The European Data Protection Board (EDPB) published frequently asked questions at the end of last week about the Schrems II ruling, in which the Court of Justice of the European Union recently overturned the Privacy Shield agreement. The EU data protection officers draw particular attention to the fact that the judgment does not contain any grace periods. Instead, it must be implemented immediately: data transfers to third countries outside the European Economic Area on the basis of Privacy Shield are now illegal.
The data protection officers therefore answer the question of whether Privacy Shield can at least temporarily still be used as a legal basis for data transfers with a clear: “No, the Court has declared the Privacy Shield decision to be invalid without maintaining its effects, because the US law assessed by the Court does not offer a level of protection essentially equivalent to that of the EU. This assessment must be taken into account with every transfer to the USA.”
“Transfers on the basis of this legal agreement are illegal” is the response to another question, in which the EDPB also refers directly to the possible alternative of “standard contractual clauses”. However, responsibility for the lawful transfer of data lies in the hands of the company wishing to transfer data to the USA or another country outside the EU economic area.
Among other things, the data protection officers note that the court has also found in relation to the standard contractual clauses that US law does not offer the same level of protection as the EU. “Whether you can submit personal data based on standard contractual clauses depends on the outcome of your assessment, taking into account the circumstances of the transfer and any additional measures you could take. The additional measures together with the standard contractual clauses should, after a case-by-case analysis of the circumstances of the transmission, ensure that US law does not impair the appropriate level of protection that they guarantee.” If protection is not guaranteed, the transfer of personal data based on the standard contractual clauses must be suspended or ended.
Another option for data transfer may be an exception rule in Article 49 of the General Data Protection Regulation. Accordingly, data can also be transferred to the USA or another third country if the user has given explicit consent. However, the consent must relate to specific data or transfers. It must be obtained before the transfer, even if the transfer only takes place after the data has been collected. The person giving consent must also be specifically informed about possible risks that could arise from the transfer to a specific country.
The Board concluded by stressing that the judgment applies not only to the United States, but to all third countries. Standard contractual clauses must therefore be checked, among other things, to ensure that the laws in the recipient country of the data offer a level of protection corresponding to that of the EU.
Immediately after the decision became known, data protection activist Max Schrems, whose complaint brought down not only the Privacy Shield agreement but also its predecessor, pointed out that the standard contractual clauses cannot be used for data exchange with the USA. He urged the responsible data protection authorities to act on their own initiative against companies “if US surveillance laws violate the principles of EU data protection law but the companies have not acted”.