Summary and Analysis of the Berlin DPA Statement on Schrems II

In the month since the European Court of Justice (“ECJ”) issued its judgment in Schrems II, which invalidated the EU-U.S. Privacy Shield Framework as an adequate mechanism for exporting personal data from the EU to the USA, privacy experts and data protection authorities (“DPAs”) have weighed in on what the judgment means in practice for the more than 5,000 U.S. organizations and countless EU businesses that formerly relied on Privacy Shield. Some of this guidance interprets the judgment far more restrictively than the rest.

To examine this range of responses more closely, VeraSafe has translated one of the strictest edicts on the matter, issued by the Berlin Commissioner for Data Protection and Freedom of Information (henceforth, the “Berlin DPA”), and compares that interpretation and guidance against the judgment itself and against guidance from other DPAs.

Translation of Press Release from the Berlin DPA

The Berlin DPA issued a Press Release on July 17, 2020, in response to the Schrems II judgment from the ECJ. VeraSafe has translated that Press Release below.

In accordance with the judgment of Schrems II, Europe needs digital self-reliance

In light of the European Court of Justice (ECJ) decision to declare the EU-U.S. Privacy Shield invalid, the Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, requests that data controllers and processors in Berlin transfer all personal data currently stored in the United States to Europe.

In its decision for “Schrems II” (C-311/18) on Thursday, July 16, 2020, the ECJ determined that U.S. authorities have overly extensive access to the personal data of European citizens. As a result, personal data may, in general, no longer be transmitted to the United States, barring a change in the legal situation. Exceptions exist in special cases provided for by law, for example, when booking a hotel in the United States.

The ECJ states, among other things, that there are government surveillance measures in place in the United States involving a massive collection of personal data without clear restrictions. This contradicts the EU Charter of Fundamental Rights (para. 180 et seq. of the judgment). It also states that European citizens have no ability to petition for review of surveillance measures by U.S. authorities. This violates the essence of the fundamental European right to effective legal protection.

Transfers of personal data to third countries are only permissible if the third country exhibits a level of data protection equivalent to European fundamental rights. Since this is largely not the case in the United States, according to the findings of the highest European court, the ECJ declared the EU-U.S. Privacy Shield to be invalid for data transfers. The Privacy Shield had formerly been a frequently-used basis for transmitting personal data to the United States.

However, the ECJ declared that the so-called standard contractual clauses (SCCs) that European companies can implement with their service providers in third countries are still permissible under certain conditions that maintain the European level of data protection in third countries.

When using the SCCs, however, the ECJ emphasizes that both European data exporters and data importers in third countries are obliged to check, prior to the first data transfer, whether there is government access to the personal data in the third country that goes beyond what is permitted under European law (paras. 134 et seq., 142 of the judgment). If excessive public sector access to private sector data exists, even the SCCs cannot legitimize the data export and, in that case, data that has already been transmitted to a third country must be retrieved. In contrast to what has been widely held up to now, the mere existence of SCCs is not sufficient to enable data exports (para. 126 et seq. of the judgment).

The ECJ emphasizes that the EU data protection supervisory authorities are obliged to prohibit unlawful data exports according to the standards mentioned in the judgment (paras. 135, 146 of the judgment) and that affected data subjects can claim compensation for unlawful data exports (para. 143 of the judgment). This compensation should include non-material damage (“compensation for pain and suffering”) and must be an amount high enough to be an effective deterrent, according to European law.

The Berlin Commissioner for Data Protection and Freedom of Information therefore calls on all those under its supervision to observe the decision of the ECJ. Entities responsible for transmitting personal data to the United States – especially when using cloud services – are now required to immediately switch to service providers in the European Union or in a country with an adequate level of data protection.

“The ECJ has made it very clear that data exportation is not only an economic matter, but that the fundamental rights of the people must be a primary consideration. The time when personal data could be transferred to the United States for the sake of convenience or cost savings is a thing of the past after this ruling. Now the hour of Europe’s digital independence is upon us.

We accept the challenge: the ECJ obligates supervisory authorities to enforce the restrictions on data transfers. Of course, this does not only apply to data transfers to the United States, which the ECJ has already banned. The transfer of data to other countries such as China, Russia, or India will also have to be reviewed to make sure there are not similar or even larger problems.”

Maja Smoltczyk

Analysis

Though the Schrems II judgment certainly requires serious evaluation of, and changes to, data transfers from the EU to the United States, the Berlin DPA’s statement goes much further than the bulk of guidance from privacy experts and other DPAs. First, it demands that personal data of EU residents already stored in the United States now be transferred back to the EU. Other DPAs and experts have merely recommended evaluating the safeguards applied to personal data in the U.S. and considering alternative transfer mechanisms; the Berlin DPA is thus far the only regulator to state that data which has already been transferred can no longer be kept in the United States. Indeed, the Schrems II judgment itself says nothing about what must be done with personal data previously transferred under the Privacy Shield.

In addition, while transfers to a third country may be based on an adequacy decision issued by the European Commission in light of that country’s legal protections for personal data, transfers are also permissible where appropriate safeguards and enforceable legal remedies are in place. The Schrems II judgment deliberately did not invalidate the SCCs as a transfer mechanism, because appropriate safeguards, combined with adherence to the obligations enshrined in the SCCs, may still provide an adequate level of protection for personal data. With the EU-U.S. Privacy Shield Framework invalidated, many experts and DPAs have emphasized that data exporters should conduct a specific analysis of the security measures they have implemented and of the extent and nature of government surveillance in the third country, in order to establish that appropriate safeguards are in place before initiating the transfer. Organizations must also identify the alternative mechanisms under the GDPR that may support a compliant transfer, such as the SCCs or the specific derogations listed in Article 49 GDPR.

Finally, while the Berlin DPA’s statement (and similar statements from the Hamburg DPA and the Dutch DPA, Autoriteit Persoonsgegevens) implies that U.S. government surveillance and the lack of recourse for data subjects may call the use of SCCs into question as well, most legal experts have concluded that the SCCs can currently support lawful data transfers when accompanied by supplementary measures ensuring that all parties can meet the data protection and security obligations set out in the SCCs.

Conclusion

Businesses regulated by the GDPR are advised to stay abreast of new guidance and interpretations of the Schrems II judgment and to monitor their compliance with emerging standards and best practices. If you would like to discuss your organization’s strategy for international data flows, please reach out to VeraSafe for a free consultation.

Contact VeraSafe to discuss your data security management and privacy program today.