FAQs on the CJEU case

Jul 12, 2020

The CJEU received eleven questions submitted by the Irish High Court. The CJEU was free to reformulate the questions and address only some of them. This FAQ gives a simple overview of the judgment and the questions answered. It addresses the most relevant questions that people and companies may have about the CJEU’s judgment.

(I) Scope of the case

Which EU-US data transfers are not affected by this case?

In simple terms: “Necessary” transfers of personal data are not affected.

This case mainly concerns the voluntary “outsourcing” of processing of personal data to the United States.

The case does not concern: (1) data that is not “personal data”; and (2) “necessary” data transfers to the United States (e.g. emails to the US, bookings in the US etc.) - in most cases these transfers benefit from a “waiver” provided in Article 49 of the GDPR.

Therefore, this case does not mean that one cannot send emails or messages from the EU to the US. Any claim that suggests this is simply incorrect.

Despite this, many companies in the EU will still have to review their outsourcing practices if they have personal data processed by US providers. Recipients of this data in the US will also need to conduct a similar review if they are subject to obligations under relevant US surveillance laws such as FISA 702.

What is the difference between the “outsourcing” of processing and absolutely “necessary” data transfers to the US, including sending emails, hotel bookings or business transactions?

Necessarydata transfers: In most cases where data must be transferred to the US (e.g. booking a hotel, sending an email to someone in the US, standard business transactions between the EU and the US, etc), the waivers (“derogations”) in Article 49 of the GDPR will apply. These kinds of data transfers are allowed, independent of the validity of other legal instruments used for data transfers, such as Standard Contractual Clauses (SCCs), Privacy Shield or Binding Corporate Rules (BCRs).

Outsourcing: Outsourcing means that personal data is only stored in the US because it is easier, cheaper or more practical to store it with a US service provider than in Europe, even though the data could technically be stored within the EU/EEA. Here, there is usually no general waiver (“derogation”) under Article 49 of the GDPR for the transfer of data to the US. A legal instrument like the SCCs, Privacy Shield or BCRs must be used instead, but these instruments may be declared an invalid or not useable in certain situations by the CJEU. Today, Privacy Shield was declared invalid. Moreover, the SCCs cannot be used by Facebook and other US companies that fall under US surveillance.

Does this case concern data transfers to countries other than the US?

The case does not directly concern any such transfers.

However, the case has indirect consequences. Companies will need to review the actual level of protection afforded in non-EU countries much more closely than they have before. Regarding the SCCs, for example, conflict with surveillance laws is of equal relevance in respect to laws in countries like China or Russia.

(II) Consequences for Consumers

Can EU/EEA consumers still use US (or other third country) services directly?

In the most practical terms, users are free to knowingly send their own personal data directly to a third country, for example when using a Chinese website.

However, it is not possible to directly share data of other people (e.g. friends, colleagues) with a US provider unless you have obtained their freely given, specific, informed and unambiguous consent to do so.

Can EU/EEA consumers still use US (or other third country) services indirectly (via a EU subsidiary)?

In many cases, EU/EEA users have a contract with an EU subsidiary of a US company. Examples are Google Ireland, Facebook Ireland, Microsoft Luxembourg or Amazon Luxembourg.

In these cases, the EU companies are responsible for ensuring that “company-internal” flows of personal data to the US are GDPR-compliant. Companies will now have to take a close look at all such data flows and whether they need to host data in Europe or in any other country that provides better privacy protections, instead of being transferred to the US to a company that follows under US surveillance.

(III) Consequences for Companies

Can EU/EEA companies still perform “necessary” transfers of personal data to the US?

In most cases: Yes.

Article 49 of the GDPR has a list of “derogations” permitting such data transfers. This usually covers placing orders from businesses in the US, making bookings with US hotels, the sending of emails to the US, and in general any provision of service that logically needs an EU-US data transfer. Such transfers are not part of the case and are not affected by the judgment.

Can EU/EEA companies continue to “outsource” processing of personal data to the US?

In most cases: Probably not.

Most commonly used US data processors also fall under US surveillance laws such as FISA 702, which require them to disclose personal data to the US government without adequate protections. Transferring data to processors under such obligations violates the GDPR, as determined by the CJEU.

Can EU/EEA companies continue to outsource processing of personal data in countries other than the US?

Yes, if there are no conflicting laws in that country.

The case does not change the GDPR rules for data transfers. As before, each EU company must check if there are laws in a third country that may override EU privacy laws. In such cases, personal data cannot be outsourced to that third country.

For example, if the processing of personal data is outsourced to Country A, the EU controller has to ensure that the recipient has the necessary arrangements in place, but also that there is no conflicting law that applies in Country A and overrides these arrangements.

Are all data transfers from the EU/EEA to the US now prohibited?

No, not at all – for two reasons:

  1. Most data transfers do not contain “personal data” but some other form of data. Such data transfers are not even regulated by the GDPR.
  2. Most “necessary” data transfers of personal data (e.g. when sending an email, a message or a hotel booking) still fall under a waiver in Article 49. These transfers can continue after the judgment and are not affected by it.

Does the case concern all US recipients of EU data?

No. it is only relevant for companies that are subject to US surveillance laws, or for companies that use providers that fall under these US surveillance laws.

For example, FISA 702 only applies to “electronic communication service providers”. Industries like banks, airlines, hotels, shipping companies, sales of goods and the like are usually not understood to be covered by these laws. There is, however, some ambiguity about these terms and US law. A clarification by the US government appears necessary.

