What was the decision of the Court of Justice of the European Union?
On July 16, the Court of Justice of the European Union (CJEU) handed down its judgment in case C-311/18, known as Schrems 2, with serious repercussions for the international transfer of personal data to the United States.
In it, the Court of Justice invalidates, with immediate effect, the so-called Privacy Shield, which was simply the legal framework that allowed international transfers to the US, but only to those US entities that were members of and complied with the principles of that scheme, under Commission Implementing Decision (EU) 2016/1250 of July 12, 2016.
The decision to invalidate the Privacy Shield (just as its predecessor, Safe Harbor, was invalidated in 2015) stems from the CJEU's finding that it is impossible to provide European citizens with a level of protection of their rights to privacy and data protection equivalent to that enjoyed in the Union.
Specifically, emphasis is placed on the possibility that US public authorities may, for reasons of public security, access and process the personal data of European citizens in bulk, which would be contrary to the principle of proportionality, and may do so without any judicial oversight, which violates the right to effective judicial protection established by Article 47 of the Charter of Fundamental Rights of the EU.
In this regard, the CJEU considers that the supervision that can be exercised by the so-called Ombudsman in the field of data protection, as provided for in the Privacy Shield Decision, is not equivalent to judicial protection, since the Ombudsman is not an independent body (it is part of the Department of State, appointed by the Secretary of State, and no guarantees are provided regarding its possible dismissal) and, furthermore, there is no legal guarantee whatsoever regarding the binding nature of its decisions.
However, although the CJEU invalidates the Privacy Shield, it upholds the standard contractual clauses (Article 46(2)(c) GDPR), which it considers provide a level of personal data protection equivalent to that provided by the GDPR within the EU.
However, the CJEU notes that the standard clauses included in the contract governing the international transfer of data are binding on the signatories to that contract, but they do not bind the public authorities of the state of destination, which are not contracting parties. The provisions of these clauses may therefore be useless, since those authorities could process the data without any restrictions other than those imposed by their own national law.
Consequently, in order to assess the level of protection of each specific data transfer, account must be taken not only of the standard clauses included in the contract between the European controller or processor and the recipient of the data transfer, but also of the circumstances indicated in Article 45(2) GDPR, including the possibility of access to the data by public authorities in the country of destination and the possibility for European citizens to take effective legal action to defend their rights.
Now what?
Now that the Privacy Shield, the legal framework that allowed international data transfers to the US, has been invalidated, it is natural for multiple doubts to arise about how to proceed in the immediate future, especially considering the severe penalties that controllers or processors of personal data could face if they carry out illegal international transfers, liabilities that may reach €20 million or 41% of annual turnover.
Furthermore, the CJEU ruling not only has an impact on transfers to the United States; its repercussions also extend to all international transfers covered by standard contractual clauses, whether they are heading to the US or to another country.
The first recommendation is to pay attention to any advice or guidance given by the Spanish Data Protection Agency (AEPD) or the European Data Protection Board (EDPB) in relation to the recent ruling. Taking into account the experience of the previous Schrems ruling (which invalidated Safe Harbor), it seems likely that these institutions will issue a statement in the coming days clarifying the consequences of this latest ruling by the Court of Justice.
In the meantime, it is advisable to accurately identify all international transfers of personal data carried out in each organization. For each of them, the country of destination and the legal basis of the transfer must be identified. According to the General Data Protection Regulation (GDPR), there are three possible legal bases for an international transfer of personal data: an adequacy decision by the Commission (such as the Privacy Shield, now invalidated), the provision of appropriate safeguards (such as standard clauses or the adoption of binding corporate rules), or inclusion in one of the exceptional cases provided for in Article 49 GDPR.
With regard to transfers covered by adequacy decisions, those whose destination is the United States and which are carried out within the framework of the Privacy Shield logically can no longer be performed, as that specific adequacy decision has been invalidated.
The remaining adequacy decisions issued by the Commission, however, remain in force and, consequently, it is perfectly possible to transfer personal data to the countries they cover without being subject to any additional requirements. The Commission publishes the list of countries for which it has issued adequacy decisions.
With regard to appropriate safeguards, in response to the claimant's claim in the Schrems 2 case, the CJEU ruling upholds the validity of the standard contractual clauses. These are pre-agreed contractual clauses adopted by the Commission whose inclusion in the contract signed between the controller or processor of personal data in the Union and the recipient of the data abroad legitimizes its international transfer.
However, the Court of Justice points out that the inclusion of standard contractual clauses is not sufficient on its own to ensure the legality of the international transfer. It must be ensured that the rights of the data subjects whose data are transferred enjoy a level of protection in the country of destination equivalent to that enjoyed in the European Union. This implies that it will also be necessary to assess the guarantees offered by the institutions of the destination country and, in particular, the possibilities of access to personal data by its public authorities and the existence of legal actions that allow European citizens to assert their rights.
