
ECJ: EU-US-Privacy Shield invalid - Standard contractual clauses still valid - what do the authorities advise in Germany?


Following the ECJ Schrems II decision, some supervisory authorities have expressed their views on the way forward, in particular with respect to the continued use of the Standard Contractual Clauses (SCC). Below we have summarized the key messages and findings:


The Hamburg data protection authority concludes: “If the invalidity of the privacy shield is primarily due to the escalating intelligence activities in the USA, the same must also apply to the standard contractual clauses. Contractual agreements between data exporter and importer are equally unsuitable for protecting data subjects from state access.” However, they also see that “in addition to binding corporate rules and individual agreements, it is above all the SCC that can be used as a basis for transfers to third countries. At the same time, however, uncertainty has increased this time: The ECJ is passing the ball to the European supervisory authorities.” Johannes Caspar, Commission Officer of the Hamburg DPA, states: “After today's ECJ decision, the ball is once again in the court of the supervisory authorities, who will now be faced with the decision to critically question the overall data transfer via standard contractual clauses. Ultimately, however, this will not only affect states which, like the USA, have at least made an effort to give the impression that they are creating adequate structures for data protection. For countries like China, such data protection precautions are a long way off. With regard to Brexit, too, the question of permissible data transfer will arise. Hard times are dawning for international data traffic. The bottom line is that in recent years the USA, but also the EU Commission, has not succeeded in implementing a viable basis for adequate data protection that meets European data protection standards. The consequences of this ruling affect international data transfer as a whole. Data transfer to states without an adequate level of data protection will therefore no longer be allowed in the future. Here, the supervisory authorities are particularly called upon to develop and implement a common strategy.”

Federal Commissioner

At the same time, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) Professor Ulrich Kelber associates today's ruling of the European Court of Justice (ECJ) on international data transfer with a strengthening of the rights of those affected: "The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Special protective measures must now be taken for data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which the ECJ has declared ineffective. We will, of course, be giving intensive advice on the changeover".


A very proactive approach was already taken by the Rhineland-Palatinate DPA, which published an FAQ document on the ECJ decision just a few hours after it was handed down. On the question of what data exporters now have to do in relation to the SCC, they conclude: “Data controllers must check the laws applicable to the data importer in the third country to which they intend to transfer the data and, if applicable, to its other contractual partners in this business relationship and whether these laws affect the guarantees provided by the standard contractual clauses. If necessary, the specific data flows must be analyzed to determine which laws of the third country are applicable in each case. These obligations apply to data transfers to all third countries, not only to the USA. If necessary, this examination can be circumvented in cases where other transfer instruments of Chapter V of the GDPR or an exception under Art. 49 GDPR can be used. The latter is often considered for travel bookings, for example. The ECJ ruling is likely to relate primarily to typical outsourcing scenarios, i.e. services that could also be provided in the EU/EEA, but which are easier, cheaper or better provided in a third country.”

In more detail, on the question of whether the SCC no longer work in general for US data transfers, they advise that this is not generally the case: “It is only in cases where the guarantees contained in the standard contractual clauses cannot be respected that they cannot serve as a basis for data transfers. This does not apply across the board to all entities in the USA. Example: The security laws in the USA, such as the Foreign Intelligence Surveillance Act (FISA) 702, which allows the US security authorities to access personal data without a court order, applies primarily to telecommunications companies. As a rule, the standard contractual clauses cannot be used for data transfers to such companies. However, the law may also have an impact on other companies, e.g. if these companies use services from telecommunications providers, such as cloud services. In this case, there is a possibility that the US security authorities will gain access to the data in this way after all. In addition, in connection with data transfer to the USA, it should be noted that, under US Executive Order 12.333, monitoring of insufficiently encrypted data can also be carried out when it travels through the transatlantic cables.”

To conclude, there is some good news insofar as the authorities acknowledge that the SCC still work as a basis. We do expect that the authorities will allow organisations a grace period to bring themselves into compliance in relation to transfers following the judgement. A 6-month grace period was allowed after the fall of Safe Harbor in 2015. Given the broader impacts, it would be reasonable to repeat this now and potentially to extend this period.