In practice, however, a bank (that is not covered by FISA) may itself use an “electronic communication service provider” (that is covered by FISA). This means the bank’s data can be accessed via the “electronic communication service provider”. Or, it may transfer data that is improperly encrypted, which, for example, would allow the data to be “tapped” while being sent across underwater cables (as permitted under EO 12.333). As such, the entire data flow has to be assessed.

How can a ruling from the CJEU be enforced in practice?

After the judgment, companies have to individually review if they need to change their practices. They are under a duty to stop data transfers that are illegal. This is nothing new. After the "Safe Harbor" judgment, many EU companies switched away from US providers.

Companies that are now transferring data to US recipients illegally will be required to stop all such transfers as quickly as possible in order to avoid facing fines of up to 20 million Euros or 4% of their global turnover under the GDPR. The national Data Protection Authorities (DPAs) have a responsibility to enforce these penalties.

Users of EU companies can request that these companies stop transferring their personal data to the US. If companies do not follow these requests, users can file complaints with a DPA or file a lawsuit with their local court. This may lead to preliminary injunctions and/or emotional damages. In many EU countries, consumer groups, workers’ councils and other bodies can also file collective or class actions if a company continues to transfer personal data without a legal basis.

What can EU/EEA companies do?

Companies need to assess if their processing of personal data needs to be outsourced to US processors. If it does, they need to identify the legal basis for the data transfer (e.g. derogations in Article 49 GDPR, SCCs, Privacy Shield or BCRs).

Most US cloud service providers qualify as “electronic communication service providers” and therefore fall under the relevant US surveillance laws such as FISA 702.

While most other industry sectors do not fall under these laws, they may use “electronic communication service providers” that do, which in effect gives indirect access to the data. Other surveillance instruments such as EO 12.333 also have to be taken into account. EO 12.333 permits “surveillance in transit”, such as the accessing of data that is not properly encrypted while it is passing over transatlantic cables.

If they cannot use any of the legal instruments permitting a transfer as provided under Articles 44-50 of the GDPR, companies will need to transfer all relevant personal data back to the EU/EEA and find a processor within the EU/EEA or in any other country where an adequate protection of personal data is assured.

What can US companies do?

US companies need to review if they or their sub-contractor(s) are subject to relevant US surveillance laws, and if their data transfers are encrypted to a level that ensures that “tapping” during transfer is not possible. Following such a review, they will need to communicate to their EU/EEA customers if their processing of personal data is affected by the judgment.

In the long run, it may be advisable to shift certain processing out of the US or talk to elected representatives about the fallout that US surveillance laws are having on US companies’ ability to conduct business with foreign customers. We also hope that US businesses will talk to the US legislator about the lack of protection afforded to their international customers.

 (IV) POLITIAL CONSEQUENCES

How can the conflict between US surveillance laws and EU privacy laws be solved in the long run?

If the US wants to keep its position as the main provider of IT services in the world, US surveillance laws will need to be reformed urgently. The US will need to introduce baseline privacy protections that are at least equivalent to those already granted to US citizens. Otherwise, it is very unlikely that foreign customers will continue to use US service providers.

As soon as US surveillance laws are reformed in this way, EU companies will be able to resume data EU-US transfers again and the European Commission will be able to issue new stable instruments to allow for this.

How could EU-US data transfers continue in the future?

At the core, we are facing a conflict between EU privacy and US surveillance laws: EU laws require the protection of personal data, while US laws require surveillance.

The right to privacy and data protection are fundamental rights in Europe, as enshrined in Article 7 and 8 of the EU’s Charter of Fundamental Rights. All 27 Member States would have to agree, unanimously, on any change to these fundamental rights. The European Commission has tried to pass exceptions like "Safe Harbor" and "Privacy Shield", but without the necessary reform of US surveillance laws, these continuously fail to satisfy EU fundamental rights. The result is decisions like this one, rendering the exceptions invalid.

The US introduced far-reaching surveillance laws for non-US persons in 2008. If the US were to roll back these surveillance laws, or guarantee the same protections for non-US persons as those that apply to US persons, then it would be very likely that the US would be seen as a country that ensures “adequate protection” to personal data under EU law if there is adequate redress.

Can the EU simply pass another Decision if the Privacy Shield gets invalidated?

In theory, the European Commission could (knowingly) issue another invalid decision if the CJEU invalidates "Privacy Shield". Given that the problem lies in US law, this would most likely lead to a legal challenge that would result in the new decision also being invalidated by the CJEU. It is very unlikely that this would be politically acceptable. Businesses are also in need of a legally stable resolution.

This judgment and the previous one in relation to "Safe Harbor" are both based on the Charter of Fundamental Rights. A unanimous agreement between all 27 EU Member States would be required to change the EU treaties to allow the European Commission to issue a legally sound data transfer decision for EU-US transfers.

The solution, therefore, lies in the hands of the US legislator, which needs to adapt or roll back current US surveillance laws.

Isn't this just protectionism by the EU?

No. This case is actually brought against the European Commission.  EU law allows for many options for international data transfers - as long as baseline privacy protections are observed.

In reality, the political arm of the EU (the European Commission and the Member States) support EU-US data transfers, but the CJEU has raised doubts before about the legality of these deals with the US given the potential violation of EU fundamental rights. Equally, the European Parliament has also raised doubts about these deals.

Comparing "Privacy Shield" as it applies to US companies with the EU's internal GDPR, it is clear that US companies can access the EU's large market by following much weaker rules than EU companies must follow. This gives US companies a competitive advantage.