It should be noted, however, that not every restriction of rights will be sufficient to deny the legality of the international transfer. It is tolerated that the law of the country of destination imposes certain limitations in order to safeguard public safety and defense, provided that such restrictions do not go beyond what is necessary in a democratic society. It follows from the text of the judgment that restrictive intervention by the public authorities of the country to which the data are transferred will be admissible provided that, first, it is proportionate, that is, the restriction on the rights of the data subjects is necessary to protect the aforementioned general interests, and, secondly, it is subject to independent judicial oversight, allowing data subjects to take effective action to defend their rights.
This obligation to assess whether the legislation of the destination country offers sufficient guarantees falls both on the exporter of the personal data (the controller or processor established in the EU) and on its recipient. The assessment must be carried out before the international transfer takes place.
If, once the transfer of personal data has been made, a legislative change occurs in the destination country that prevents the rights of data subjects from being protected to a level equivalent to that enjoyed in the Union, the recipient is obliged to notify the exporter. The exporter, in turn, will be obliged to terminate the contract or, at the very least, to suspend the transfer of personal data.
Evidently, these obligations introduce an element of uncertainty in international data transfers carried out under standard clauses, since the responsibility for verifying that institutions in the destination country provide sufficient protection for the rights of data subjects lies with controllers and recipients.
In view of the above, and taking into account that the Court of Justice has declared the Privacy Shield invalid precisely because US legislation allows public authorities, for security reasons, to access the data of European data subjects en masse, i.e., in a disproportionate manner, and because it does not recognize their right to take legal action to defend their rights, it seems clear that the level of protection of the rights of data subjects in the United States is not equivalent to that in Europe and, consequently, that no transfers of personal data to the US may be made on the basis of standard contractual clauses.
On the other hand, in principle, standard clauses continue to be a sufficient legal basis for the transfer of personal data to countries other than the United States, but with all the precautions imposed by the obligation of the controller to ensure that the country of destination offers a level of protection of the rights of data subjects similar to that in Europe.
Therefore, when considering the possibility of international transfers covered by standard contractual clauses, the data controller (or processor, where applicable) must ask whether there are laws in the destination country that allow public authorities access to the data and in what form: is this one-off access or bulk access? Similarly, it will be necessary to examine whether European data subjects will be able to defend their rights by bringing actions before truly independent judicial authorities in that country. Only if these requirements are met, and continue to be met, may personal data transfers take place.
Another instrument that has been used to legitimize international data transfers is adherence to binding corporate rules. The Schrems 2 ruling does not refer to them, but, given that these are appropriate safeguards regulated in Article 46 of the GDPR together with the standard clauses, it seems that their treatment should be analogous to that of the latter. In other words, it would not be sufficient to adhere to these rules; controllers and processors must ensure that the destination country offers a level of guarantee of the rights of data subjects equivalent to that in Europe.
The last option for legitimizing international transfers is the exceptional cases under Article 49 of the GDPR (explicit consent, necessity for the performance of a contract, etc.). However, it should be noted that, precisely because these are exceptions, they must be interpreted restrictively and the conditions for their application strictly complied with.
Conclusions
The latest ruling by the CJEU opens a time of uncertainty that calls for caution, especially considering the seriousness of the liabilities that would arise from a hypothetical illegal transfer of personal data.
Firstly, the CJEU ruling not only invalidates the Privacy Shield, but does so because it considers that the US legal framework is inadequate to provide the level of protection required for the rights of European data subjects. This legal framework will therefore also be insufficient to provide the level of protection equivalent to that in Europe required for transfers covered by standard contractual clauses or binding corporate rules. Consequently, the first consequence of the Schrems 2 ruling appears to be the inability to perform transfers of personal data to the United States.
On the other hand, the obligation to ensure that the country of destination offers a level of protection equivalent to that in Europe also applies to transfers to other countries (other than the US). This obligation therefore constitutes a new burden that will have to be borne by exporters and importers of personal data.
It is to be expected that, as happened following the previous Schrems 1 ruling, the Spanish Data Protection Agency (AEPD) and the European Data Protection Board (EDPB) will publish recommendations on how international transfers of personal data can and cannot be carried out, in light of the latest CJEU ruling.
Until then, the most prudent course of action is to avoid transfers to countries for which no adequacy decision has been made, which may entail the need to change providers of certain services.
If this is impossible or very difficult, then unless there is certainty that the institutions and laws of the destination country will protect the rights of data subjects in a manner analogous to European legislation, the most sensible course would be to consult the AEPD beforehand about the data transfer it intends to carry out, and to make its effective implementation subject to the authorization of that supervisory authority.
In summary, given the consequences of the Schrems 2 ruling, it is advisable for controllers and processors of personal data to adopt risk minimization policies such as those indicated, while waiting for the foreseeable action of the supervisory authorities to clarify the situation.
[Article written by Luis Mª Benito Cerezo]