
EU US Privacy Shield
certain conditions (Articles 44 to 50 DSGVO). In particular, the appropriate safeguards under Article 46 DSGVO, such as the EU standard contractual clauses, the consent of the data subject (Article 49(1)(a) DSGVO), Binding Corporate Rules (Article 46(2)(b) and Article 47 DSGVO), codes of conduct (Article 40 DSGVO), approved certification mechanisms (Article 42 DSGVO) or the existence of a public interest (Article 49 DSGVO) should be mentioned.
Now that Japan is no longer subject to additional restrictions on data flows, other third countries have an incentive to improve their data protection standards in order to benefit from the advantages of an EU adequacy decision in the future. Canada, Israel, Japan, New Zealand, Switzerland and Uruguay are among the twelve countries that the European Commission has recognised as providing a comparable level of data protection.
The EU General Data Protection Regulation has already inspired some countries in key third markets to adopt comparable laws. Argentina already takes a similar approach to international data transfers, and the new Data Protection Act that the government presented to Congress in October 2018 would bring the country even closer to the EU regulation [12].
The same applies to Brazil, where the new General Data Protection Law was adopted in August 2018 and came into force in February 2020. International data transfers are only permitted in certain situations, for example where the recipient country ensures an adequate level of data protection, where approved legal mechanisms (e.g. model contract clauses) are used, or where the data subjects have given their consent.
BDI’s position
BDI expressly welcomes the EU adequacy decision on Japan. The EU General Data Protection Regulation thus sets international standards. In dialogue with other key markets, the EU should also work towards harmonising data protection standards there. Ideally, this could lead to further EU adequacy decisions, which would de facto carry the high EU standards into key markets ("protection travels with the data").
EU-US Privacy Shield
The EU-US Privacy Shield Agreement had been in force since 2016 and was overturned by the European Court of Justice (ECJ) in its judgment of 16 July 2020 (C-311/18, "Schrems II"). The ruling was triggered by a complaint lodged by a citizen with the Irish data protection authority, in which he repeatedly objected to the transfer of his data by Facebook to the US. This is the second time that the ECJ has overturned the essential legal basis for the transfer of the personal data of European citizens to the US, following its decision on the Safe Harbour Agreement in 2015 (C-362/14, "Schrems I").
Until the ruling, the Privacy Shield Agreement negotiated on 12 July 2016 was, alongside the standard data protection clauses, the essential basis for transfers of personal data from the EU to the USA under the third-country transfer rules of Art. 44 et seq. DSGVO. The agreement facilitated the EU-US data flow for companies. At the same time, the Privacy Shield imposed stricter obligations on US companies to protect personal data received from the EU than US data protection law does. In order to fall within the scope of the agreement and benefit from the facilitated data flow, US companies had to self-certify against certain data protection standards. Through annual registration, they were then included by the US authorities in the Privacy Shield List of the US Department of Commerce. When personal data was transferred to a certified US company on the basis of the Privacy Shield, the EU citizens concerned had the right to be informed by the US company, to object to data processing, to obtain access to their data and to ascertain the purpose of data storage. An annual review mechanism was also agreed between the US administration, the EU Commission and representatives of the European data protection authorities.
[12] https://iapp.org/news/a/argentinas-new-bill-on-personal-data-protection/
The ECJ ruling deprived European companies of the possibility of legally secure data transfers, without any transitional period. Following the ruling, the transatlantic data flow can no longer simply be based on the so-called standard data protection clauses. In principle, these remain applicable to data transfers to third countries. However, it must be examined on a case-by-case basis whether the contractual commitments in the standard data protection clauses can actually be complied with in the third country, so that the level of protection required under Union law is safeguarded. If necessary, the controller (the data exporter) must also take further data protection measures. If an adequate level of data protection cannot be ensured, even with additional measures, the transfer of data to the country concerned must be suspended. If the transfer has already begun, it must be stopped immediately, and data already transferred must be returned, the ECJ said.
Since the ECJ denies that the level of data protection in the US is adequate, because of the far-reaching powers of intervention of the US intelligence services and the lack of legal remedies, and since it requires an extensive case-by-case assessment by the data exporter based in the EU, the transfer of data to the US is made considerably more difficult in practice even on the basis of the EU standard data protection clauses, leading to great legal uncertainty overall. In this respect, it should be noted in particular that the standard data protection clauses are, as the Court of Justice states, binding only between the contracting parties and not on the authorities of the third country.
BDI’s position
Transatlantic data traffic is of enormous importance to German industry. Especially given the importance of the USA as an investment location and export market, and as a provider of innovative and efficient global IT services, simple and secure transatlantic data transfer is essential. What form and content additional agreements or measures would have to take in order to overcome the deficits in the US level of data protection identified by the ECJ remains unclear. In view of these risks, it is now the urgent task of the EU Commission to negotiate an effective and sustainable successor arrangement with the US authorities as quickly as possible, and to improve the EU standard data protection clauses. At the same time, the European Data Protection Board is invited to publish practical, uniform and binding guidelines, applicable throughout Europe, on supplementary safeguards to the standard data protection clauses. European companies need legal certainty in the global data and business environment. The confidence of EU citizens, and not least of businesses, in transatlantic data traffic must be restored. This is a task for politicians on both sides of the Atlantic.
In the meantime, the supervisory authorities in the EU and Germany should grant an appropriate moratorium to companies that have organised their data processes in reliance on the validity of the Privacy Shield and the standard data protection clauses.