decision adopting them). In contrast, it is not necessarily legal to transfer data on the basis of the SCC. The court pointed out that the legality of a data transfer based on the SCC should be examined against the background of the destination country’s legislation. If this legislation does not provide adequate procedural safeguards for data subjects (EU residents) and allows arbitrary access to such data by government agents of the destination country, then the data protection provided by the concluded SCC, cannot be considered to have a degree appropriate to the European one. And as a result, such a transfer will remain illegal or may be recognized as such by the supervisory authority and banned.
Coupled with the findings regarding the surveillance powers over foreigners that the U.S. has granted itself and the lack of procedural tools for foreigners under surveillance, this means that the SCCs themselves cease to be a good basis for the transfer of personal data from the EU to the U.S. and, at the very least, that any such case becomes “suspect” and the real adequacy of data protection in such a transfer should be reviewed.
So there are voices, including the important voice of the NOYB Foundation – the European Center for Digital Rights founded by activist Max Schrems, which led to both the previous ruling invalidating Safe Harbor and the current CJEU ruling, that all “big” data transfers to the US, based on which global cloud services are offered, should be declared illegal.
It will certainly be difficult now to defend the data transfer between Facebook Ireland and Facebook Inc, against which this landmark ruling was issued. What else Helen Dixon – the Data Protection Commissioner, or head of the Irish supervisory authority – can do for Facebook is to delay a decision on the case.
On the other hand, in my opinion, it is still possible to defend (that is, to consider that an adequate degree of protection is ensured) certain types of cloud services where there is a transfer of data to the US. I am thinking of those services where data transfer to the US does not involve so-called content (user generated content) – telemetry data and even basic user data (unified address book) are transferred, or in those where end-to-end encryption is ensured. It seems that so-called stateless services, that is, those in which no data storage takes place, can also be considered compliant. In the latter case, however, it would be necessary to verify what data is nevertheless deposited and how technical buffers are cleared. In addition, given the National Security Agency’s access to data sent to the US via transatlantic cables, of course, data in transit should be protected by appropriate encryption (TSL in the appropriate version). In each case, it will be necessary to verify the actual possibility of user surveillance in a given service and assess the adequacy of protection against this background.
These are, of course, my first thoughts, so please don’t get attached to these conclusions just yet.
Maciej Gawronski
