First things first: There is much talk and interpretation concerning the European Court of Justice’s ruling on case number C-311/18, but terribly little knowledge. To remedy this, here is the link to the original wording of the judgement: Judgement C-311/18 of 16 July 2020.
Now for the explanation, which is not complicated. Beyond a purely private context, anyone who transfers personal data processes it. The EU General Data Protection Regulation (GDPR) then assumes that any processing of data (and therefore any transmission) is in principle unlawful unless the data subject consents to the processing or there is a legal provision in place that allows the data to be processed, even without consent. For those who enjoy reading legal standards: This legal rule follows from Article 5(1)(a) GDPR in conjunction with Recital 40 GDPR. If the controller does not wish to carry out this kind of processing operation itself and instead procures assistance (e.g. by outsourcing), the controller may do this without consent or any other legal basis, provided that it chooses the service provider carefully and contractually binds it – positively draconian. For rule fetishists, reference should be made in this respect to Article 28 GDPR.
However, anyone who wishes to transfer personal data to a country outside the European Union (or otherwise process it there) needs more than ‘just’ consent or a legal provision that does not require consent. This is because the GDPR assumes that the same level of data protection does not generally exist outside the European Union. Because of this, an additional basis for authorisation is needed to process personal data outside the European Union. Possibilities include
- that the European Commission concludes that an adequate level of data protection is in place in a particular country outside the EU (known as an adequacy decision);
- that the entity processing the data outside the European Union contractually agrees to respect the principles of data protection principles stipulated by the European Union, using either a model contract document provided by the Commission (called standard contractual clauses, available in different variants) or a self-written contractual document approved by a supervisory authority (known as binding corporate rules);
- that the data subject consents to processing outside the European Union in full knowledge of the risks involved.
Other possibilities are conceivable. But the limits of a blog post format require that I don’t go into too much detail.
To summarise, the following is true: Anyone who wishes to process the personal data of an EU citizen outside of a purely private context needs grounds permitting them to do so (either the consent of the data subject or a legal provision allowing them to process personal data without consent). If processing is to take place outside the European Union, at least in part, there must be a legal basis for the data crossing of the border in addition to the grounds permitting this to happen (e.g. an adequacy decision, a contractual commitment to apply EU data protection principles or the explicit consent of the data subject). For those who like to read laws, please refer to Articles 44 to 49 GDPR.
The special case of the US
Having said this, let’s turn our attention to transferring data to the US. First, a banal factoid: Sending data to the US is part of everyday life in Europe. Many companies take advantage of the marketing opportunities provided by Facebook and Google, and quite a few have long since stored their data in the cloud, for example using companies like Microsoft, Amazon Web Services or, once again, Google. Numerous websites and marketing campaigns, including from well-known companies, are largely based on the excessive use of such providers. The truth is that very few companies do this with the intention of abusing data or allowing it be abused. Quite often it is simply habit.
How can we judge this in terms of data protection? Well, I’ll go ahead and start by stating the obvious: The US is not part of the European Union. Consequently, data processing by US service providers is lawful if
- the data subject consents or a legal provision independent of consent permits it;
- and there is an additional legal basis for processing data outside the European Union.
The question of grounds for permission under data protection law (consent, legal provision) depends on the specific individual case, but it is not uncommon for companies to rely on consent.
More interesting is the question of which additional legal basis applies to processing in the US. And here’s where things get a bit special: The European Commission has not been able to bring itself to certify that the US offers an adequate level of data protection. And rightly so. However, the European Commission recognised early on that US-based data processing is also an indispensable part of everyday business life in Europe. So it ended up choosing a special path – by reaching an agreement with the US government. Under this agreement, the US is not considered a safe third country, but certain US companies can become ‘safe companies’. To do so, they must self-certify and agree to be entered onto a list. Yes, we are talking about the Privacy Shield framework. Every company that was part of the Privacy Shield framework was considered a secure third-party company. There was therefore additional justification for them to process personal data. And that’s all there is to it.
What has now been decided
The European Court of Justice has now ruled that this Privacy Shield framework is not compatible with European law and is therefore invalid. To quote the ruling:
Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.
This means that EU companies that have data processed by US companies may no longer rely on the Privacy Shield to provide additional justification for processing outside the borders of the EU. The Court offers less detailed justification for its decision for this than I would have expected. I noted two arguments in particular:
First, the European Court of Justice assumes that US laws allowing state access to data do not comply with the principle of proportionality. Second, the European Court of Justice has criticised the fact that EU citizens do not have sufficient legal protection against possible infringements (such as rights to file legal action). One could be excused for thinking that the justification does not change the outcome. But that would be an all too rapid fallacy. Anyone who wants to tinker here and now with a solution for the future should have a careful read of the European Court of Justice’s reasoning.
What happens now?
Seldom has such a dull question been more justified. I strongly recommend that you quickly analyse your own need for possible action (here’s what that might look like). This is the only way to identify solutions. And that is precisely why this post was so important. Only those who understand the history behind the judgement and the judgement itself will be able to draw the right conclusions. I will be dedicating another blog post to some ideas for solutions.
All I can say is: The judgement is understandable from a legal policy point of view, but wrong from a legal point of view. This is because a European Court of Justice, which rightly upholds the principle of proportionality, has not itself observed it.