The Schrems II decision of the European Court of Justice (Case C-311/18) of July 16, 2020 poses serious problems for the transfer of personal data to the US.
Transfer of personal data
The transfer of personal data to countries outside the EEA (27 EU member states, Norway, Iceland and Liechtenstein) is only permitted if special conditions are met. This is to ensure that the European data protection level is not undermined by the transfer to third countries.
For a few countries, e.g. Canada or Switzerland, there is a so-called adequacy decision by the Commission. This is a binding statement that an adequate level of protection exists in the country concerned. In the absence of such a decision, the level of protection can be established by agreements between the parties involved in the data transfer. For this purpose, there are standard contractual clauses published by the EU Commission or the parties agree on binding corporate rules.
For the transfer to the US, there was the so-called Privacy Shield in place. This agreement between the US and the EU provided that companies could commit themselves to comply with data protection standards. Once a company was listed, data transfers to the US were no longer subject to additional requirements. The European Court of Justice declared the Privacy Shield invalid on 16 July 2020. This means that an important basis for data transfer to the US is missing.
The so-called standard contractual clauses, on the other hand, were expressly declared to be still valid by the European Court of Justice. However, it is not sufficient to merely sign them; what is agreed in them must actually be implemented.
Need for Action
The transfer of personal data to the US plays an important role in economic life. Therefore, the implications of the European Court of Justice decision are far-reaching.
If a company has until now transferred data under the Privacy Shield, there is an urgent need for action. The Privacy Shield is no longer a basis for the transfer to the US. At the moment, any transfer of personal data to the US would be illegal. In view of the immense fines at stake, this is an incalculable risk for any company.
The use of standard contractual clauses is still possible after the decision of the European Court of Justice. However, these must first be agreed on and, most importantly, observed. After the European Court of Justice decision, it can be assumed that the supervisory authorities will increasingly deal with the question of the permissibility of the transfer to the US. It will certainly no longer be sufficient to merely submit signed standard contractual clauses. Compliance with them will be increasingly questioned. It remains to be seen whether the supervisory authorities will also question the overall security of personal data in the US with the arguments of the European Court of Justice. It is recommended that those responsible for transferring personal data to the US check whether the transfer meets the special requirements of Art. 44 GDPR. Although this applies to transfers to any third country, the European Court of Justice's decision certainly places data transfers to the US at the centre of the supervisory authorities' interest. To avoid the threat of fines, compliance with the requirements should be carefully examined and implemented.
By Dr. Michael Witteler