The effects of the ECJ ruling on the Privacy Shield are more serious than expected. The reactions of the supervisory authorities now make it clear that this has enormous implications for companies.
In the so-called Schrems II ruling of 16.07.2020, the European Court of Justice declared the Privacy Shield, on which many data transfers to the US were based, invalid. Surveillance measures in the US are considered too extensive and therefore, as a rule, neither contractual obligations nor self-regulation by companies will be accepted.
The authorities are preparing to carry out audits:
- Whoever still justifies their data transfer policy with the Privacy Shield will be examined first and is likely to experience considerable problems.
- Those who do nothing in response to the Schrems II judgement will also face serious problems and will be subject to closer investigation in terms of data protection.
- Anyone who carries out the following steps will be given lower priority in examinations and might get away without being fined.
Following the ECJ ruling, Mr Schrems has already submitted 101 complaints to the supervisory authorities about European companies which still send data to the US, e.g. Google and Facebook (status: 18.08.2020).
Do not put yourself in this spotlight and do not draw the supervisory authority's attention to you. This is a particularly serious infringement pursuant to Art. 83 (5) DSGVO, which, according to the penalty criteria, may well be assigned an increased severity level, up to a fine of 4% of annual turnover.
Following the decision, many companies based their data transfers on Art. 49 (1) lit. a) GDPR. However, since the supervisory data protection authorities of various countries (including the French authority CNIL) have declared that the wording of Art. 49 (1) (a) DSGVO does not permit such a broad application, justifying data transfers via consent pursuant to Art. 49 (1) (a) DSGVO is only permitted in strictly individual cases.
Companies are now obliged to take action. Based on the recommendations of the State Commissioner for Data Protection in Baden-Württemberg (Germany), we recommend the following steps:
1. FIRST, RECORD ALL DATA TRANSFERS TO THIRD COUNTRIES, IN PARTICULAR THE US.
- Record all your data transfers as well as those of your contract processors to the US.
- Instruct your processors to suspend US data transfers until the processor has ensured an adequate level of data protection.
2. CONSIDER REASONABLE ALTERNATIVES.
An important issue regarding further action will be whether there are reasonable alternative service providers for the services in question.
- Examine European alternatives.
- Replace service providers.
3. COLLECT FACTS ON DATA IMPORTERS AND THE LEGAL FRAMEWORK IN THE US AND COMPARE THE LEGAL SYSTEMS.
- Carry out benchmarking by issuing a questionnaire to your data importers. Ask for information:
  - about the service provider in general and its handling of data protection
  - on the surveillance laws relevant to the service provider and the legal remedies against them
- Ask your processors to request the same information from their American subcontractors and provide it to you.
Attention: Accountability! Make sure to document every correspondence, every phone call and every test. Continuously check if measures are still in place.
4. AGREE ON ADAPTED CONTRACTUAL CLAUSES WITH THE DATA IMPORTER AND TAKE ADDITIONAL MEASURES IF NECESSARY.
- The higher the risk remaining after the above-mentioned audit, the more provisions you should make and the more you should adapt your contract clauses.
- If necessary, the standard contract clauses must be supplemented with further measures, e.g. technical or organisational measures, to ensure adequate protection.
- Provide the clauses to your data importer and document any responses/reactions.
5. DRAW CONSEQUENCES
The State Commissioner for Data Protection in Baden-Württemberg confirmed again last month:
IF YOU DO NOT PROVIDE ADEQUATE PROTECTION OR THE DATA IMPORTER DOES NOT REPLY, YOU ARE OBLIGED TO SUSPEND AND/OR TERMINATE THE TRANSFER. Otherwise, the supervisory authority may prohibit the transfer.
The above also applies to data transfers to all other third countries, unless the EU Commission has already adopted an adequacy decision (as for Canada and Switzerland). Please also take this into account in particular in the event of an unregulated Brexit. The EU and Great Britain are still negotiating on this issue and the outcome is unclear at present.
If you have any questions or need assistance, please do not hesitate to contact us.
© Dr. Carmen Fritz, LL.M.
Lawyer for copyright and media law
Lawyer for industrial property rights
Certified data protection officer (TÜV)
Getting in touch:
Dr. Fritz & Gern Rechtsanwälte Partnerschaft mbB
T 0049 831/930 65 64-0
F 0049 831/930 65 64-9