First update on ECJ decision on EU-US Privacy Shield
On July 16, 2020, the European Court of Justice (ECJ) announced the end of the EU-US data protection shield. The ECJ ruled that the "Privacy Shield" is no longer a valid basis for data transfers to the USA. The European Court of Justice has not granted a transitional or grace period. So the question remains if and how such data transfers are still possible without the Privacy Shield.
Standard Data Protection Clauses
A data transfer to a third country is still possible, provided that the controller or processor has planned appropriate safeguards, as defined in the GDPR. Until now, this was usually the case if the data exporter responsible for the data transfer agreed upon so-called “Standard Contractual Clauses” (SCCs) adopted by the European Commission with the data importer in the third country.
However, the ECJ has now ruled that the SCCs are no longer acceptable if the law of the recipient’s country imposes obligations on the data importer that contradict the SCCs, and are therefore likely to undermine the contractual guarantee that the data processing secures an comparable level of protection. This becomes an issue, for example, if the foreign authorities have supervisory powers that go too far from a European data protection perspective. Unfortunately, such a situation exists in the USA. US law provides the US intelligence agencies with rather extensive surveillance powers. For this reason, the ECJ only permits the use of SCCs in relation to the USA if the data exporter responsible takes additional measures to ensure that the intended level of protection is maintained. In their current form, the SCCs can therefore only be used for data transfer to the USA in exceptional cases.
But what kind of “additional measures” does the responsible party have to take in order to continue transferring data to the USA using SCCs?
Many local data protection authorities have since commented on this subject. A clear line is not yet apparent from these statements. The State Commissioner for Data Protection and Freedom of Information in the German country of Baden-Württemberg believes that the ruling means that large parts of the American digital economy are blocked for Europeans. Others take a more cautious position for now.
The European Data Protection Board (EDPB), the committee composed of the European national supervisory authorities, has indicated an answer to the crucial question of what needs to be done now, but does not yet dare to venture out of cover: "The EDPB is continuing to examine what these additional measures could consist of". In an FAQ published on July 23, the EDPB is already becoming more specific: These measures could be of a legal, technical or organisational nature. Thus, it appears that it could still be in the hands of the companies to legalise the export of data. The powers of the US intelligence agencies are not an insurmountable obstacle.
A first recommendation for actions to be taken was issued from Rhineland-Palatinate (German Language). Those responsible for data transfers are to
- check the laws of the third country that the data importer to whom they wish to transfer the data and, if applicable, their other contractual partners in the business relationship are subject to, and whether these laws affect the guarantees provided by the standard contractual clauses,
- where appropriate, analyse the specific data flows to determine which laws of the third country are applicable in each case,
- document the tests and results in order to meet the accountability requirements of Art. 5 Para. 2 DS-GVO.
Binding Corporate Rules
For data transfers within a group of companies, approved Binding Internal Data Protection Regulations, or Binding Corporate Rules (BCRs) are another possibility. Some corporate groups have completed the process to produce BCRs at great expense to enable international data transfer. Each individual set of BCRs has been explicitly approved by the relevant supervisory authority.
Unfortunately, however, even with approved BCRs there is no "business as usual". In its FAQs published on July 23, the EDPB also questioned the BCRs and demanded a supplement for data transfer to the USA. Just as with the SCCs, paper is patient with the BCRs. The existing regulations must be adapted to the local situation. This statement was also endorsed by the joint conference of the German data protection authorities (DSK) in a press release on July 29.
However, it is expected that further communications on this topic will soon be published in the coming weeks. HEUSSEN will continue to monitor the situation and advise our clients on how best to react to the end of the Privacy Shield. Please do not hesitate to contact us if you have any questions on this subject.