The "Schrems II" judgment of the European Court of Justice (ECJ, decision dated July 16, 2020, C-311/18) has significantly changed the legal situation for international data transfers (see Data Protection Update No. 82). The Privacy Shield agreement between the USA and the EU is invalid; furthermore, the Standard Contractual Clauses (SCCs) can no longer be used as a simple tool for legally safeguarding the transfer of personal data abroad. Although the EU Commission has developed new SCCs, they have not yet been finally adopted. In addition, criticism of the EU Commission's draft has already been voiced (see Data Protection Update No. 87). The new SCCs are expected to be passed around the end of the 1st and the beginning of the 2nd quarter of 2021.
The German data protection authorities have now announced that they will monitor compliance with the Schrems II requirements. According to the minutes of the last Datenschutzkonferenz meeting and current press reports, a questionnaire was drawn up by a task force led by the supervisory authorities of Hamburg and Berlin, which is to be sent to selected companies throughout Germany. It specifically asks what additional measures those companies have taken to secure international data transfers in accordance with the new ECJ requirements. Independently of this questionnaire, an authority can always act on the basis of a specific complaint made by a data subject against a company. In other words, the risk that a supervisory authority will scrutinize a company and its international data transfers, and possibly penalize any violations, has increased significantly.
Companies must check their data transfers abroad and adapt them to the new requirements accordingly (see also Data Protection Update No. 89). This applies to intra-group transfers as well as transfers to service providers outside the EU.
Data transfers to the US can no longer take place on the basis of the Privacy Shield. Data transfers based on the previous SCCs must also be critically reviewed. The legal situation in the US must be examined with regard to specific risks for the data transferred (e.g. due to access rights of US authorities). This examination and evaluation must be documented. It is also necessary to regularly conclude supplementary agreements with data recipients. Additional technical and organizational measures may also have to be taken.
The examination and assessment of the risks, as well as the implementation of additional measures where necessary, do not only affect data transfers to the US but every other data transfer to countries outside the EU. The requirements established by the ECJ apply to all international data transfers.
Under no circumstances should a company wait until a supervisory authority approaches it with a specific request. Doing so may result in severe fines. Proactive action must be taken now if it has not already been put in place.
Companies that used the Privacy Shield for transfers to the US and have not yet applied the principles described here must act now. The announcement of the Datenschutzkonferenz has increased the risk of fines considerably. Waiting for the new SCCs is not a valid alternative.
A glimmer of hope: it is expected that the European Commission will soon declare the United Kingdom a country with an adequate level of data protection. Then, at least, no additional effort will be required for transfers there.