Will the landmark decision really change much for most companies?
The decision C-311/18 of the European Court of Justice (ECJ) on international transfers of personal data from the EEA, published on 16 July 2020 and known as "Schrems II", is causing a big stir among data protection professionals. What it means in practice remains to be seen, but it is clear that it will make data transfer to certain countries more complicated. But will it really change much for companies in Switzerland?
Invalidation of the EU-US Privacy Shield
In its decision, the ECJ firstly annulled the decision of the European Commission regarding the "EU-US Privacy Shield". The "Privacy Shield" is a US self-certification program in which US companies publicly and bindingly promise to comply with data protection according to the European standards. On this basis, personal data could also be transferred to such companies in the US under the GDPR, although the US does not have adequate data protection legislation from a European perspective.
The "Privacy Shield" was particularly important for US-based companies that offer data-based services to consumers, i.e. people with whom they did not want to or could not conclude separate data protection contracts prior to them transferring personal data of third parties out of Europe. Such data protection contracts are the alternative to Privacy Shield, and are used by the majority of companies in the private sector. They are based on standard contracts, which originate from the European Commission and are normally concluded without modification with all companies in unsafe countries to which personal data from the EEA is made available. This way, data protection is at least contractually guaranteed in those countries as well. These standard clauses have been in existence for many years and are well established; the GDPR expressly provides for them. The third option is "Binding Corporate Rules". This is the more elaborate, but tailor-made variant of contractual data protection abroad. It is rarely used in Switzerland.
Switzerland also adopted Privacy Shield
What applies to the EEA is similarly true for Switzerland, even though up to now neither Privacy Shield nor the use of data protection contracts in Switzerland has formally required the consent of the Swiss authorities. Nevertheless, the Federal Data Protection and Information Commissioner (FDPIC) has stated on his "list of countries" that he considers Privacy Shield in the Swiss version negotiated with the USA on the basis of the EU model as a sufficient protective measure for exports of personal data to the USA. He also considered the European Commission’s standard contractual clauses to be sufficient up to now.
In its “Schrems 1” decision, the ECJ already repealed the predecessor program "Safe Harbor" in 2015 for similar reasons: In the opinion of the ECJ, both programs did and do not adequately protect data transferred to the US from lawful access by US authorities, given that the US does not limit itself to what is absolutely necessary and does not provide European data subjects with sufficient legal remedies against such lawful access. Because this violates EU constitutional law, the European Commission should not have approved "Privacy Shield". Its decision was therefore revoked with immediate effect. The ECJ decision mainly dealt with the rights of US authorities in the field of foreign cable intelligence (interception of data transmissions abroad) regarding non-US persons.
Criticism of the use of standard contractual clauses
The ECJ also dealt with standard contractual clauses. It did not abolish them, as some people had feared, but made it clear that it was not enough to simply adopt them without further consideration. The data controller must assess the circumstances of the specific data transfer and ask itself to what extent the standard contractual clauses actually provide adequate protection for the data transferred. Depending on the type and country of the recipient, it will have to take additional protective measures or refrain from exporting the data to the country or recipient in question if protection is not guaranteed despite the contract.
Ultimately, the basic problem here is the same as with Privacy Shield: neither instrument necessarily provides adequate protection against access by the authorities of the foreign country, so it must be clarified whether these access rights are acceptable or not from a European perspective. However, the ECJ does not say what this means in practice. This will ultimately have to be assessed by the data protection authorities, and the ECJ emphasizes that they have the right to take action against individual data exports irrespective of the use of standard contractual clauses.
Consequences under Swiss law
Under the Swiss Data Protection Act (DPA) nothing will change at first. The European Court of Justice's ruling does not apply to the DPA, and the legal bases are slightly different in Switzerland. As with the Safe Harbor ruling, companies in Switzerland can continue to use the Swiss version of the Privacy Shield as long as it is offered. This would not change legally if the FDPIC were to remove Privacy Shield as an accepted means of protection from his list of countries. Until the revised DPA comes into force, each data exporter must decide for itself whether Privacy Shield offers adequate protection. This can still be done if there are good grounds, since the reasons for the ECJ's repeal of the Privacy Shield were also known in Switzerland from the outset. Nevertheless, it was negotiated, concluded and assessed as sufficient by the FDPIC.
If the FDPIC now removes Privacy Shield from his list, which is likely and even expected, he will do so primarily in order to win the EU over for the imminent renewal of Switzerland's adequacy decision. Of course, the Swiss courts are also free to declare Privacy Shield inadequate in a specific case, but there have not been any such cases to date. It is also conceivable that the USA will now give up Privacy Shield and thus render it invalid. However, neither of these threats is imminent. This is why companies that only have to comply with the DPA are not under any immediate pressure to find an alternative for data exports from Switzerland to the US.
Privacy Shield is not the main problem
Either way, however, due to the factual effect of the ECJ decision, it is to be expected that Privacy Shield will no longer be applied in Switzerland in the future. In practice, it usually makes no sense to use a solution for exports of personal data under the DPA that is different to the one already deemed sufficient under the GDPR. Providers in the US will also want a solution for the whole of Europe. As a first immediate measure, they will adapt their contracts so that they now refer to the standard contract clauses of the European Commission, if they do not already do so. Following the ECJ ruling on Safe Harbor in 2015, most companies already adapted their contracts; therefore this part of the ECJ ruling will not really affect many companies.
