27.08.2020 | KPMG Law Insights

Farewell, Privacy Shield – Guidance on international data transfer

In its ruling of July 16, 2020, the European Court of Justice declared the EU-US Privacy Shield to be invalid and thus removed the legal basis for many data transfers to the USA. The State Commissioner for Data Protection and Freedom of Information of the State of Baden-Württemberg provides guidance on legally compliant handling of international data transfers in its orientation guide.

Whether due to trade relationships, storing data with U.S. cloud providers, or using video conferencing systems, transferring data to the U.S. is an everyday necessity for many controllers. The ECJ’s “Schrems II” ruling therefore poses enormous challenges for both companies and public bodies. Data transfers to countries outside the EU are lawful only if they rest on a specific basis under data protection law. The legal basis predominantly used in recent years, the so-called EU-US Privacy Shield, was declared invalid by the ECJ’s “Schrems II” ruling. In addition, the ECJ placed high requirements on the alternative legal basis of standard contractual clauses, which is also frequently used. The State Commissioner for Data Protection and Freedom of Information of the State of Baden-Württemberg has now published an orientation guide in which he points out risks of violations, gives controllers recommendations for action on legally compliant data transfer, and provides an outlook on further action in his function as supervisory authority.

Background

The ECJ had declared the so-called Privacy Shield invalid with immediate effect in its “Schrems II” ruling. The Privacy Shield refers to the adequacy decision by which the European Commission decided in 2016 that the U.S. provides an adequate level of protection under certain circumstances, so that data could be transferred to certified U.S. companies without further authorization. However, in this ruling, the highest European court decided that due to the far-reaching powers of the U.S. intelligence agencies, which allow interference with the rights of EU citizens, and the lack of legal protection, an adequate level of data protection cannot be ensured.

Another finding of the ECJ relates to the standard contractual clauses adopted by the Commission in 2010, which, if effectively agreed prior to the ruling, also provided a legal basis for the transfer of data to the USA. These would continue to be valid, but only under the condition that an appropriate level of protection for personal data can be ensured. According to the ECJ, standard contractual clauses alone cannot ensure adequate protection in the case of transfers to the USA, as they bind only the contracting parties, not the U.S. authorities. Under U.S. law, those authorities are allowed to interfere with the rights of data subjects, for example for law enforcement purposes. Therefore, additional measures, such as encryption or anonymization, must be taken to ensure lawful transfers and to protect the rights of the EU citizens concerned.

The judgment applies not only to transfers of data to the U.S. based on the Privacy Shield, but also to all transfers based on standard contractual clauses, both to the U.S. and to other third countries.

Possible legal bases

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information expressly points out that the Privacy Shield is no longer a valid legal basis for the transfer of personal data to the U.S. and that violations could result in severe fines and claims for damages. Such data transfers should therefore be avoided.

A transfer on the basis of standard contractual clauses, on the other hand, is possible in principle. However, an appropriate level of protection would have to be ensured. What is required is that the controller provide additional safeguards that effectively prevent access by U.S. intelligence agencies and thus protect the rights of data subjects. This could be achieved, for example, either through encryption, where only the data exporter has the key and which cannot be broken by U.S. services, or anonymization or pseudonymization, where only the data exporter can make the attribution. If such an adequate level of protection cannot be ensured, data controllers should urgently refrain from transfers on this basis.

Furthermore, an exceptional transfer pursuant to Art. 49 GDPR is conceivable. However, the restrictive nature of the entire provision must be taken into account here, so that this could only represent an effective legal basis in the case of data transfers within corporate groups or in the case of individual contractual relationships.

Recommended procedure

The State Commissioner recommends that both companies and public authorities immediately check in which cases they export personal data to third countries. The respective contractual partners in the third countries should then be informed of the content of the ECJ ruling. Subsequently, data controllers should inquire about the legal situation in the respective country and check whether there is a valid Commission adequacy decision for the respective third country on which they could legally base their data transfer. If no such decision exists, it should be checked whether the standard contractual clauses adopted by the Commission can be used for the respective country. If, as in the case of the U.S., for example, this is only possible on the basis of additional guarantees, it should be assessed whether an appropriate level of protection can be achieved through corresponding measures in the individual case. Should this also fail, the last, limited option would be the transfer of data under the exception provision of Art. 49 GDPR.

Outlook

The Commissioner calls on companies and public authorities to seek reasonable alternative offerings that do not raise transfer problems and points out that non-essential, problematic data transfers will be prohibited in the future. However, he also shows understanding for individual companies for which the ECJ ruling is extremely burdensome, and announces: “The ECJ ruling applies, we must implement it immediately – and we will do so. However, we will do this with a sense of proportion in accordance with the principle of proportionality and always ask the question of whether or not there is no alternative to data transfers to the USA.”

Contact

Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Lawyer
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

Tel.: +49 761 769999-20
shoegl@kpmg-law.com

Maik Ringel

Senior Manager

Münzgasse 2
04107 Leipzig

Tel.: +49 341 22572563
mringel@kpmg-law.com
