Unexpected new world war. This time, trade.

The leading positions in CEOWORLD magazine’s Top 10 Most Valuable Brands ranking (2019) are held by Apple, Google, Amazon, Microsoft, and Samsung. I have no doubt that the next ranking will confirm the domination of these companies, with several more probably being added to the list, e.g. facebook.

What all these companies have in common is that they are building up their position by collecting and using huge customer information. It is as though the digital world needs fewer real products and services and feeds on information instead. Covid-19 and compulsory isolation have probably reinforced this trend.

Thus, data, including personal data, are constantly circulating around the globe and in ever increasing quantities. At the same time, threats to privacy are growing, and at different levels. In the last few days alone, CNN has reported several times on hacking attacks (compromised Twitter accounts belonging to Joe Bidden, Barack Obama, Bill Gates, Elon Musk and Apple; Russian hacking group APT29 attack on Covid-19 research centres).

Aware of these risks, global democracies have been striving for years to protect personal data, though they are doing so in different ways. From this perspective, the EU traditionally deems that the European model is exemplary on a global scale, and that specific requirements have to be met for data to be transferred to countries outside the EU (including the USA, Australia, China and India (“third countries”).

The European Commission (the EC, i.e. the executive branch of the EU) may facilitate the transfer of personal data from the EU to third countries, inter alia, by adopting adequacy decisions (determining that a country outside the EU offers an adequate, i.e. European-like level of protection). The EC has so far recognised, among others, Argentina, Canada (commercial organisations only), Israel, Japan, New Zealand and Switzerland as providing adequate protection. The USA also used adequacy decisions (Privacy Shield framework) to a certain narrow extent until 16 July. Moreover, the EC is authorised to adopt standard data protection contractual clauses (SCC) providing adequacy protection comfort. To date, copying and pasting these SCC into a commercial contract has been considered sufficient to ensure the legality of the transfer of data out of the EU.

On 16 July 2020, the highest European court – the Court of Justice of the EU (the CJEU) dealt a significant blow to the instruments identified to improve the transfer of data outside the EU.

1. EU-USA relations based on Privacy ShieldAs regards data transfers from the EU to the US, the CJEU declared the Privacy Shield framework invalid. Thus, overnight, around 5,300 undertakings transferring data from the EU to the US under the Privacy Shield lost this particular legal basis for data transfers. Among the companies that have used the Privacy Shield to date are Google and facebook.
   The reason? First and foremost, the illusory nature of the protection afforded to personal data transferred from the EU to the USA under the Privacy Shield framework in view of the broad powers of the US intelligence agencies. This means primarily powers to collect personal data under the FISA (1978), Presidential Executive Order 12333 (1981) and Presidential Policy Directive 28 (PPD-28) (2014).
   Interestingly, the CJEU judgment is generally a repetition of the 2015 judgment in which the CJEU declared the EU-US Safe Harbor framework invalid. At that time, Safe Harbor was used by about 4,000 undertakings.
2. EU-US and EU-other third countries – relations
   As regards data transfers from the EU to the USA and to other third countries under the widely used SCC, the CJEU declared that the SCC adopted by the EC are still valid, but may require “the adoption of supplementary measures, depending on the prevailing position in a particular third country” in order to ensure compliance with this level of protection. And it is the data exporter (i.e. the EU-based company) that is responsible for assessing such a prevailing position in a third country. To conduct an adequacy test in line with EU law, account needs to be taken of: the rule of law, respect for human rights and fundamental freedoms, relevant legislation (both general and sectoral), access of public authorities to personal data, the existence and effective functioning of independent supervisory authorities, international commitments. Good luck….
   The good/bad news is that the CJEU has just carried out a test of this type as regards the US and the results are, from a data protection perspective and due to the powers of the US intelligence authorities, negative. Therefore, the transfer of personal data from the EU to the USA, based on both the Privacy Shield and SCC (without additional protection measures – what kind? – being applied) is illegal.
3. Administrative fines and right to compensation
   Illegal transfers of personal data to a recipient in a third country (including the USA, China, India, Australia, Russia, Brazil and South Africa) are subject to administrative fines of up to EUR 20,000,000 or up to 4% of the undertaking’s total worldwide annual turnover (whichever is higher). On top of this, anyone who suffers material or non-material damage due to a breach of EU data protection rules is entitled to receive regular compensation.

Final conclusions 

1. The Privacy Shield no longer exists.
2. Widely used SCC need to be supported by an adequacy analysis and, if necessary, “supplementary measures”.
3. Companies operating in the EU must establish the basis on which they transfer personal data outside the EU.
4. Businesses using cloud solutions need to consider when, how and on what basis personal data may be transferred and stored outside the EU.
5. Watch out for further guidance from supervisory authorities, the European Data Protection Board and the European Commission.

The article is available at the CEOWORLD magazine website.