October 28, 2020

Volume X, Number 302

Advertisement

October 28, 2020

Subscribe to Latest Legal News and Analysis

October 27, 2020

Subscribe to Latest Legal News and Analysis

October 26, 2020

Subscribe to Latest Legal News and Analysis

The End of Privacy Shield: European Data Protection Authorities React

The Court of Justice of the European Union (CJEU)’s historic decision in Schrems II, in which the EU-U.S. Privacy Shield was invalidated, requires businesses to rethink the mechanism they can rely on to transfer personal data from the EU to the United States and other countries. However, how the decision will be enforced remains uncertain.

Despite the invalidation of Privacy Shield, the U.S. Department of Commerce issued a statement that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” And although the CJEU’s decision in principle upheld the validity of Standard Contractual Clauses (SCCs), the judgment drew reactions from various EU data protection supervisory authorities (DPAs), some calling into question the use of SCCs for EU to U.S. transfers.

EDPB Seeks New Agreement With U.S.; Promises Clarification on SCC ‘Additional Measures’

On 17 July, the day after the CJEU’s ruling, the European Data Protection Board (EDPB), an association comprising, inter alia, national DPAs of all EU Member States, published a statement welcoming the ruling and calling it “of great importance.” In its statement, the EDPB points out that consistent with the judgment, the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU.

The EDPB also promises to further assess additional measures that parties to the transfer could consider undertaking, if after undertaking a “SCC-assessment,” the U.S. (or other destination country) does not provide an essentially equivalent level of protection.

EDPS Notes Data Protection Is a Global Fundamental Right

In its statement following the Schrems II decision, the European Data Protection Supervisor (EDPS) points to the growing number of data protection laws adopted worldwide, including the new Convention 108+ adopted by the Council of Europe, as evidence that data protection is not only a “European” fundamental right, but a fundamental right widely recognised around the globe. Against this background, the EDPS notes that it believes the U.S. will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the CJEU. The EDPS also reiterates the DPAs’ duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country.

UK’s ICO Advises Companies to Continue Using Privacy Shield

The day after the decision, the UK’s Information Commissioner’s Office (ICO) stated that it was considering the decision and that it “stand[s] ready to support UK organizations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.” The ICO later released the following statement: “If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”

Irish DPC Notes That Use of SCCs for US Transfers Is Questionable

The Irish Data Protection Commission (DPC), which was a party to the proceedings leading to the CJEU judgment, issued a statement welcoming the CJEU’s endorsement of its position. However, the DPC notes that the application of the SCCs to transfers of personal data to the U.S. is now questionable and will require further and careful examination on a case-by-case basis. The DPC acknowledges that going forward the “central role” that it, together with its fellow supervisory authorities across the EU, must play will be developing a position to give meaningful and practical effect to the judgment.

German DPAs Issue Various Opinions 

In Germany, where there are several DPAs with differing geographical and material competences, several DPAs shared their opinions on how they believe the Schrems II decision impacts the use of SCCs for transfers to the U.S. and other third countries.

  • BfDI Looks to Revised SCCs as a Possible Solution. In response to the decision, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), responsible for the supervision of telecommunication providers and federal authorities, promises further guidance and mentions the European Commission’s revised SCC as a possible solution.

  • DPA Hamburg Asserts SCCs Likely Inadequate for Transfer to U.S. Arguing that the current SCCs are unsuitable for protecting data subjects from the access of intelligence services, the Hamburg Data Protection Commissioner (DPA Hamburg) calls the CJEU’s decision to maintain SCCs inconsistent with its Privacy Shield conclusion (cf. statement, in German). DPA Hamburg notes that at least in this specific case, the court should have come to the same conclusion for Privacy Shield and SCC – that neither is an adequate transfer mechanism. The Hamburg DPA notes that EU DPAs will now have to critically question whether transfers based on SCCs to the United States, China, and in light of Brexit perhaps even the United Kingdom are permissible. Declaring that since data transmissions to countries without adequate protection will no longer be allowed, DPA Hamburg stresses that the DPAs in Germany and in Europe must now reach a rapid agreement on how to deal with the situation.

