Update Data Protection No. 84
Following the European Court of Justice judgment on the Privacy Shield – data protection authority publishes recommended actions for practice
In July 2020, the European Court of Justice (C-311/18, "Schrems II") declared the EU-US Privacy Shield invalid as a legal basis for transferring personal data to the USA and raised the requirements for the EU standard contractual clauses. This article gives an overview of how the supervisory authorities have reacted since then, based on the orientation guide 'Handlungsempfehlungen für Unternehmen' [recommended actions for companies] published on August 24, 2020 by the data protection authority of Baden-Württemberg.
Facts of the case
Since 2016, the EU-US Privacy Shield (an adequacy decision of the EU Commission based on agreements between the EU and the USA) has, inter alia, served as a transfer mechanism for personal data when using cloud services from US providers such as Amazon, Microsoft, Google or Salesforce. Like its predecessor, the Safe Harbor agreement, which had already been declared invalid in 2015, the EU-US Privacy Shield was declared invalid by the European Court of Justice on July 16, 2020. Since that date, EU companies have no longer been able to base their use of US cloud services on the Privacy Shield. In the meantime, the EU Commission has initiated talks with the US Department of Commerce on a new agreement. Pursuant to Art. 46 GDPR, the EU standard contractual clauses in particular remain available as an alternative for now. However, the ECJ also held these to be insufficient where it is established in the individual case that an adequate level of protection does not exist because of the surveillance practices of government authorities in the recipient country. If it is established, for example, that US authorities can access the data of EU citizens at any time without effective control and in violation of their rights, the standard contractual clauses can only serve as a suitable legal basis for the use of US cloud services if additional guarantees are in place.
In the weeks since the judgment, it has been unclear within the EU under which conditions companies may continue to use services such as Microsoft Office 365, Amazon Web Services or Salesforce, or transfer data to non-EU countries as part of supply relationships or under group-wide policies. Since the standard contractual clauses remain valid, the main open question has been which supplementary guarantees the ECJ requires.
Reactions of the supervisory authorities
So far, the supervisory authorities have mostly made only rather general statements; clear, unambiguous recommended actions from, for example, the state authorities in Thuringia, Hamburg and Rhineland-Palatinate, the German Data Protection Conference or the European Data Protection Board have been lacking. Only the state authority in Berlin stated quite clearly that, following the findings of the ECJ, EU companies would now have to switch from US providers to providers in the EU or in third countries with an adequate level of data protection. A few days ago, the plaintiff in the above-mentioned ECJ proceedings (Max Schrems) also filed a three-digit number of complaints with supervisory authorities across the EU in order to accelerate enforcement of the new, stricter requirements for US data transfers.
On August 24, 2020, the state authority in Baden-Württemberg published its proposed actions. In its orientation guide, the authority gives specific instructions for implementing the new ECJ requirements. The most important statements are:
- Data transfers to the USA based solely on the (now invalid) Privacy Shield can result in fines. This applies in particular if the recipient is subject to FISA, the CLOUD Act or Presidential Policy Directive 28.
- If the US data transfer is based on the EU standard contractual clauses (which must of course be signed by the respective US provider), this is only sufficient if additional guarantees are provided, such as a) encryption of the data, b) anonymization or pseudonymization (where only the EU company is able to attribute the data to a person) or c) an agreement with the US provider that the data will be stored and processed exclusively on EU territory ("EU option"). Processing on EU territory also means that remote access from third countries (such as the USA), for instance by the provider's administrative or support staff, must be restricted accordingly.
- The exception in Art. 49 GDPR may only be applied very restrictively; consent or contractual necessity, for example, can therefore only be used to a limited extent as a legal basis for ongoing US data transfers.
- In order to demonstrate to the supervisory authorities a willingness to act in compliance with the law, individual contact with the respective US providers must be documented; this should in particular concern an amicable amendment of the EU standard contractual clauses (described in detail in the orientation guide).
- Upon request, it must also be demonstrated to the supervisory authorities whether reasonable alternative offers without transfer problems exist (e.g., from German providers) and, where applicable, why these offers were not used.
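The pseudonymization guarantee listed under b) above hinges on one detail: only the EU company may be able to attribute the data to a person. The following Python example is added here for illustration and is neither part of the orientation guide nor of the original article; the guide names pseudonymization as a measure but prescribes no method. The record layout, the field names, the HMAC-SHA256 construction and the sample records (fictitious people) are all assumptions made for the example. It shows keyed pseudonymization where the key and the reverse mapping stay with the EU controller, and contrasts it with the common anti-pattern of unkeyed hashing, which a provider or anyone else can reverse with a list of candidate e-mail addresses.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (fictitious people) that an EU controller wants
# to hand to a non-EU provider for processing. Not taken from the article.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "a.mueller@example.org", "order_total": 120.50},
    {"customer_id": "C-1002", "email": "b.schmidt@example.org", "order_total": 75.00},
    {"customer_id": "C-1001", "email": "a.mueller@example.org", "order_total": 19.99},
]

# Fields that directly identify a person; everything else is handed over as-is.
DIRECT_IDENTIFIERS = ("customer_id", "email")


class Pseudonymizer:
    """Keyed pseudonymization with HMAC-SHA256 (assumed construction).

    The key and the reverse mapping never leave the EU controller, so the
    provider only holds tokens it cannot attribute to a person. Tokens are
    deterministic, so the provider can still join and aggregate on them.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 32 bytes of key material")
        self._key = key
        self._reverse = {}  # (field, token) -> original value, kept in the EU only

    def token(self, field: str, value: str) -> str:
        # Domain-separate by field name so the same string appearing in two
        # different columns does not yield the same token.
        msg = f"{field}\x00{value}".encode()
        tok = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._reverse[(field, tok)] = value
        return tok

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self.token(field, str(out[field]))
        return out

    def reidentify(self, record: dict) -> dict:
        # Only possible with the reverse map, i.e. only inside the EU controller.
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self._reverse[(field, out[field])]
        return out


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256, shown only as the anti-pattern: e-mail addresses have
    little entropy, so anyone with a candidate list can recompute the hash."""
    return hashlib.sha256(value.encode()).hexdigest()[:32]


def dictionary_attack(token: str, candidates, hash_fn) -> Optional[str]:
    """What a party without the key can do: recompute hash_fn over guesses.
    Returns the matching candidate, or None if the token cannot be reversed."""
    for candidate in candidates:
        if hash_fn(candidate) == token:
            return candidate
    return None


def export_for_provider(records, key: bytes):
    """Return (pseudonymized records, pseudonymizer). Ship the first to the
    provider; keep the second, including the key, inside the EU company."""
    p = Pseudonymizer(key)
    return [p.pseudonymize(r) for r in records], p


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored by the EU controller only
    exported, keeper = export_for_provider(SAMPLE_RECORDS, key)
    for r in exported:
        print(r)  # what the provider sees: tokens plus non-identifying fields
    print(keeper.reidentify(exported[0]))  # what only the EU controller can do
```

Two practical points follow from the example. First, the tokens must be keyed: an unkeyed hash of an e-mail address is reversible by anyone who can enumerate plausible addresses, which defeats the "only the EU company can attribute" condition. Second, the key and the reverse map are themselves personal-data-relevant material and must stay on EU-controlled systems, not in the provider's key management service, or the guarantee collapses.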
The proposals of the state authority in Baden-Württemberg are thus already much more specific than those previously issued by the other authorities. Companies should therefore prepare documentation based on the new orientation guide that can be presented in the event of an official audit. With regard to the invalid EU-US Privacy Shield, a company's website privacy policy should also be reviewed to check whether certain processing operations (e.g. Google Analytics) still cite it as their legal basis; if so, the processing operations must be adjusted accordingly and all references to the EU-US Privacy Shield removed.