On 16.7.2020 the European Court of Justice (ECJ) struck down the EU-US Privacy Shield. This ruling affects, among others, all website operators who use the services of US companies. In this article, I will explain what the ruling means for you as a website operator or agency and what you need to do now.
All data processing requires a legal basis
Any processing of personal data requires a legal basis (Art. 6 (1) GDPR). The most important legal bases in relation to websites are:
- the consent of the person concerned (for example, to set cookies);
- the fulfilment of a contractual obligation (for example, in the case of online shops);
- the legitimate interest of the responsible person or website operator (for example, in answering email enquiries).
Consent is traditionally obtained on websites by means of a checkbox. The best example of this is the cookie banner, where a website visitor consents to the setting of certain cookies (for example marketing or tracking cookies). If you want to learn more about this topic, you'll find detailed information in my article "Cookie Banner - Done Properly! 7 Things You Should Pay Attention to".
However, the legal bases mentioned above only concern the actual data processing itself.
Additional legal basis required for data transfers to non-European countries
If data processing is not to take place in the EU but in a non-European country - i.e. in a so-called third country - an additional legal basis is required.
These legal bases for transfers of personal data to third countries can be found in Art. 44 et seq. GDPR.
Of particular relevance to website operators are the adequacy decisions of the European Commission (Art. 45 GDPR).
The European Commission decides with such a decision that a third country provides an adequate level of data protection and that personal data may be transferred to the third country.
Adequacy decisions have been adopted in the past for a number of countries, including Switzerland, Japan and New Zealand.
The Privacy Shield
The Privacy Shield was a European Commission adequacy decision for data transfers to the USA. It was adopted in July 2016, about nine months after the ECJ had invalidated the Safe Harbor framework (the predecessor of the Privacy Shield) in October 2015.
Under the Privacy Shield, US companies could voluntarily commit themselves to respecting a certain level of data protection when processing personal data from the EU. After this self-certification, personal data from the EU could be transferred to them.
The Privacy Shield judgment of the ECJ
The ECJ ruling was prompted by a reference for a preliminary ruling from the Irish High Court to the ECJ, which was based on a case brought by Austrian data protection activist Maximilian Schrems against Facebook Ireland Ltd.
In its ruling of 16 July 2020, the ECJ declared the Privacy Shield invalid. This means that, with immediate effect, all transfers of personal data from the EU to the USA that were previously based on the Privacy Shield as their legal basis are now inadmissible.
That sounds dramatic - and it is.
Consequences of the judgment for website operators
Almost every website is likely to be affected by the consequences of the ruling. This is because almost every website has integrated at least one service from a US company. Even where the contract is formally with a European subsidiary (such as Facebook Ireland Ltd. or Google Ireland Ltd.), the service itself is typically provided with the involvement of the US parent company (such as Facebook Inc. or Google LLC).
For many of these services, personal data is transferred to the USA (possibly depending on the default settings). Examples of such services are:
- Google services like Google Analytics, Google Maps or Google Fonts (if they're not integrated locally)
- Newsletter services (e.g. Mailchimp)
- Social media plugins (Facebook, Instagram, YouTube, Twitter etc.)
- Cloud backup services
- Online shop solutions
If a website operator has drawn up their data protection declaration correctly, the following information should be found on it for every service where data could be transferred to the USA:
"The US company XYZ also processes your personal data in the USA and has committed to the EU/US Privacy Shield. For more information on the Privacy Shield, please see: https://www.privacyshield.gov/EU-US-Framework."
Possible alternative legal bases for data transmissions
Data transfers to the US previously based on the Privacy Shield are, with immediate effect and until the Commission adopts a new adequacy decision, only allowed if they have another legal basis.
In this case, the following legal bases can be considered:
Consent of the data subject
The most relevant legal basis for website operators is the explicit consent of the data subject (Art. 49(1)(a) GDPR). However, this is subject to the condition that the data subject has been informed of the possible risks of the transfer before consent is given.
Transmission for the performance of a contract
It is also conceivable that the transfer of personal data to the USA is necessary for the performance of a contract between the data subject (the website visitor) and the controller (the website operator) (Art. 49(1)(b) GDPR).
However, it is not sufficient that the website operator wants to use the service of a US company (for example, a US online shop plugin) to process the contract. Rather, the contract itself must have a US connection, e.g. the goods are ordered from a US web shop.
Standard data protection clauses of the European Commission
It is unlikely that the transfer of personal data to the US can be based on the standard data protection clauses adopted by the European Commission (Art. 46(2) GDPR).
The standard data protection clauses are model contracts that can be concluded between a data exporter established in the EU and a data importer established in a third country. By means of these clauses, the non-European data importer guarantees the data exporter that the personal data transferred will enjoy a level of protection comparable to the level of GDPR protection.
In its ruling on the Privacy Shield, the ECJ upheld the standard data protection clauses as such; their content is not called into question. However, it must also be possible to effectively comply with and enforce the clauses in the third country.
Whether this is actually possible for data transfers to the USA seems highly doubtful. The European Court of Justice has declared the Privacy Shield to be ineffective, among other reasons, because EU citizens would not have suitable legal protection against the data monitoring programmes of the US authorities. And this situation is likely to be virtually identical in the case of the standard data protection clauses.
For this reason, the ECJ has also ruled in its judgment that data protection supervisory authorities are obliged to suspend or prohibit a transfer of personal data to a third country based on standard data protection clauses if they consider that the standard data protection clauses are not or cannot be complied with in the third country.
It is therefore likely that data transfers to the US based on the standard data protection clauses will be challenged and declared inadmissible by the data protection authorities.
What you need to do now as a website operator
As all transmissions of personal data to the USA based on the Privacy Shield are now inadmissible, website operators should implement the following measures:
#1 Select European servers
Some US companies offer to provide their services via European servers. If this is the case, website operators should choose the European servers.
#2 Obtain the consent of the person concerned
If it is not possible to choose a European server, the explicit consent of the data subject should be obtained for the transfer of their personal data to the USA. This consent could be given by means of a checkbox, just like when setting cookies.
Since every website that sets cookies should already have a cookie banner with corresponding information and checkboxes for the individual cookies, this banner could be supplemented with further information (on the risks) and checkboxes regarding the intended data transfers to the USA. As with any consent checkbox, the website visitor must tick the checkbox themselves (opt-in): the German Federal Court of Justice has ruled that checkboxes ticked by default (opt-out) are inadmissible.
Admittedly, the only "disadvantage" of this consent solution is that the corresponding service on the website is not allowed to be active if consent is not given.
What this means in practice is briefly explained here using Google Fonts as an example:
Sometimes Google Fonts are not embedded locally on the website but are loaded from Google's servers by the visitor's web browser each time the page is opened. In that case the browser sends request data (for example the visitor's IP address, user agent and referrer), i.e. personal data of the website visitor, to Google; if the server answering that request is located in the USA, the data is transferred there.
It is already questionable whether this loading of Google Fonts can be based on a legitimate interest of the website operator (I personally have great doubts), since Google Fonts can also be integrated locally. But even if this legitimate interest were assumed, the transfer of the browser's request data to Google's American servers would require an additional legal basis. This additional legal basis was previously the Privacy Shield. Since it is now invalid, loading Google Fonts from American Google servers would require the consent of the website visitor. If this consent were not granted, the Google Fonts would not be allowed to be loaded at all.
This means that Google Fonts needs to now be integrated locally on the website.
If a data transfer is now based on the consent of the website visitor, this must be stated accordingly in the privacy policy. Moreover, when obtaining consent, the risks associated with the data transfer to the USA must be explained; namely that personal data transferred to the USA may be accessed by US authorities under American surveillance programmes and that EU citizens have no effective legal remedies against this.
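The practical side of the two measures above (self-hosting instead of loading from US servers, and an opt-in gate for everything that cannot be self-hosted) is illustrated by the following added example. It is not code from the original article: it audits an HTML page for resources fetched from a constructed list of US-service hosts, rewrites the Google Fonts `<link>` tags to a self-hosted stylesheet at an assumed path, and filters the remaining third-party loads against an opt-in consent object in which an unticked box means "not loaded". The host list, the category mapping and the sample page are constructed for illustration and are not exhaustive.

```javascript
// Added example (not from the original article). Assumptions: the host list
// and host->category mapping below are illustrative, the local stylesheet
// path is hypothetical, and SAMPLE_HTML is a constructed page.

// Third-country (US) endpoints the audit flags, mapped to the consent
// category a visitor would tick in the cookie/consent banner.
const HOST_CATEGORY = {
  "fonts.googleapis.com": "fonts",
  "fonts.gstatic.com": "fonts",
  "www.google-analytics.com": "analytics",
  "www.googletagmanager.com": "analytics",
  "maps.googleapis.com": "maps",
  "connect.facebook.net": "social",
  "platform.twitter.com": "social",
  "www.youtube.com": "social",
};

// src/href attributes of the tags that trigger a request when the page loads.
// A <link rel="preconnect"> is included on purpose: it already opens a
// connection to the host before any font file is fetched.
const RESOURCE_RE =
  /<(script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Return {tag, url, host, category} for every resource loaded from a host in
// HOST_CATEGORY. Relative URLs are served from the site's own origin and are
// therefore not transfers to a third country.
function auditThirdPartyLoads(html) {
  const findings = [];
  for (const m of html.matchAll(RESOURCE_RE)) {
    const [, tag, rawUrl] = m;
    let url;
    try {
      url = new URL(rawUrl.startsWith("//") ? "https:" + rawUrl : rawUrl);
    } catch {
      continue; // relative URL: same origin, nothing leaves the site
    }
    const category = HOST_CATEGORY[url.hostname];
    if (category) {
      findings.push({ tag: tag.toLowerCase(), url: url.href, host: url.hostname, category });
    }
  }
  return findings;
}

// Measure #1 for Google Fonts: replace the stylesheet link to fonts.googleapis.com
// with a self-hosted stylesheet (hypothetical path) and drop the preconnect hint
// to fonts.gstatic.com, so the browser never contacts Google for the fonts.
function rewriteGoogleFontsLocal(html, localCssPath = "/fonts/fonts.css") {
  const CSS_LINK_RE =
    /<link\b[^>]*\bhref\s*=\s*["']https?:\/\/fonts\.googleapis\.com[^"']*["'][^>]*>/gi;
  const PRECONNECT_RE =
    /<link\b[^>]*\bhref\s*=\s*["']https?:\/\/fonts\.gstatic\.com[^"']*["'][^>]*>\s*/gi;
  return html
    .replace(CSS_LINK_RE, `<link rel="stylesheet" href="${localCssPath}">`)
    .replace(PRECONNECT_RE, "");
}

// Measure #2: opt-in gate. A resource is only allowed when the visitor has
// actively ticked the box for its category (strict boolean true). Missing or
// pre-filled values count as "no consent", so nothing is loaded by default.
function allowedResources(findings, consent) {
  return findings.filter((f) => consent[f.category] === true);
}

// Constructed sample page mixing local assets with US-hosted ones.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.googletagmanager.com/gtag/js"></script>
<script src="/js/app.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/example"></iframe>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", auditThirdPartyLoads(SAMPLE_HTML).map((f) => f.host));
  const local = rewriteGoogleFontsLocal(SAMPLE_HTML);
  console.log("after self-hosting fonts:", auditThirdPartyLoads(local).map((f) => f.host));
  console.log("with no boxes ticked:", allowedResources(auditThirdPartyLoads(local), {}));
}

module.exports = { auditThirdPartyLoads, rewriteGoogleFontsLocal, allowedResources, SAMPLE_HTML };
```

Running the audit before and after the rewrite shows the point of measure #1: the two font-related findings disappear without any consent dialogue, while the tag manager script and the YouTube embed remain and must either be replaced or sit behind an unticked box. A real deployment would run this audit against rendered pages in a build or CI step, since scripts loaded at runtime can pull in further hosts that a static scan of the HTML does not see.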
After the ECJ declared the Safe Harbor framework invalid in October 2015, it took the European Commission less than a year to negotiate the Privacy Shield with the USA.
Given the importance of transatlantic data exchange, which should not be underestimated, it will certainly not be long before a new regulation is found and the European Commission adopts a new adequacy decision for the transfer of personal data to the US.
And if the new arrangement addresses the concerns of the ECJ and provides better data protection for EU citizens in the USA, that is also a good thing for website operators.