Companies should once again review their data protection arrangements, this time with a particular focus on their cloud service providers and on any other process in which personal data is transferred to the USA. Internationally operating companies are likely to be particularly affected, but so is any company that uses services from Google, Apple or Facebook, for example.
As a result, companies are advised, as far as possible, to refrain from transferring personal data to the USA for the time being and to look instead for providers, cloud providers for example, whose servers are located in the EU. Where this is not possible, every company must examine more thoroughly than before on what legal basis the transfer rests and how the data is protected once it is in the USA.
The background to this recommendation is that on 16 July 2020 the European Court of Justice (ECJ) published another landmark decision on data protection (C-311/18, Schrems II). After the Safe Harbor agreement with the USA had already been overturned in 2015 at the instigation of the data protection activist Max Schrems, the ECJ has now also declared the so-called Privacy Shield (the EU-US data protection shield) invalid. The Privacy Shield was an arrangement between the EU Commission and the US authorities under which US companies could commit themselves to certain data protection standards and self-certify under the Privacy Shield. Companies based in the EU could then lawfully transfer personal data to a certified company in the USA. Under the GDPR, a transfer to a third country is lawful only if the Commission has found that the country ensures an adequate level of protection, or if the data exporter provides appropriate safeguards and data subjects have enforceable rights and effective legal remedies. The Privacy Shield adequacy decision was intended to serve this purpose.
The EU-US Privacy Shield was ultimately overturned because US intelligence services can access the personal data of EU citizens without the limits and safeguards that EU law requires, and data subjects have essentially no effective legal remedy against this. This came as no surprise to data protection specialists: the Safe Harbor agreement had already been annulled in 2015 for the same reason.
The decision has far-reaching implications for European companies. The FAZ podcast "Einspruch", for example, ran an episode under the title "Wie der EuGH das Internet in Europa ausknipst" ("How the ECJ is switching off the Internet in Europe").
In practice, the decision means the following for data transfer to the USA:
- Transfer based on the Privacy Shield
Companies that transfer personal data to the USA relying solely on the EU-US Privacy Shield should stop doing so. Maja Smoltczyk, the Berlin Commissioner for Data Protection and Freedom of Information, for example, has already pointed this out. There is no transitional period.
This problem can arise with all kinds of services, e.g. CRM systems, e-mail providers and web hosts based in the USA. Affected are global players such as Apple, Facebook, Google and Microsoft, as well as other providers handling sensitive data, such as Workday.
One solution may be to find suitable business partners in the EU. This would also support the European digital economy, which has fallen behind its US counterpart, something that is probably regarded as a welcome side effect in many quarters.
- Transfer on the basis of standard contractual clauses
Companies that transfer data on the basis of standard contractual clauses cannot breathe a sigh of relief either.
The ECJ has not overturned these clauses in general, but the clauses do not change the fact that US surveillance laws exist which largely undermine the protection of European personal data.
The European Data Protection Board (EDPB), in which the national data protection authorities in particular are represented, has issued a statement on this (https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf). In summary, data controllers must assess, in light of the individual circumstances of each transfer, whether the standard contractual clauses ensure adequate data protection despite the extensive powers of the US authorities. "Supplementary measures" are to be taken where necessary. What these measures might look like remains vague.
Given that US security authorities will continue to have access to the personal data of EU citizens, and that the services will not tolerate certain data being removed from their reach, we believe that the use of standard contractual clauses is also risky. In this respect, the ECJ has done no favours to those who have to live with the Schrems II judgment and is once again creating legal uncertainty.