16.09.2020

ECJ overturns EU-U.S. privacy shield: regulatory authorities and companies comment on the ruling (overview)

Background

Following the European Court of Justice’s decision to declare the EU-U.S. privacy shield invalid, companies and authorities must now examine on what basis personal data can be transferred to the USA. Although standard contractual clauses are still valid, some data protection authorities believe that these are no longer suitable to justify the transfer of data to the USA. In this article, we have summarised the individual statements from authorities and other stakeholders:

Overview of official reactions
Supervisory authorities

Core statement

German Federal Commissioner for Data Protection and Freedom of Information

Standard contractual clauses can still provide a possible basis for the transfer of data. However, a transfer of data to the USA can only be justified via standard contractual clauses if additional measures are taken to ensure the same level of data protection as in the European Union. The circumstances for a transfer of data must be considered on a case by case basis. This also applies to the transfer to other countries.

The German Federal Commissioner for Data Protection and Freedom of Information has adopted the FAQ of the European Data Protection Committee.

Hamburg

Following the ECJ’s decision, the ball is once again back in the court of the supervisory authorities, who are now faced with the task of deciding whether to critically examine the overall transfer of data to third countries via standard contractual clauses. Challenging times are approaching for the international transfer of data.

Rhineland-Palatinate

Those responsible will have to grapple with the legal situation in the destination country; they have to check which laws apply to the data importer in the third country and, if applicable, whether they also apply to the data importer’s subcontractors and whether these laws affect the guarantees provided in the standard contractual clauses. If necessary, the specific data flows must be analysed to determine which laws of the third country apply in each case. These obligations apply to the transfer of data to all third countries (e.g. Russia, China etc.) and not only to the USA.

The Commissioner for Data Protection and Freedom of Information for the State of Rhineland-Palatinate has announced that it will reach out to companies in the event of complaints or otherwise in the medium-term in order to obtain corresponding statements. 

Berlin

The Commissioner for Data Protection and Freedom of Information in Berlin has called upon all those persons responsible for data protection under its supervision to comply with the decision of the European Court of Justice. Those responsible for transferring personal data to the USA, especially those using cloud services, are now required to immediately switch to service providers in the European Union or in a country with an appropriate level of data protection.

Thuringia

“If the ECJ is now emphasising that the protective mechanisms of the standard contractual clauses and compliance with these must now be examined by the data exporter and the data recipient prior to the transfer, then I do not know how, when transferring data to the USA, an EU data protection-compliant test result will be achieved. According to the ECJ ruling, the European data protection supervisory authorities now also have an increased duty to answer this question,” said the Commissioner for Data Protection for the State of Thuringia.

North Rhine-Westphalia

The German and European regulatory authorities are working together to ensure a uniform understanding and implementation of the ECJ ruling. They are also working on recommendations for those persons who apply the law. The European Data Protection Board is offering support to the EU Commission to establish a new framework for the transfer of data to the USA. The European Data Protection Board is also examining what additional measures could be taken in the event that standard data protection clauses for a particular target country do not yet provide sufficient guarantees. Overall, the European Data Protection Committee will work on guidelines that take the judgment into account for those persons who apply the law. The German supervisory authorities contribute to the decision-making process of the European Data Protection Board and coordinate their activities in Germany. The supervisory authorities will deal with complaints from affected persons and investigate them appropriately. We will publish the guidelines and general advice on our website as soon as possible.

Bremen: n.a.
Bavaria: n.a.
Brandenburg: n.a.
Schleswig-Holstein: n.a.
Saarland: n.a.

Mecklenburg-Western Pomerania

The Commissioner for Data Protection and Freedom of Information for the State of Mecklenburg-Western Pomerania refers to the statement made by the Federal Commissioner for Data Protection and Freedom of Information and the Commissioner for Data Protection and Freedom of Information for Hamburg.

Saxony: n.a.
Saxony-Anhalt: n.a.
Lower Saxony: n.a.
Hesse: n.a.

Baden-Württemberg

The standard contract clause has not been declared invalid, but those responsible must check whether their agreement is sufficient. In the case of the USA, however, the result of this examination is obvious, because practically no American company can credibly guarantee that it will be spared access by the security services in the USA.

Data protection conference

Standard contractual clauses can still be used, but the responsible person and the recipient must check whether the guarantees they contain can be implemented in practice. If not, additional protective measures must be agreed, the actual effect of which must not be thwarted by the laws of the third country.

The considerations of the ECJ also apply to Binding Corporate Rules; these must also be supplemented by further protective measures if necessary.

German Federal Commissioner for Data Protection and Freedom of Information

The ECJ has confirmed and strengthened the role of data protection supervisory authorities. They must be able to check and verify that the high standards of the ECJ are met for each individual data processing operation. This also means that they prohibit the exchange of data if the requirements are not met. Both companies and authorities, as well as the supervisory authorities, now have the complex task of applying the ruling in practice. We will press for rapid implementation in particularly relevant cases.

Data Protection Commission (DPC), Ireland

The Irish data protection supervisory authority has stressed that it must be examined in each individual case whether the transfer of data to the US, which now appears doubtful in principle even using the standard contractual clauses, can be permitted. It looks forward to developing a common position among EU supervisory authorities so the ruling can have a meaningful and practical effect.

Commission Nationale de l'Informatique et des Libertés (CNIL), France

The French supervisory authority has exercised restraint: “Beyond the summary shared by the CJEU in its press release, the CNIL is currently conducting a precise analysis of the judgment, together with its European counterparts assembled within the European Data Protection Board. This joint work aims at drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States”.

Information Commissioner’s Office (ICO), Great Britain

The ICO refers to the European Data Protection Board FAQ and understands the challenges now facing many UK companies. 

Europe

EU Commission

The Commission had already worked intensively on a broad range of instruments for international data transfers, also taking into account the modernisation of the standard contractual clauses.

This will now be brought to a swift conclusion in consultation with the data protection authorities of the European Data Protection Council. “Today’s judgement gives us further valuable guidance and we will ensure that the updated instrument is fully in line with it.”

European Data Protection Board ("EDPB")

The standard contractual clauses remain valid, but in practice, the person responsible and the recipient must check whether an adequate level of protection can actually be achieved in the third country by applying them. This makes it necessary to examine the level of protection in the third country, taking into account the aspects not exhaustively listed in Art. 45 (2) GDPR. This also applies to the use of Binding Corporate Rules.

The EDPB has published an FAQ on the ruling.

European Data Protection Supervisor ("EDPS")

As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge.

Other statements

Stakeholder

Core statement

Microsoft

Therefore, we would like to make it clear: commercial customers can continue to use our services in accordance with European law. The ECJ ruling does not deprive them today of the possibility to transfer data between the EU and the USA via the Microsoft Cloud.

Recommended course of action

In particular, companies should review the transfer of data to the USA and, if data processing is based solely on the EU-U.S. Privacy Shield, agree on the standard contractual clauses as soon as possible as a suitable alternative guarantee. However, even if standard contractual clauses already exist, it must be examined in each case whether these can be complied with in accordance with the legal situation in the target country with regard to the access possibilities of state authorities (in particular intelligence services) in order to compensate for the lack of protection in the recipient country. If not, further measures must be agreed in addition to the standard contractual clauses in order to establish an adequate level of data protection, or the transfer of data must be suspended.

Author
Dr Christian Rabe
Senior Associate
Hamburg
christian.rabe@luther-lawfirm.com
+49 40 18067 14946