Travel ban for European data?

As a result of the corona pandemic, only a few EU citizens can still enter the US. For our data, the EU-US Privacy Shield has so far guaranteed almost unlimited freedom of travel. However, the European Court of Justice has now ruled that the EU-US Privacy Shield does not offer sufficient protection against the US authorities' hunger for data - and has declared the shield invalid with immediate effect.

What’s this about?

Within the scope of application of the General Data Protection Regulation, personal data may only be transferred to countries outside the European Union if they provide an adequate level of data protection. The EU Commission may explicitly stipulate in a so-called adequacy decision that a certain country provides an adequate level of data protection. To date, the EU Commission has adopted such adequacy decisions for 13 countries, e.g. Canada, Israel, Japan and Switzerland.

One of the 13 adequacy decisions stood out: the EU Commission’s Adequacy Decision for the US did not stipulate that there is an adequate level of data protection in the US as a whole. Rather, an adequate level of protection should only exist in the case of data processing by US companies that had submitted to the rules of the EU-US Privacy Shield. The list of certified US companies is publicly available at https://www.privacyshield.gov/.

The EU-US Privacy Shield made it much easier for European companies to cooperate with certified US companies. That is because without an adequacy decision by the EU Commission, companies must themselves ensure an adequate level of protection when transferring personal data outside the EU by using and enforcing so-called Standard Contractual Clauses, which are still provided by the EU Commission under the EU Data Protection Directive.

And what does the ECJ say?

In its ruling of 16 July 2020 in case C-311/18 (the referring Irish court has to decide on the processing of personal data by the Irish Facebook subsidiary in the US), the European Court of Justice declared the EU Commission’s adequacy decision on the EU-US Privacy Shield invalid and expressly pointed out the immediate effectiveness of its ruling. The main reason given was that the EU-US Privacy Shield does not sufficiently protect EU citizens from surveillance by US authorities.

However, the ECJ expressly has no objection to the Standard Contractual Clauses of the EU Commission. These can, however, only legitimise the transfer of personal data to a third country if the company receiving the data can actually comply with the requirements of such Standard Contractual Clauses.

Everything easy thanks to Standard Contractual Clauses?

Unfortunately not. The same legal situation in the US, against which the EU-US Privacy Shield cannot provide sufficient protection according to the European Court of Justice, raises doubts as to whether US companies can effectively meet the obligations of the Standard Contractual Clauses. Organisational and/or technical solutions (e.g. strong pseudonymisation prior to the transfer of personal data, which cannot be reversed by the US company) are conceivable, but their implementation can be complicated depending on the business model.

So, no more data to the US?

Rather not. What would certainly be the simplest solution from a legal point of view seems to be impossible in practice. Even though in times of the corona pandemic hardly any Europeans (can) enter the US, our data cross the Atlantic Ocean daily with ease. Most of us use not only Facebook, but also Twitter, iPhones, Google and so on. Even if we stay, our data usually travel to the US.

And European companies processing large amounts of data can hardly do without US companies—be it the IBM Cloud, the Amazon Web Services servers, or the Microsoft Cloud.

In some cases, US companies offer to ensure that personal data are processed only on servers located within the EU. Whether or not this will satisfy the European Court of Justice or the data protection authorities of the European Member States in the long term is at least questionable. This is because, since the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), the potential hunger of US authorities for personal data processed by US companies is no longer restricted to US territory.

What do the data protection authorities say about this?

The first press releases of German data protection authorities (e.g. Hamburg, Rhineland-Palatinate, Thuringia and the Federal Commissioner for Data Protection and Information Security) indicate that they are initially seeking coordination at national and European level to ensure a uniform approach. The Berlin data protection commissioner is particularly relentless and states that companies that have so far been processing data of EU citizens in the US on the basis of the EU-US Privacy Shield must immediately switch to service providers in the EU or a country with an adequate level of data protection.

At the European level, the ruling has been discussed by the European Data Protection Board (EDPB) in its 34th plenary session. The EDPB seeks a “complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU.” While the EDPB is analysing the judgment and its consequences, European companies may need to consider undertaking “additional measures to those included in the [Standard Contractual Clauses]”. In line with the EDPB, the Data Protection Commission Ireland highlights that the “assessments will need to be made on a case by case basis”. So far, most European data protection authorities have only referred to the statement of the EDPB and its central role in providing further guidance and clarification (cf. the data protection authorities of Latvia, Denmark, Sweden, Finland, Iceland, Czechia, Slovakia, Netherlands, Romania, Cyprus). Similarly, the French and the Lithuanian data protection authorities have adopted a rather wait-and-see attitude by referring to the expected analysis at the European level.

Apart from that, the Estonian and the Bulgarian data protection authorities take a proactive stance and say that any transfer of data to US companies must immediately be examined to see whether the existing mechanisms, such as the Standard Contractual Clauses, suffice.

The Information Commissioner’s Office of the UK takes a somewhat more relaxed view of the situation and recommends that companies currently using the Privacy Shield “continue to do so until new guidance becomes available.”

What now?

If companies gain some time due to the partly hesitant attitude of the data protection authorities, this time should be put to good use! After all, the answer as to whether and how an adequate level of data protection can also be guaranteed in the US must ultimately be provided by the companies that process data of EU citizens in the US (or have such data processed there).
