A few days ago, the Court of Justice of the European Union (the “CJEU”) invalidated the Privacy Shield program for personal data transfers from the EU to the US - Cā311/18 (CJEU) Data Protection Commissioner v. Facebook Ireland Ltd (July 16, 2020). Nevertheless, the CJEU upheld the Standard Contractual Clauses as a valid mechanism for transfers of personal data to jurisdictions outside the EU.
This is not the first time that the CJEU strikes down a mechanism for data transfers from the EU to the US. Five years ago, the CJEU invalidated the Safe Harbor program, the Privacy Shield’s predecessor, due to the mass surveillance programs conducted by US security and intelligence agencies under the national security laws in the US.
The CJEU’s decision raises the concern that the same invalidity considerations will be used amid the EU Commission’s reevaluation of the decade-old recognition of Israel as a country with adequate safeguards for the protection of personal data. The possible revocation of Israel’s adequacy status will adversely affect virtually every Israeli organization processing personal data of EU individuals.
About the ‘Privacy Shield’ Program
Under the EU General Data Protection Regulation (“GDPR”), personal data generally may be transferred outside the EU only to jurisdictions that provide an adequate level of protection of personal data or subject to appropriate data transfer mechanisms, such as the Standard Contractual Clauses established by the EU Commission.
The privacy laws in the US are radically different from the privacy regime in the EU. Therefore, the EU Commission and the US government had established a mechanism to legalize the transfer of personal data from the EU to the US. After the inaugural transfer mechanism – the ‘Safe Harbor’ – was invalidated by the CJEU in its 2015 decision, a new mechanism was established in 2016, the ‘Privacy Shield’.
The Privacy Shield allows American companies to voluntarily commit to stricter and more comprehensive data protection obligations than are ordinarily required under US law, in order to be certified to receive personal data of EU individuals. Since 2016, thousands of American companies have self-certified to the Privacy Shield, including tech giants such as AWS, Google, Facebook, Microsoft, and Apple.
The Privacy Shield’s Invalidation
The CJEU’s decision to invalidate the Privacy Shield emanates from principles similar to the ones expressed in its 2015 judgment invalidating the Safe Harbor program.
The CJEU’s decision explains that US legislation allowing the American intelligence and security agencies to indiscriminately collect and process mass personal data, including that of EU individuals, interferes with the fundamental rights of those individuals. The CJEU opined that US legislation allowing American intelligence and security agencies such access is disproportionate and is not limited to what is strictly necessary, as per the EU legal standards.
The CJEU also addressed the Ombudsperson mechanism, which the Privacy Shield established for EU individuals adversely affected by the American intelligence and security agencies’ practices. The CJEU noted that the Ombudsperson mechanism does not provide data subjects actionable rights against the US agencies. Also, the Ombudsperson lacks independence and authority to adopt decisions binding on the US intelligence services.
The Standard Contractual Clauses are Conditionally Valid
Years ago, the EU Commission had established Standard Contractual Clauses (SCCs) for the transfer of personal data from the EU to organizations located in jurisdictions outside the EU. By executing the Standard Contractual Clauses, a non-EU recipient of the data agrees to apply various measures to ensure a level of personal data protection similar to those provided under EU law.
The CJEU’s judgment also opined on the SCCs. The judgment held that although there is no reason to invalidate the SCCs as such, the two parties to each SCC are obligated to examine the various circumstances concerning the transfer of personal data. In particular, they are required to assess whether the SCC data recipient is capable of complying with the SCC obligations, considering the legal regime in its jurisdiction and any mass surveillance data access by the public agencies of that country. In certain circumstances, the data transferor should consider reinforcing the Standard Contractual Clauses with additional obligations to ensure that the level of protection for the personal data required by the EU is preserved.
The CJEU also held that EU data protection authorities must prohibit personal data transfers based on SCCs if they consider that the SCCs are not, or cannot be, complied with under the circumstances of a given transfer, and where the data transferred cannot be protected by other means.
The CJEU’s decision imposes additional cumbersome hurdles on the Standard Contractual Clauses mechanism. It is clear that EU law prefers transfers of personal data to countries recognized by the EU Commission as having an adequate level of protection of personal data.
Standard Contractual Clauses - Possible Implications on Israeli Companies
Many Israeli companies use US service providers, such as cloud computing providers, to process personal data of EU individuals. To be able to receive personal data from the EU, many US service providers certified to the now-defunct Privacy Shield program. However, anticipating the risk to the Privacy Shield program, some service providers, such as AWS, Microsoft, and Google also adopted the SCCs as a mechanism to legalize personal data transfers from the EU to them.
In light of the CJEU’s suggestions of the possible need to reinforce the Standard Contractual Clauses with further protective provisions, we expect that many US service providers offer to reinforce the SCCs they are committed to.
However, Israeli companies should bear in mind that the SCCs generally are not meant to legalize the transfer of personal data of EU data subjects from one non-EU organization (such as Israeli companies operating in the EU market and processing personal data of EU individuals, thus subject to the GDPR) to another non-EU organization (such as US service provider). Therefore, it is not clear whether the SCCs are an acceptable data transfer mechanism in these circumstances.
Other Possible Implications on Israel and Israeli Companies
The GDPR requires that the EU Commission periodically reassess the adequacy decisions it had made, which declare a non-EU country as having a sufficient level of data protection to allow seamless data transfers to it. In 2011 the EU Commission recognized Israel as having an adequate level of protection of privacy, thereby easing the flow of data from the EU to Israel. To date, this adequacy decision benefits numerous Israeli companies and organizations.
In 2019, the EU Commission began reevaluating Israel’s adequacy decision and is expected to publish its findings later this year. Recently, press reports revealed that the Israeli National Security Agency (the “Shabak”) maintains a database containing telecommunications data and other information of all individuals located in Israel. This database, whose existence and volume was disclosed in a news article published earlier this year,[2] likely was established under the National Security Agency Law and the Communication Law (Telecommunication and Broadcasting).
As it turns out, Israel’s legislation allows its security and intelligence agencies to collect and monitor personal data of every person in Israel, somewhat like the US. Moreover, the Israeli legislature, the Knesset, has authorized the Shabak to that database not only for national security purposes but also for public health, in the combat against the Coronavirus pandemic.
The CJEU already has ruled twice, in the US context, that such legislation, absent proportionality, and proper checks and balances, is sufficient reason to invalidate data transfer mechanisms to from the EU to the US. Therefore, it is likely that the EU Commission’s reevaluation of Israel will result in a decision to revoke Israel’s adequacy recognition for similar reasons.
If Israel’s adequacy is revoked, thousands of Israeli organizations that process personal data of EU data subjects generally will not be able to do so unless they adopt the SCCs, which also entail difficulties as described above. Affected organizations may include, among others, financial institutions, pharmaceutical companies conducting clinical trials in the EU, service providers that provide services in the EU, providers of tourism services to visitors from the EU, universities, and research institutions that collaborate with institutions in the EU, etc.
Therefore, we recommend that Israeli organizations that process personal data of EU data subjects prepare for the possibility that Israel’s adequacy will be revoked in the near future. For more information on this subject, please contact us.