The Schrems II ruling has thrown transatlantic data traffic into a state of existential crisis. In mid-2020, the European Court of Justice (ECJ) ruled that the central legal basis for the flow of data between the EU and the US (known as the Privacy Shield framework) was not compatible with European law. But it didn’t end there. German supervisory authorities have now begun large-scale checks to find any companies that nevertheless continued sending data to the US. Now, all of a sudden, we can see a (deceptive) light at the end of the tunnel – the European Commission has now presented a possible solution for EU companies as a starting point. But before we get into the details, there are a few things businesses should keep in mind…
The EU General Data Protection Regulation (GDPR) stipulates that any processing of data (and therefore any transmission) is in principle unlawful unless the data subject consents to the processing or there is a legal provision in place that allows the data to be processed, even without consent. However, anyone who wishes to transfer personal data to a country outside the European Union needs more than “just” consent or a legal provision that does not require consent. This is because the GDPR assumes that the same level of data protection does not generally exist outside the European Union. Because of this, an additional basis for authorization is needed to send data to a third country.
Until mid-2020, data transfers to the US were commonly based on the Privacy Shield framework, or on what are known as EU standard contractual clauses. By way of brief explanation:
The Privacy Shield framework was an agreement between the EU and the US to allow data to be transferred to those US companies that have registered in the US as compliant with data protection law.
EU standard contractual clauses, however, are contractual templates issued by the EU Commission which companies outside the EU (e.g. in the US) could use to contractually comply with EU data protection standards.
However, the ECJ ruled that the Privacy Shield framework was not compatible with EU law, casting a bit of quiet doubt on US companies’ ability to even comply with the obligations stipulated in the EU standard contractual clauses in the first place. In numerous cases, both legal bases for sending data to the US then ceased to apply.
The EU Commission’s proposed solution
The EU Commission has now drafted new contractual templates for third country data transfers (known as standard contractual clauses). However, the EU Commission has left one key question unanswered: Are US companies even capable of fulfilling these new contracts?
The 19th recital of the draft ruling states:
The transfer and processing of personal data under standard contractual clauses should not take place if the laws and practices of the third country of destination prevent the data importer from complying with the clauses.
In other words, anyone who wants to send personal data to the US on the basis of these new standard contractual clauses is required to research US law to check whether the data recipients in the US are capable of complying with their obligations in the first place.
Where do we go from here?
The next steps are as follows:
First: Every company takes its list of processing activities into its own hands and examines which processing operations involve transferring data to the US.
Second: Where a company finds that a US data transfer is based on the data subject’s consent, granted separately, this should remain so for the time being. However, if a company finds that a data transfer to the US is based on the old standard contractual clauses, a further verification step should be added (see the third step).
Third: Any processes based on standard contractual clauses should first be examined to determine whether, in that specific case, the applicable US law affords compliance with the new standard contractual clauses. The new standard contractual clauses should only be used if compliance is indeed possible. Otherwise, an alternative will have to be sought.
Anyone intending to propose the use of standard contractual clauses to US (or other non-EU) companies should note that the contractual templates are modular. This means companies must first analyze the data transfer process before choosing the correct modules.
Furthermore, this is the first time the EU Commission has also issued standard data processing agreements. These should not be confused with or substituted for standard contractual clauses. It is conceivable the two could be combined.
Dr. Stephan Gärtner, Stanhope SG Datenschutz