NOW WHAT WITH DATA TRANSFERS TO THE UNITED STATES? – CONSEQUENCES OF THE FRESH EU JUDGEMENT
29 July 2020
The recent judgement of the European Court of Justice (CJEU) invalidating the EU-US Privacy Shield raised several questions concerning international personal data transfers. Companies who normally transfer personal data to the U.S. and use U.S.-based service providers are asking themselves: are we still allowed to do this? If not, what should we do now? In this short article we will explain the judgement of the CJEU and the current situation.
1. What exactly was the CJEU’s ruling in relation to the Privacy Shield?
It is recalled that the Privacy Shield Framework was a mechanism to facilitate personal data transfers from the EU to the U.S. Under the Privacy Shield Framework, U.S. companies could self-certify, and on that basis the European Commission recognized that the U.S. provides an adequate level of protection for personal data transferred to those companies. This meant that no further guarantee was required for such data transfers.
In its judgement, however, the CJEU found that the Privacy Shield mechanism does not provide adequate protection to personal data transferred to the U.S. and therefore considered it invalid.
The reason for this is that U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, offers limited protection to data subjects and does not grant actionable rights before the courts against U.S. authorities.
2. What was the CJEU’s ruling in relation to SCCs?
Standard contractual clauses (SCCs) are data protection clauses approved by the European Commission which parties can enter into to regulate a transfer of personal data from within the EU to any non-EU country.
The CJEU examined the SCCs under which EU-based data controllers can transfer personal data to non-EU based data processors. In this regard, the CJEU found that SCCs establish effective mechanisms that make it possible to ensure compliance with the level of protection required by EU law.
This does not mean, however, that entering into such SCCs will make the data flow legitimate. Indeed, before any data transfer from the EU to a non-EU recipient takes place, the parties must verify whether the non-EU country meets the level of protection required by EU law. If this is not the case, the data transfer cannot take place. Further, if the non-EU processor informs the EU data controller of any inability to comply with the SCCs, the latter must suspend the data transfer or terminate the contract.
3. Then what about our data transfers to the U.S. based on the Privacy Shield?
The CJEU’s judgement means that personal data transfers to the U.S. which are based on the recipient company’s certification under the Privacy Shield are illegal.
It should be pointed out that the CJEU has invalidated the Privacy Shield Framework without maintaining its effects, which means that there is no grace period with regard to such data transfers.
To sum up, if your company is transferring personal data to the U.S. based on the Privacy Shield Framework, including where you are using a U.S.-based service provider who stores the transferred personal data in the U.S., you would need to check whether you can do so on another legal basis.
4. Can we transfer personal data to the U.S. based on SCCs?
Such other basis could be the SCCs, which are still valid. However, you must consider that the CJEU also ruled in its judgement that any company that uses the SCCs is required to assess the laws of the country to which data is being transferred to determine if those laws sufficiently protect personal data.
You must remember that the CJEU ruled in relation to the Privacy Shield that U.S. law does not provide adequate protection to personal data transferred to the U.S. Therefore, it would be highly doubtful that data transfers to the U.S. based on the SCCs alone were legal. However, if you put certain supplementary measures in place, data transfers could still be legal. What those supplementary measures can be is still an open question; the European Data Protection Board (leading the EU data protection authorities) has envisaged providing guidance in this regard.
Nevertheless, if your final conclusion is that appropriate safeguards would not be ensured, you should stop transferring personal data to the U.S. If, despite this conclusion, you still intend to transfer data to the U.S., you must notify the competent data protection authority.
5. What about other exceptions?
It is true that even without an adequacy decision or the appropriate safeguards (like the SCCs), in certain cases you are allowed to transfer personal data to non-EU countries.
This is the case when the data subject explicitly consented to the data transfer after having been informed about the risk or if the transfer is necessary for the performance of a contract concluded with the data subject. Another exception is if the occasional data transfer is necessary for the legitimate interests of the controller, if these are not overridden by the data subject’s interests.
However, we warn against using such exceptions for mass data transfers, as it will always be decided on a case-by-case basis whether the conditions were fulfilled or not, which could jeopardize the lawfulness of the data transfer.
The CJEU decision put companies transferring personal data to the U.S. in a difficult position. If you are transferring personal data to non-EU countries, especially to the U.S., we advise you to conduct a review of your data transfer activities and assess the adequacy of your data transfer mechanisms. If you were transferring personal data to the U.S. based on the Privacy Shield Framework, you must find another valid legal basis or, failing this, as a last resort, stop your data flows to the U.S.