  • DPA Rhineland-Palatinate Notes No Grace Period and Potential Impact on Binding Corporate Rules. The Data Protection Commissioner for Rhineland-Palatinate (DPA RP) issued guidance in the form of FAQs (in German), wherein it recognizes that the GDPR does not permit a grace period in such situations as those resulting from the Schrems IIdecision. The DPA RP also gives examples in which the SCC may not serve as basis for U.S. transfers, e.g., telecommunication companies, and companies using the services of such companies. The DPA RP notes that absent a legitimate basis for the transfer, the data transfer must be suspended; otherwise, there is a violation of Art. 44 GDPR. While the decision does not touch on Binding Corporate Rules (BCRs), the DPA RP notes the question whether the ruling affects BCRs is also currently being examined by the DPAs.

  • DPA Berlin Increases the Pressure. In its press statement (in German) of 17 July 2020, the Berlin Commissioner for Data Protection and Freedom of Information (DPA Berlin) welcomes the clarity of the ruling and goes one step further, directing Berlin companies that are using U.S.-based companies to process EU personal data to retrieve the data and have it processed in Europe. According to the DPA Berlin, those controllers who transfer personal data to the U.S. – especially when using cloud services – are now required to switch immediately to service providers in the EU or in a country with an appropriate level of data protection.

    The DPA Berlin stresses that the CJEU has clarified that data transfers cannot be about economy; rather, the fundamental rights of individuals must be paramount. “The times when personal data could be transferred to the USA for convenience or cost savings are over after this verdict. It is now the hour of Europe’s digital independence.” The DPA further notes that:

We accept the challenge that the CJEU explicitly obliges supervisory authorities to prohibit inadmissible data transfers. Of course, this does not only apply to USA transfers, which the CJEU has already itself ruled illegal. It will be necessary as well to check whether similar or even greater problems exist when data are transferred to other countries such as China, Russia or India.

Forecast Uncertain

It is uncertain what steps the EU DPAs will take in relation to the use of SCCs for transfer to the U.S., and other countries, and when the EDPB will provide further guidance. However, since the ball is now with the individual DPAs to decide on a case-by-case basis whether the SCCs may still be used, what is certain is that U.S. organizations will again struggle with yet another data protection “grey-area” despite the GDPR’s promise of one law. Even a unified position of the EDPB will clarify individual cases only and, although indicating a certain direction, it will not be generally binding in subsequent cases.

For further information on the CJEU ruling please read our comment in English and German

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 203
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Viola Bensinger, Greenberg Traurig Law Firm, Germany, Cybersecurity Litigation Attorney
Partner

Viola Bensinger chairs the Technology Practice as well as the Litigation Practice in Germany. She advises clients from the technology, media and healthcare industries.

Within the technology sector, Viola advises international internet, technology and healthcare companies in the areas of digital products, e-commerce, electronic payment, data protection, software licensing, (IT-) outsourcing as well as digital media.

49 -030700-171-150
Gretchen A. Ramos, Lawyer, Greenberg Traurig, Data, Privacy & Cybersecurity,The Cloud,Artificial Intelligence, Big Data
Shareholder

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of...

415.655.1319
Carsten Kociok, Greenberg Traurig Law Firm, Germany, Cybersecurity and Technology, Finance Litigation Attorney
Counsel

Carsten Kociok focuses his practice on the technology, media and telecommunications industries. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution,...

490-30700-171119
Dr. Johanna Hofmann Data Security Lawyer Greenberg Traurig Law Firm Germany
Associate

Johanna Hofmann advises German and international companies and groupt of companies on all questions of data protection and IT security law. The focus of her work is on the data protection-compliant structuring of existing and future business relationships, both on a national and international level. Her field of interest lays in particular in the field of cloud computing, data protection certification and data security management. Through long-term secondments at a German group of companies and at the German subsidiary of a US-American technology group, Johanna has gained deep insights...

49 30.700.171.291
Advertisement
Advertisement