More critical are the question marks that the ECJ has raised with regard to standard contractual clauses, as these are essential for the global exchange of data. Although the ECJ did not invalidate them or the European Commission's decision approving them, it did make it clear that they are not necessarily sufficient to justify a transfer of data to a country without adequate legal data protection, because the problem here is basically the same as with Privacy Shield. That is correct, because the contractual obligation of a data recipient in the United States or any other country will not protect against their domestic authorities accessing the transferred data when necessary under their own law.
In which cases are standard contract clauses still sufficient?
Whereas the prevailing view so far was that the risk of such "lawful access" is sufficiently covered by the standard contractual clauses, this conclusion can no longer be drawn in general terms for the GDPR. What exactly this means is not yet clear and will de facto depend on what the individual data protection authorities in the EEA and the European Data Protection Board (EDPB) will demand. They could require that exports to companies with, from a European perspective, a particularly high risk of unauthorised access by authorities are no longer allowed, which would mean that companies would have to carry out a risk assessment of such access; this is already common practice in the area of professional secrets. If the risk of interception by US authorities due to encryption measures is sufficiently low and the remaining access possibilities of authorities are subject to full legal recourse, standard contractual clauses may still be sufficient.
It is also possible that in future companies will have to document their data exports in more detail in their contracts and obtain expert opinions regarding foreign access possibilities. Additional clauses, such as the obligation of the recipient of data to take legal action against such access using all legal means, may become necessary. In any case, it is expected that the European Commission will now draft new versions of its standard contractual clauses. That said, it needs to be pointed out that the lawful interception possibilities of the US authorities that were at issue in the ECJ decision mainly affect consumers using social media and other publicly available communication services of US online providers, and not businesses that transfer personal data through encrypted lines, for instance between European and US affiliates. Hence, it is entirely possible that appropriate data security measures may limit the risks of lawful interception referred to by the ECJ sufficiently for many of the scenarios in which the standard contractual clauses are used.
Effects under the Swiss DPA
Under the DPA it is still possible to work with the standard contract clauses. However, since in Switzerland the responsibility for adequate data protection has always rested not with the FDPIC but with the respective data exporter, the decision does not legally change anything either: anyone who transfers data to an insecure third country on the basis of a contract must (continue to) ensure that the contract actually offers adequate protection.
It may well be that the FDPIC, for the legal policy reasons mentioned above, will now take the view that in certain cases the standard contract clauses are no longer sufficient, although to date he has always considered them sufficient. The facts have, of course, not really changed. As far as data exports from Switzerland which are not subject to the GDPR are concerned, the standard contractual clauses of the European Commission can still be used; there is no immediate need for legal action under the DPA.
Does the FDPIC abolish the recognition of standard contractual clauses?
This would only change if and when the FDPIC withdraws his recognition of the standard contractual clauses, which does not invalidate them, but triggers an extended notification obligation under art. 6 para. 3 DPA, under which the data export regulations would have to be submitted to him within 30 days for an individual opinion. It remains to be seen whether the FDPIC really wants to do this, as it would massively increase his workload - companies would no longer be able to bring the use of the EU standard contractual clauses to his attention by a simple letter without further explanation, as is the case under existing law. Under the revised DPA, the situation will change somewhat, as it is the Federal Council that decides which countries have adequate protection. By then, however, Privacy Shield should no longer be an issue anyway, and hopefully there will also be clarity as to how the general position on standard contractual clauses will develop in Europe.
Another option for the FDPIC would be to maintain the recognition of the EU standard contractual clauses, but to demand additional protective measures within the framework of the processing principles under Art. 4 DPA and the requirement of data security under Art. 7 DPA for exports, at least to certain unsafe third countries. The FDPIC did a similar thing at the time when the ECJ declared the Safe Harbor to be invalid. However, this was also a purely policy motivated "change in practice" to please the EU; even then there was no real change in the legal and factual situation with regard to the risk of lawful access abroad.
The next necessary steps
For companies in Switzerland, this means that - as was already the case after the Safe Harbor ruling - sooner or later they will have to identify and document all exports of personal data from Switzerland (or elsewhere in Europe) to unsafe third countries and determine whether they are based solely on Privacy Shield or whether another legal reason applies. If the processing of the personal data in question is subject to the GDPR, they must begin immediately. Under the DPA they have more time. Where only Privacy Shield is used, they should in any case immediately conclude the standard contractual clauses under the GDPR to avoid the risk of a fine, even if many questions remain unanswered in this regard. The first (serious) recommendations from the data protection authorities will certainly be available soon; initial reactions such as those of the Berlin Commissioner for Data Protection and Freedom of Information demanding the immediate transfer of all personal data stored in the USA back to Europe are certainly not reasonable. It will only be over the course of the next weeks and months that we will see how much the current practice of dealing with standard contractual clauses indeed needs to change. There was also a huge initial outcry after the Safe Harbor repeal, but over time it largely subsided and normality returned.
Author: David Rosenthal
Topics: Data & Privacy