On July 16, 2020 the Court of Justice of the European Union (CJEU) handed down a groundbreaking ruling on Privacy Shield and standard contractual clauses, which will have a significant impact on international data transfers, particularly on data transfers between the USA and the Federal Republic of Germany. In particular, the ruling means that the transfer of personal data to the USA is no longer possible on the basis of certification under the Privacy Shield. However, the CJEU has confirmed the validity of standard contractual clauses, while pointing out the guarantees and obligations that the contractual partners take on under them.
- The transfer of personal data to a country outside the European Union is in principle only permitted if this country offers an adequate level of data protection and the European Commission has determined this in a so-called adequacy decision.
- The adequacy decision of the European Commission concerning data transfers to the USA on the basis of Privacy Shield is invalid.
- Data transfers to non-EU countries on the basis of standard contractual clauses remain permissible. Compliance with the guarantees and obligations under the standard contractual clauses must be critically reviewed with the contractual partner, especially in the case of data transfers to the USA.
Background of Privacy Shield
After the CJEU declared the earlier self-certification scheme with the US Department of Commerce, recognised by the European Commission (so-called Safe Harbor), invalid on October 6, 2015, the US Department of Commerce and the European Commission subsequently drew up a new catalogue of principles, which was given the name Privacy Shield. By decision of July 12, 2016 the European Commission declared that the United States ensures an adequate level of protection for personal data transferred from the European Union to an organisation in the US under the Privacy Shield.
Judgment of the CJEU
The CJEU ruled that the decision of the European Commission concerning Privacy Shield of July 12, 2016 is invalid.
The CJEU justified its ruling, inter alia, on the ground that the European Commission's Privacy Shield decision gives priority to the requirements of US national security, public interest and compliance with US law, which permits interference with the fundamental rights of the persons whose data are transferred to the US. The principle of proportionality is not respected, since the surveillance programs based on US legislation are not limited to what is strictly necessary.
Furthermore, the data subjects are not provided with effective legal protection before the Ombudsman. The data subjects therefore do not benefit from guarantees equivalent in substance to those required under Article 47 of the Charter of Fundamental Rights of the European Union.
The CJEU confirms the validity of the European Commission's decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in non-EU countries. The decision contains effective mechanisms that can ensure in practice that the level of protection required by European law is complied with.
However, according to the CJEU, the parties must first check whether the standard contractual clauses, and thus the required level of protection, can actually be complied with in the non-EU country concerned.
Consequences for M&A Practice
Data transfers to the US that have so far been based on Privacy Shield must be stopped or moved to another legal basis (e.g. standard contractual clauses). Without appropriate measures, data transfers to the USA are unlawful with immediate effect and may result in fines.
The parties must critically examine whether the obligations contained in the standard contractual clauses can be complied with, so that breaches of those obligations do not give rise to claims for damages by the data subjects concerned or to fines.
On the seller’s side, when concluding the non-disclosure agreement (NDA), it must be checked whether prospective buyers come from outside the EU. In the absence of an adequacy decision by the European Commission, standard contractual clauses must be concluded. It must be discussed with the prospective buyers whether they can really comply with the guarantees and obligations in the standard contractual clauses. If necessary, the data room provider should also be consulted.
On the purchaser side, the due diligence must examine whether the target company transfers personal data to non-EU countries, and whether such transfers are based on Privacy Shield or on standard contractual clauses. Depending on the result, appropriate guarantees or indemnifications must be included in the share purchase agreement (SPA) in line with the CJEU's case law.