On July 16, 2020 the CJEU invalidated the Privacy Shield, a set of legal instruments allowing for the transfer of personal data from the EU to the US.
The CJEU invalidated the Privacy Shield on essentially the same grounds as in the so-called Schrems I judgment, i.e. the lack of procedural guarantees for non-US citizens subject to mass electronic surveillance under US law. Three main US legal acts are referred to in this context: the Foreign Intelligence Surveillance Act (“FISA”), Executive Order 12333 (“E.O. 12333”) and Presidential Policy Directive 28 (“PPD28”). In a way the Court has, to put it euphemistically, disapproved of the results of the European Commission’s negotiations with the US on replacing the earlier invalidated “Safe Harbour” arrangements with the now invalidated Privacy Shield.
In the CJEU’s opinion the powers of US governmental agencies over the data of non-US citizens are so broad and arbitrary that the Privacy Shield cannot be considered to afford EU residents a level of protection of their data adequate to that in the EU. The Court pointed out that US law protects US citizens differently (much more), without giving corresponding guarantees (in reality, no legal guarantees at all) against electronic surveillance to foreign (non-US) persons. In plain language, the CJEU pointed out that the Privacy Shield is a fake.
At the same time the Court, while formally upholding the validity of the so-called Standard Contractual Clauses, explained that this does not necessarily mean that a data transfer (out of the EU) based on SCCs is legal. The Court explained that the legality of a transfer based on the SCCs has to be validated in the context of the legislation of the country of destination. If the law of the country of destination does not provide appropriate legal guarantees for data subjects from the EU and allows governmental agencies in that country arbitrary access to personal data of EU residents, then the level of protection afforded by the specific SCCs executed might not be considered adequate. As a result such a transfer, although based on valid SCCs, might still be illegal, or may be considered as such by a supervisory authority and then forbidden.
Combining the Court’s conclusions regarding the SCCs with its findings regarding the US self-granted rights to electronic surveillance of foreign persons, as well as the lack of procedural guarantees for foreigners (non-US citizens), we come to the conclusion that the SCCs as such no longer validate transferring data from the EU to the US. Or at least that an SCC-based transfer is now “suspicious” and the real level of data protection of such a transfer needs to be evaluated.
Opinions are now being formulated, including the important voice of NOYB – European Center for Digital Rights – a foundation established by Mr Max Schrems, the activist whose efforts resulted in invalidating first the Safe Harbour and now the Privacy Shield, that all “big” data transfers to the US, on which global cloud computing services are based, should be regarded as illegal.
For sure it will be difficult to defend the legality of the transfer between Facebook Ireland and Facebook Inc that led to the commented judgment. All that Helen Dixon (the Irish Data Protection Commissioner) can do for Facebook at the moment is delay her decision declaring illegal the sending of Facebook’s EU users’ data to Menlo Park (Facebook Inc).
Still, in my opinion, it is possible to defend the legality of certain types of cloud computing services where some data are transferred to the US on the basis of the SCCs: services where the so-called user-generated content is not sent to the US, so that only telemetry data (or even basic user data, i.e. users’ address books) are sent there. Services protected by end-to-end encryption also seem to remain compliant, as do services where data are not stored (they are deleted after the specific processing is completed), though in this case particular attention should be given to technical data storage, cleaning of buffers and dumps etc. Of course, as the National Security Agency has access to data transferred across the Atlantic via underwater cables, all data in transit should be properly encrypted to an appropriate TLS standard. In each case the real ability to spy on users of a service should be reviewed, and the adequacy of data protection in that service decided on the basis of such findings.
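The paragraph above asks for data in transit to be encrypted to an "appropriate TLS standard" and for the real exposure of a service to be reviewed. As an added illustration, not code from the original post, the Python below shows what such a transit policy looks like when written down: a hardened client-side TLS context from the standard `ssl` module, and a small audit function that grades the version and cipher a connection actually negotiated. The policy thresholds (TLS 1.2 minimum, forward-secret key exchange, AEAD ciphers) and the sample negotiations are my assumptions for the example, not figures from the post.

```python
import ssl

# Constructed policy for this illustration (assumption, not from the post):
# refuse anything below TLS 1.2, and on TLS 1.2 insist on ephemeral key
# exchange (forward secrecy) with an AEAD cipher.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
FORBIDDEN_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses legacy TLS, verifies the server certificate
    against the system trust store and checks the hostname."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + hostname check
    ctx.minimum_version = MIN_VERSION       # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= ssl.OP_NO_COMPRESSION    # avoid compression side channels
    return ctx


def meets_transit_policy(version: str, cipher: str) -> bool:
    """Grade a negotiated (version, cipher) pair such as the values returned by
    SSLSocket.version() and SSLSocket.cipher()[0]."""
    if version == "TLSv1.3":
        return True  # every TLS 1.3 suite is AEAD with forward secrecy
    if version != "TLSv1.2":
        return False
    upper = cipher.upper()
    if any(marker in upper for marker in FORBIDDEN_CIPHER_MARKERS):
        return False
    # TLS 1.2: require ephemeral (EC)DHE key exchange and an AEAD cipher
    forward_secret = upper.startswith(("ECDHE", "DHE"))
    aead = "GCM" in upper or "CHACHA20" in upper
    return forward_secret and aead


def audit_connection(sock: ssl.SSLSocket) -> bool:
    """Apply the policy to a live, already-handshaked SSLSocket."""
    version = sock.version() or ""
    cipher = (sock.cipher() or ("", "", 0))[0]
    return meets_transit_policy(version, cipher)


# Constructed sample of negotiated parameters, as they might appear in a
# connection log, so the audit can run offline.
SAMPLE_NEGOTIATIONS = [
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "AES256-SHA"),   # static RSA key exchange, CBC mode
    ("TLSv1", "RC4-SHA"),        # obsolete protocol and cipher
]


def audit_samples(samples=SAMPLE_NEGOTIATIONS) -> dict:
    """Return {"<version> <cipher>": passes_policy} for each sample."""
    return {f"{v} {c}": meets_transit_policy(v, c) for v, c in samples}


if __name__ == "__main__":
    for name, ok in audit_samples().items():
        print("OK  " if ok else "FAIL", name)
```

In practice `hardened_client_context()` is what a connector to a US-hosted endpoint would be built with, and `audit_connection()` is what a review of the "real ability to spy" on a service would log for each outbound connection; the two older samples are the kind of negotiation such a review should flag.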
These are my first reflections after reading that landmark judgment, so please do not attach to them too firmly.
Maciej Gawroński