NOW WHAT WITH DATA TRANSFERS TO THE UNITED STATES? – CONSEQUENCES OF THE FRESH EU JUDGEMENT
29 July 2020
The recent judgement of the European Court of Justice (CJEU) invalidating the EU-US Privacy Shield raised several questions concerning international personal data transfers. Companies who normally transfer personal data to the U.S. and use U.S.-based service providers are asking themselves: are we still allowed to do this? If not, what should we do now? In this short article we will explain the judgement of the CJEU and the current situation.
1. What exactly was the CJEU’s ruling in relation to the Privacy Shield?
As a reminder, the Privacy Shield Framework was a mechanism to facilitate personal data transfers from the EU to the U.S. Under the Privacy Shield Framework, U.S. companies could self-certify, and the European Commission recognized that the U.S. provides an adequate level of protection for personal data transferred to those companies. This meant that no further guarantee was required for such data transfers.
In its judgement, however, the CJEU found that the Privacy Shield mechanism does not provide adequate protection to personal data transferred to the U.S. and therefore considered it invalid.
The reason for this is that U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, offers limited protection to data subjects and does not grant actionable rights before the courts against U.S. authorities.
2. What was the CJEU’s ruling in relation to SCCs?
Standard contractual clauses (SCCs) are data protection clauses approved by the European Commission which parties can enter into to regulate a transfer of personal data from within the EU to any non-EU country.
The CJEU examined the SCCs under which EU-based data controllers can transfer personal data to non-EU based data processors. In this regard, the CJEU found that SCCs establish effective mechanisms that make it possible to ensure compliance with the level of protection required by EU law.
This does not mean, however, that entering into such SCCs will make the data flow legitimate. Indeed, before any data transfer from the EU to a non-EU recipient takes place, the parties must verify whether the non-EU country meets the level of protection required by EU law. If this is not the case, the data transfer cannot take place. Further, if the non-EU processor informs the EU data controller of any inability to comply with the SCCs, the latter must suspend the data transfer or terminate the contract.
3. Then what about our data transfers to the U.S. based on the Privacy Shield?
The CJEU’s judgement means that personal data transfers to the U.S. which are based on the recipient company’s certification under the Privacy Shield are illegal.
It should be pointed out that the CJEU has invalidated the Privacy Shield Framework without maintaining its effects, which means that there is no grace period with regard to such data transfers.
To sum up, if your company is transferring personal data to the U.S. based on the Privacy Shield Framework, including where you are using a U.S.-based service provider that stores the transferred personal data in the U.S., you need to check whether you can do so on another legal basis.
4. Can we transfer personal data to the U.S. based on SCCs?
Such other basis could be the SCCs, which are still valid. However, you must consider that the CJEU also ruled in its judgement that any company that uses the SCCs is required to assess the laws of the country to which data is being transferred to determine if those laws sufficiently protect personal data.
You must remember that the CJEU ruled in relation to the Privacy Shield that U.S. law does not provide adequate protection to personal data transferred to the U.S. Therefore, it is highly doubtful that data transfers to the U.S. based on the SCCs alone are legal. However, if you put certain supplementary measures in place, data transfers could still be legal. What those supplementary measures can be is still an open question; the European Data Protection Board (leading the EU data protection authorities) plans to provide guidance in this regard.
Nevertheless, if your final conclusion is that appropriate safeguards would not be ensured, you should stop transferring personal data to the U.S. If, despite this conclusion, you still intend to transfer data to the U.S., you must notify the competent data protection authority.
5. What about other exceptions?
It is true that even without an adequacy decision or appropriate safeguards (like the SCCs), in certain cases you are allowed to transfer personal data to non-EU countries.
This is the case when the data subject explicitly consented to the data transfer after having been informed about the risk or if the transfer is necessary for the performance of a contract concluded with the data subject. Another exception is if the occasional data transfer is necessary for the legitimate interests of the controller, if these are not overridden by the data subject’s interests.
However, we warn against using such exceptions for mass data transfers, as it will always be decided on a case-by-case basis whether the conditions were fulfilled, which could jeopardize the lawfulness of the data transfer.
The CJEU decision put companies transferring personal data to the U.S. in a difficult position. If you are transferring personal data to non-EU countries, especially to the U.S., we advise you to conduct a review of your data transfer activities and assess the adequacy of your data transfer mechanisms. If you were transferring personal data to the U.S. based on the Privacy Shield Framework, you must find another valid legal basis or, failing this, as a last resort, stop your data flows to the U.S.