27.08.2020 | KPMG Law Insights

Ade Privacy Shield – Guidance on international data transfer

In its ruling of July 16, 2020, the European Court of Justice declared the EU-US Privacy Shield to be invalid and thus removed the legal basis for many data transfers to the USA. The State Commissioner for Data Protection and Freedom of Information of the State of Baden-Württemberg provides guidance on legally compliant handling of international data transfers in its orientation guide.

Whether due to trade relationships, storing data with U.S. cloud providers, or using video conferencing systems, transferring data to the U.S. is an everyday necessity for many responsible parties. The ECJ’s “Schrems II” ruling therefore poses enormous challenges for both companies and public bodies. A specific basis under data protection law is required for the lawfulness of data transfers to countries outside the EU. The legal basis predominantly used in the past years, the so-called EU-US Privacy Shield, was declared invalid with the ECJ ruling “Schrems II”. In addition, the ECJ placed high requirements on the alternative legal basis of standard contractual clauses, which is also frequently used. The State Commissioner for Data Protection and Freedom of Information of the State of Baden-Württemberg has now published an orientation guide in which he points out risks of violations, gives recommendations for action to responsible parties on legally compliant data transfer, and provides an outlook on further action in his function as supervisory authority.


The ECJ had declared the so-called Privacy Shield invalid with immediate effect in its “Schrems II” ruling. The Privacy Shield refers to the adequacy decision by which the European Commission decided in 2016 that the U.S. provides an adequate level of protection under certain circumstances, so that data could be transferred to certified U.S. companies without further authorization. However, in this ruling, the highest European court decided that due to the far-reaching powers of the U.S. intelligence agencies, which allow interference with the rights of EU citizens, and the lack of legal protection, an adequate level of data protection cannot be ensured.

Another finding of the ECJ relates to the standard contractual clauses adopted by the Commission in 2010, which, if effectively agreed prior to the ruling, also provided a legal basis for the transfer of data to the USA. These would continue to be valid, but only under the condition that an appropriate level of protection for personal data can be ensured. According to the ECJ, standard contractual clauses alone cannot ensure adequate protection in the case of transfers to the USA, as these only bind the contracting parties – but not the US authorities. Under U.S. law, these are allowed to interfere with the rights of data subjects, such as for law enforcement purposes. Therefore, additional measures, such as encryption or anonymization, must be taken to ensure lawful transfers in order to protect the rights of EU citizens concerned.

The judgment applies not only to transfers of data to the U.S. based on the Privacy Shield, but also to all transfers based on standard contractual clauses, both to the U.S. and to other third countries.

Possible legal bases

The Baden-Württemberg State Commissioner for Data Protection and Freedom of Information expressly points out that the Privacy Shield no longer represents a valid legal situation for the transfer of personal data to the U.S. and that violations could result in severe fines and claims for damages. Such data transfers should therefore be avoided.

A transfer on the basis of standard contractual clauses, on the other hand, is possible in principle. However, an appropriate level of protection would have to be ensured. What is required is that the controller provide additional safeguards that effectively prevent access by U.S. intelligence agencies and thus protect the rights of data subjects. This could be achieved, for example, either through encryption, where only the data exporter has the key and which cannot be broken by U.S. services, or anonymization or pseudonymization, where only the data exporter can make the attribution. If such an adequate level of protection cannot be ensured, data controllers should urgently refrain from transfers on this basis.

Furthermore, an exceptional transfer pursuant to Art. 49 GDPR is conceivable. However, the restrictive nature of the entire provision must be taken into account here, so that this could only represent an effective legal basis in the case of data transfers within corporate groups or in the case of individual contractual relationships.

Recommended procedure

The State Representative recommends that both companies and public authorities immediately check in which cases they export personal data to third countries. The respective contractual partners in the third countries should then be informed of the content of the ECJ ruling. Subsequently, data controllers should inquire about the legal situation in the respective country and check whether there is a valid Commission adequacy decision for the respective third country on which they could legally base their data transfer. If such a clause is not available, it should be checked whether the standard contractual clauses adopted by the Commission can be used for the respective country. If, as in the case of the U.S., for example, this is only possible on the basis of additional guarantees, it should be assessed whether an appropriate level of protection can be achieved through corresponding measures in the individual case. Should this also fail, the last, limited option would be the transfer of data under the exception provision of Art. 49 GDPR.


The commissioner calls on companies and public authorities to obtain reasonable alternative offers without transfer problems and points out that non-essential, problematic data transfers will be prohibited in the future. However, he also shows understanding for individual companies, for which the ECJ ruling is extremely burdensome and announces: “The ECJ ruling applies, we must implement it immediately – and we will do so. However, we will do this with a sense of proportion in accordance with the principle of proportionality and always ask the question of whether or not there is no alternative to data transfers to the USA.”

Explore #more

13.06.2024 | Press releases

Handelsblatt and Best Lawyers honor KPMG Law Experts

Best Lawyers has once again identified the best commercial lawyers in Germany for 2024 exclusively for Handelsblatt. A total of 28 lawyers were honored by…

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…


Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20

Maik Ringel

Senior Manager

Münzgasse 2
04107 Leipzig

tel: +49 341 22572563

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.