In its decision in Case C-311/18, the European Court of Justice (ECJ) declared the so-called "Privacy Shield" for data transfers to the USA invalid. The use of so-called standard contractual clauses must also be viewed critically in light of US surveillance laws. The options available to data-exporting companies have therefore been restricted. This article on international data traffic shows what companies must now do.
What does the Schrems II ruling mean?
The ECJ's ruling C-311/18 on data transfer between the EU and the USA (the so-called "Schrems II ruling") has raised some important questions about data transfers to third countries (such as the USA, China, India, etc.).
Companies now need to analyze their data flows to third countries and assess the legal basis on which each data transfer rests.
The following legal bases come into question:
- Adequacy decision (as for data transfer to Switzerland)
- Consent of the data subject to the data transfer
- Occasional (!) data transfer in connection with performance of a contract
- Use of standard contractual clauses (SCCs) or binding internal data protection rules (Binding Corporate Rules – BCRs)
- Agreements between the European Union and third countries (such as the invalid Privacy Shield)
What is the problem with data transfer to the USA?
With the Schrems II decision, the EU-US Privacy Shield was declared invalid because the ECJ was concerned that the necessary level of data protection could not be achieved due to US laws. In particular, US laws such as the Foreign Intelligence Surveillance Act (FISA) enable mass surveillance, and Europeans would have no or only limited rights to sue.
It is nevertheless possible to continue to transfer data on the basis of SCCs. However, when using SCCs, care must be taken to ensure that an adequate level of data protection can be guaranteed with respect to U.S. surveillance laws. Controllers are therefore required to check whether this is the case; if it is not, the data transfer would have to be stopped. Accordingly, the processor or data recipient in the U.S. would have to be asked whether it is subject to a surveillance law (Section 702 FISA and EO 12333; "electronic communication service provider"). If it is, an adequate level of data protection would not be ensured with the SCCs.
Case-by-case assessment for standard contractual clauses and binding corporate rules
Once it has been determined that data is being transferred to a third country and which legal basis is being used, the next step should be to contact the data importer. Together, a case-by-case review should be conducted to determine the extent to which an adequate level of data protection can be ensured (e.g., no access by security authorities on the basis of national legal foundations).
If an adequate level of data protection cannot be ensured, but the SCCs are still to be used, the data protection authority must be informed. Since "electronic communication service providers" are particularly affected by this, data transfers to companies such as AWS, AT&T, Apple, Facebook, Google, Microsoft, Verizon, and many more should be closely examined. These providers should also have informed the responsible parties that US laws (such as FISA 702 and EO 12333) prevent a data transfer. The extent to which liability for the costs of retransferring the data can be enforced here remains to be seen.
The European Data Protection Board will provide further details and guidance on the circumstances under which a data transfer cannot take place despite SCCs / BCRs. It will also define in more detail which measures (organizational, technical) can be taken so that an adequate level of data protection can be guaranteed when using SCCs.
Data processing by processors
Data processing by processors is also affected. Solid contractual provisions are now worth their weight in gold. Those who have precisely defined whether their processor may transfer data to third countries or allow access to data are now at an advantage. Furthermore, provisions on the commissioning of sub-processors based in third countries are more than sensible in situations like these.
If it is clear that the processor will transfer data to third countries, including the U.S., it is now up to the controller to determine whether an adequate level of data protection can be guaranteed. If this is not the case, the question is to what extent an alternative (such as consent) can be used, or whether a contract amendment must be negotiated that prohibits the transfer of data to the USA. The processor and the controller would then have to look for an alternative that processes the data in the EU/EEA.