In July 2020, the European Court of Justice (C-311/18, "Schrems II") declared the EU-US Privacy Shield invalid as a legal basis for the transfer of personal data to the USA and increased the requirements for the EU standard contractual clauses. This article provides an overview of how the supervisory authorities have reacted since then, based on the orientation guide 'Handlungsempfehlungen für Unternehmen' [recommended actions for companies] published on August 24, 2020 by the data protection authority in Baden-Württemberg.
Since 2016, the EU-US Privacy Shield (an adequacy decision of the EU Commission based on contractual agreements between the EU and the USA) has, inter alia, been a mechanism for the transfer of personal data when using cloud services from US providers such as Amazon, Microsoft, Google or Salesforce. Like its predecessor, the Safe Harbor Agreement, which was already declared invalid in 2015, the EU-US Privacy Shield was declared invalid by the European Court of Justice on July 16, 2020. Consequently, EU companies have not been able to base their use of US cloud services on the Privacy Shield since that date. In the meantime, the EU Commission has initiated talks with the US Department of Commerce to find a new agreement. In particular, the EU standard contractual clauses pursuant to Art. 46 GDPR initially remain in place as an alternative. However, the ECJ also qualified these as insufficient if it is established in individual cases that an adequate level of protection does not exist due to the monitoring practices of government authorities in the respective country. Thus, if it is established that US government authorities have, for example, uncontrolled access to the data of EU citizens at any time in violation of their rights, the EU standard contractual clauses can only serve as a suitable legal basis for the use of US cloud services if additional guarantees are met.
In the past weeks, it has been uncertain within the EU under which conditions companies can continue to use services such as Microsoft Office 365, Amazon Web Services or Salesforce, or transfer data to non-EU countries as part of supply relationships or as a result of corporate guidelines. Since the EU standard contractual clauses remain valid, the question in particular was which appropriate, supplementary guarantees the ECJ requires.
So far, the supervisory authorities, such as the state authorities in Thuringia, Hamburg and Rhineland-Palatinate, the German data protection conference, or the EU data protection committee, have only made rather general statements; clear, unambiguous recommended actions have been lacking. Only the state authority in Berlin expressed quite clearly that, according to the findings of the ECJ, EU companies would now have to switch from US providers to providers in the EU or in third countries with an adequate level of data protection. A few days ago, the plaintiff in the above-mentioned ECJ proceedings (Max Schrems) also submitted a three-digit number of complaints to supervisory authorities in the EU in order to accelerate the enforcement of the new, stricter requirements for US data transfer.
On August 24, 2020, the state authority in Baden-Württemberg went public with proposed actions. In its orientation guide, the authority provides specific instructions for implementing the new ECJ requirements. The most important statements are:
Thus, the proposals of the state authority in Baden-Württemberg are already much more specific than those previously provided by the other public authorities. Consequently, companies should prepare evidence based on the new orientation guide that can be presented in the case of an official audit. With regard to the invalid EU-US Privacy Shield, the data protection declaration of a company's website should also be reviewed to verify whether certain types of processing (e.g. Google Analytics) still rely on this legal basis; if so, the processing operations have to be adjusted accordingly and all references to the EU-US Privacy Shield have to be removed.