Privacy Shield ECJ

ECJ declares Privacy Shield invalid - What the ruling means for website operators

On July 16, 2020, the European Court of Justice (ECJ) declared the Privacy Shield invalid. Among other things, this ruling affects all website operators who use services from US companies. In this article, I explain what the ruling means for you as a website operator or agency and what you need to do now.

Initial legal situation

All data processing requires a legal basis

Any processing of personal data requires a legal basis (Art. 6 para. 1 GDPR). The most important legal bases in connection with websites are:

  • The consent of the data subject (for example, to the setting of cookies);
  • the fulfillment of a contractual obligation (e.g. for online stores);
  • the legitimate interest of the controller or website operator (e.g. responding to email inquiries).

Consent is traditionally obtained on websites by means of a checkbox. The best example of this is cookie banners, by means of which the website visitor consents to the setting of certain cookies (e.g. marketing or tracking cookies). If you want to find out more about this, you can read my article "Cookie banners - but the right way! These 7 things you should keep in mind".

However, the above-mentioned legal bases only concern the actual data processing itself.

Additional legal basis required for data transfers outside Europe 

If data processing is not to take place in the EU, but in a non-European country - i.e. a so-called third country - an additional legal basis is required.

These legal bases for transfers of personal data to third countries can be found in Art. 44 et seq. GDPR.

So-called adequacy decisions of the European Commission (Art. 45 GDPR) are particularly relevant for website operators.

With such a decision, the Commission decides that a third country offers an adequate level of data protection and that personal data may be transferred to the third country.

Adequacy decisions have been adopted in the past for a large number of countries, such as Switzerland, Australia and New Zealand.

The Privacy Shield

The Privacy Shield was an adequacy decision by the European Commission for data transfers to the USA. It was adopted in July 2016, just a few months after the Safe Harbor Agreement (the predecessor of the Privacy Shield) was declared invalid by the ECJ.

As part of the Privacy Shield, US companies were able to voluntarily undertake to comply with a certain level of data protection when processing personal data from the EU. Following this certification, personal data from the EU could be transferred to them.

The Privacy Shield ruling of the ECJ

The ECJ ruling was prompted by a request for a preliminary ruling from the Irish High Court to the ECJ, which was based on proceedings brought by Austrian data protection activist Maximilian Schrems against Facebook Ireland Ltd.

In its ruling of July 16, 2020, the ECJ declared the Privacy Shield invalid. This means that all transfers of personal data from the EU to the USA that were previously based on the Privacy Shield as a legal basis are now inadmissible.

That sounds dramatic - and it is.

The consequences of the ruling for website operators

Almost every website is likely to be affected by the consequences of the ruling. As a rule, almost every website has at least one service of a US company integrated, which is not only provided via European subsidiaries (such as Facebook Ireland Ltd. and Google Ireland Ltd.), but also via the respective US parent company (e.g. Facebook Inc. and Google LLC).

Many of these services transfer personal data to the USA (possibly depending on the default settings). Examples of such services are:

  • Google services such as Google Analytics, Google Maps or Google Fonts (unless these are integrated locally);
  • Newsletter services (e.g. Mailchimp);
  • Social media plugins (Facebook, Instagram, YouTube, Twitter etc.);
  • Cloud backup services;
  • Online store solutions.

If a website operator has drawn up its privacy policy correctly, it should contain the following information for each service where data could be transferred to the USA:

"The US company XYZ also processes your personal data in the USA and has submitted to the EU/US Privacy Shield. For more information on the Privacy Shield, see: https://www.privacyshield.gov/EU-US-Framework."

Possible alternative legal bases for data transfers

Data transfers to the USA that were previously carried out on the basis of the Privacy Shield are, with immediate effect and until the Commission issues a new adequacy decision, only permitted if they can be based on another legal basis.

The following may be considered as such:

Consent of the data subject

The main legal basis for website operators is the express consent of the data subject (Art. 49 (1) (a) GDPR). However, this requires that the data subject has been informed of the risks of data transfer before giving consent.

Transmission for contract fulfillment

It is also conceivable that the transfer of personal data to the USA is necessary for the performance of a contract between the data subject (the website visitor) and the controller (the website operator).

However, it is not sufficient for the website operator to use the services of a US company to process the contract (e.g. a US online store plugin). Rather, it is necessary that the contract itself has a US connection, i.e. is ordered from a US online store, for example.

Standard data protection clauses of the European Commission

It is not very likely that the transfer of personal data to the USA can be based on the standard data protection clauses issued by the European Commission (Art. 46 para. 2 lit. c GDPR).

The standard data protection clauses are model contracts that can be concluded between a data exporter based in the EU and a data importer based in a third country. With these, the non-European data importer guarantees the data exporter that the transferred personal data will enjoy a level of protection comparable to the GDPR.

In its ruling on the Privacy Shield, the ECJ decided that the content of the standard data protection clauses is not objectionable. However, it must also be possible to effectively enforce compliance with them in the third country.

Whether this is actually possible for data transfers to the USA appears extremely doubtful. This is because the ECJ has declared the Privacy Shield invalid, among other reasons, because EU citizens have no suitable legal protection against the data surveillance programs of the US authorities. And this situation is likely to be practically identical for the standard data protection clauses.

For this reason, the ECJ also ruled in its judgment that the data protection supervisory authorities are obliged to suspend or prohibit a transfer of personal data to a third country based on standard data protection clauses if they are of the opinion that the standard data protection clauses are not or cannot be complied with in the third country. 

It is therefore to be expected that data transfers to the USA based on the standard data protection clauses will be objected to by the data protection authorities and declared inadmissible.

What you need to do now as a website operator

As all transfers of personal data to the USA based on the Privacy Shield are prohibited with immediate effect, website operators should implement the following measures:

#1 Select European server

Some US companies offer to provide their services via European servers. If this is the case, website operators should select the European server.

#2 Obtain the consent of the data subjects

If it is not possible to choose a European server, the explicit consent of the data subject should be obtained for the transfer of their personal data to the USA. This consent could be given by means of a checkbox, as is the case when cookies are set.

Since every website that sets cookies should have a cookie banner with corresponding information and checkboxes for setting the individual cookies, this could be supplemented with further (risk) information and checkboxes regarding the intended data transfers to the USA. As with every checkbox, it must of course be ensured that the website visitor has to click on the checkbox themselves (opt-in), as checkboxes that are activated by default (opt-out) are inadmissible according to the case law of the Federal Court of Justice.

Admittedly, the only "disadvantage" of this consent solution is that the corresponding service may not be active on the website if consent is not given.
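The opt-in mechanism described above, as an added example that is not part of the original article: a small consent gate that keeps a US-hosted service switched off until the visitor actively ticks its checkbox, refuses pre-ticked (opt-out) boxes, loads each service at most once, and stops further loads once consent is withdrawn. The service names and the loader callbacks are assumptions for this example; in a real page the loader would inject the corresponding script or stylesheet tag.

```javascript
// Added example, not code from the original article.
// Consent gate for third-party services that transfer data to the USA.
// Loader callbacks are hypothetical stand-ins for injecting <script>/<link> tags.

class ConsentGate {
  // services: { id: { loader: () => void, preChecked?: boolean } }
  constructor(services) {
    this.services = new Map();
    this.loaded = new Set();
    this.consent = new Map();
    for (const [id, def] of Object.entries(services)) {
      // A box ticked by default would be opt-out, which the article says is inadmissible.
      if (def.preChecked) {
        throw new Error(`service "${id}" must not be pre-checked (opt-out is inadmissible)`);
      }
      this.services.set(id, def);
      this.consent.set(id, false); // nothing is consented to until the visitor acts
    }
  }

  // Called when the visitor ticks or unticks the checkbox for a service.
  setConsent(id, granted) {
    if (!this.services.has(id)) throw new Error(`unknown service "${id}"`);
    this.consent.set(id, Boolean(granted));
    if (granted && !this.loaded.has(id)) {
      this.services.get(id).loader(); // first grant: load the service once
      this.loaded.add(id);
    }
    return this.consent.get(id);
  }

  // Whether the service may be (re)loaded right now, e.g. on the next page view.
  mayLoad(id) {
    return this.consent.get(id) === true;
  }

  // Initial checkbox descriptors for the banner: all unticked, each carrying
  // the risk notice that the article says must accompany consent.
  checkboxes(riskNotice) {
    return [...this.services.keys()].map((id) => ({
      id,
      checked: false,
      label: `${id}: transfer of your data to the USA. ${riskNotice}`,
    }));
  }
}

// Constructed demo: record which loaders ran instead of touching the DOM.
function demo() {
  const calls = [];
  const gate = new ConsentGate({
    googleFontsRemote: { loader: () => calls.push('googleFontsRemote') },
    googleAnalytics: { loader: () => calls.push('googleAnalytics') },
  });
  gate.setConsent('googleFontsRemote', true);
  gate.setConsent('googleFontsRemote', true);  // idempotent: loader runs only once
  gate.setConsent('googleFontsRemote', false); // withdrawn: no further loads
  return { calls, gate };
}
```

In a browser the loader would create the `<link>` or `<script>` element; everything else (default-off state, single load, withdrawal) is the part that has to be right for the consent to count as an opt-in.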

What this means is briefly explained here using the example of Google Fonts:

Sometimes Google Fonts are not integrated locally on the website, but are only loaded by the web browser from the Google servers when the page is called up. If this takes place on an American Google server, the web browser data, i.e. personal data of the website visitor, is transmitted to this Google server in the USA.

It is already questionable whether reloading Google Fonts can be based on a legitimate interest of the website operator at all (I personally have great doubts about this), since Google Fonts can also be integrated locally. But even if one assumes this legitimate interest, an additional legal basis would be required for the transfer of personal web browser data to the American Google servers. That additional legal basis used to be the Privacy Shield. Since it is now invalid, reloading Google Fonts from American Google servers requires the consent of the website visitor. If this consent is not given, the Google Fonts may not be loaded.

This means that Google Fonts should be integrated locally on the website from now on at the latest.
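To find out which loads on a page still go to US-operated servers, here is an added example (not code from the original article) that scans a page's HTML for resources fetched from the hosts behind the services the article names and reports what to do with each: integrate locally for Google Fonts, gate behind opt-in consent otherwise. The host list and both sample pages are constructed for this example and are not an authoritative list of US hosts; the "before" sample loads fonts from Google, the "after" sample serves them from the site's own origin.

```javascript
// Added example, not code from the original article.
// Scan HTML for resources loaded from US-operated third-party hosts.
// Host list is an assumption for this example, not an authoritative list.

const THIRD_PARTY_HOSTS = {
  'fonts.googleapis.com': 'Google Fonts (CSS)',
  'fonts.gstatic.com': 'Google Fonts (font files)',
  'maps.googleapis.com': 'Google Maps',
  'www.google-analytics.com': 'Google Analytics',
  'connect.facebook.net': 'Facebook plugin',
  'platform.twitter.com': 'Twitter plugin',
  'www.youtube.com': 'YouTube embed',
};

// Collect every URL referenced by src/href attributes and by CSS @import / url().
function extractUrls(html) {
  const urls = [];
  const attr = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const cssUrl = /(?:@import\s+(?:url\()?|url\()\s*["']?([^"')\s]+)/gi;
  let m;
  while ((m = attr.exec(html)) !== null) urls.push(m[1]);
  while ((m = cssUrl.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Return one finding per URL whose host is in the list above.
function scanHtml(html) {
  const findings = [];
  for (const raw of extractUrls(html)) {
    // Protocol-relative URLs (//host/path) are remote loads too.
    const candidate = raw.startsWith('//') ? 'https:' + raw : raw;
    let host;
    try {
      host = new URL(candidate).hostname.toLowerCase();
    } catch {
      continue; // relative path: served from our own origin, nothing to report
    }
    if (THIRD_PARTY_HOSTS[host]) {
      findings.push({ url: raw, host, service: THIRD_PARTY_HOSTS[host] });
    }
  }
  return findings;
}

// Map each finding to the measure the article recommends.
function recommend(findings) {
  return findings.map((f) =>
    f.service.startsWith('Google Fonts')
      ? `${f.host}: integrate the fonts locally instead of loading ${f.url}`
      : `${f.host}: load only after explicit opt-in consent, or choose a European server if offered`
  );
}

// Constructed sample: the "before" page loads fonts and analytics from US hosts.
const REMOTE_FONTS_HTML = `
<head>
  <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
  <script src="//www.google-analytics.com/analytics.js"></script>
  <style>@import url("https://fonts.googleapis.com/css2?family=Open+Sans");</style>
</head>
<body><img src="/img/logo.png"></body>`;

// Constructed sample: the same page with the fonts integrated locally.
const LOCAL_FONTS_HTML = `
<head>
  <style>
    @font-face { font-family: "Roboto"; src: url("/fonts/roboto.woff2") format("woff2"); }
  </style>
</head>
<body><img src="/img/logo.png"></body>`;

console.log(recommend(scanHtml(REMOTE_FONTS_HTML)).join('\n'));
console.log(`local version: ${scanHtml(LOCAL_FONTS_HTML).length} third-party loads`);
```

The scan is deliberately string-based so it can run over static templates before deployment; a resource that a script injects at runtime would only show up in the browser's network log, so the HTML scan is a first pass, not a complete inventory.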

#3 Adapt privacy policy

It is important to adapt the privacy policy to the new legal situation.

Since the privacy policy must fully and accurately reflect the processing of personal data taking place on a website, it is not sufficient to simply delete the previous references to the Privacy Shield - at least if the corresponding services continue to be used.

In fact, if the data transfer is now based on the consent of the website visitor, this should also be stated accordingly. In addition, in the case of consent, the risks associated with the transfer of data to the USA should also be explained, namely that the personal data transferred to the USA will be evaluated by US authorities as part of American data surveillance programs and that EU citizens have no suitable legal protection options in this respect.

Outlook

After the ECJ declared the Safe Harbor Agreement invalid, it only took a few months for the European Commission to negotiate the Privacy Shield with the USA.

Due to the importance of transatlantic data exchange, which should not be underestimated, it will certainly not be long before a new regulation is found and the European Commission adopts a new adequacy decision for the transfer of personal data to the USA.

And if this takes up the concerns of the ECJ and creates more data protection for EU citizens in the USA, this will also be a good thing for website operators.
