Following the Schrems II decision of the European Court of Justice (ECJ) on 16/07/2020, the Privacy Shield no longer provides a valid legal basis for transatlantic data transfers to the US. This causes major problems, especially for companies with a US parent company. Companies that work with major US companies for data processing or data storage are likewise affected.
Switching to EU standard contractual clauses
The vast majority of companies have therefore turned to the EU standard contractual clauses (SCC) to bridge this gap; according to an IAPP survey, more than 88 percent have done so. In the Schrems II decision, the ECJ did not object to these standard contractual clauses in general. However, it clearly pointed out that supervisory authorities must suspend or prohibit a data transfer on this basis if there is no sufficient guarantee of compliance in the respective third country. With regard to the US in particular, such a transfer could hardly be justified because of possible intelligence service queries on personal data.
New proposals for data transfer
On 11/11/2020, the European Data Protection Committee (EDPC) published a draft of new standard data protection clauses, which was open to public consultation until 10/12/2020. The real surprise was that, in addition to the drafts, a 29-page annex was published with supplementary measures for international data transfers (transfer tools). Its centrepiece is a 6-point plan of technical, organizational and contractual tools that the data exporter should use in addition to the standard contractual clauses:
- Analysis of data transfers to third countries ("Know Your Transfers")
- Identification of the transfer tools used
- Assessment of the effectiveness of the transfer tools
- Identification of appropriate complementary measures
- Implementation of complementary measures
- Regular evaluation
With these transfer tools in place, at least some of the legal uncertainty surrounding the transfer of personal data of EU citizens to the United States has been resolved.
A plus in legal certainty
The joint opinion of the EDPC and the European Data Protection Supervisor (EDPS) adopted on 16/01/2021 makes it clear that the standard data protection clauses will still receive clarifying adjustments as a result of the opinions, e.g. regarding the scope of application, the obligations for data transfers, the evaluation of third-country laws on access to data by authorities and the notifications to supervisory authorities. Nevertheless, the new standards as well as the 6-point plan offer a plus in legal certainty even before the final adoption by the EU Commission.
The outcome of the US presidential election is also likely to bring a bilateral agreement between the US and Europe back into focus. The new US Vice President Kamala Harris, as former Attorney General of California, had initiated specific measures for companies and organizations on federal requirements for an appropriate level of data protection. The designated State Secretary for Health and Human Services, Xavier Becerra, is also regarded as a proven data protection expert and has played a key role in shaping the most recent data protection laws in California. Therefore, progress in negotiations with the new Biden/Harris administration can certainly be expected.
Finally, individual US states are making strong efforts to ensure an appropriate level of data protection and to move closer to the regulations of the GDPR. California enacted the California Consumer Privacy Act (CCPA) on 01/01/2020, the first comprehensive data protection law in the United States. The requirements for companies to protect consumer rights were significantly increased and are similar to the data subject rights of the GDPR. In addition, the Consumer Privacy Rights Act (CPRA), another data protection law for California, was launched at the end of 2020; in particular, it severely restricts the disclosure of personal data for advertising purposes. Thus, it is not unlikely that an adequate level of data protection will be established in the near future, at least in some individual US states, legitimizing transatlantic data transfers.
We advise companies on how to organize their performance in compliance with data protection law, taking particular account of current developments regarding data transfer to the US. Thanks to the close professional interlocking of IT law, data protection law and intellectual property law, we are able to offer well-versed solutions in all sub-areas. I will be happy to answer any questions you may have.