“Schrems II”- court decision: – Recommendations for dealing with standard contractual clauses

Now that the Privacy Shield is no longer an effective security mechanism, the question arises as to how a data transfer to the USA can be secured instead.

Standard contractual clauses remain valid

Having a first look, the most important tool for international data transfer, the standard data protection clauses (SCC, also known as “model clauses”) under Art. 46 para. 2 lit. c GDPR need to be analysed for it current use. 

In its ruling, the European Court of Justice (ECJ) also addressed the SCC and (fortunately) found that they are compatible with the Charter of Fundamental Rights of the EU and remain valid. However, the ECJ has also made it clear that SCC cannot be used to secure every transfer to any third country. Rather, SCC can only be used if the data exporter and the recipient in the third country guarantee that the rules of SCC in that third country can be complied with.

If, on the other hand, the SCC cannot be complied with, the parties involved must terminate the data transfer. Ultimately, it comes down to the question of whether there are legal possibilities in the third country for (state) institutions to obtain extensive access to the data, which undermines the EU’s data protection principles, and whether data importers and exporters can do anything about it.

No compliance possible in the USA

For the USA, the ECJ has basically already stipulated in this decision that the legal framework conditions there actually make compliance with SCC impossible due to the monitoring laws. In connection with this, the supervisory authorities are instructed to stop the transfer of data due to SCC if it turns out that the clauses cannot be complied with in the recipient country.

Our recommendations for further action

Data controllers must now work with the ECJ decision and find a way to ensure that data processing is legally secure. In the following, we will show the steps that must be taken in order to identify and evaluate international data transfer within the company and to bring it to a secure legal and actual situation.

1.     Stock taking

You must determine for your company whether a data transfer to the USA (or other unsafe third countries) is taking place.

2.     Clarification whether data transfer abroad is really unavoidable

Next, it should be clarified whether data transfer abroad is really absolutely necessary or whether it can be changed. Several solutions are conceivable here: 

  • Do you have the option of choosing a purely European service provider?
  • Is it possible to keep the data on European servers?

It is important to note that it must be contractually agreed that data transfer to non-European countries will not take place. Neither an active transfer of data (e.g. saving data on a server) nor the opening of an access possibility (e.g. programmer).

3.     Clarification whether the safety laws of the USA apply to the importer

When transferring data to the USA, it is generally necessary to clarify whether the security laws there, on the basis of which the European Court of Justice has declared the Privacy Shield to be ineffective, apply to the data importer at all. There is a questionnaire available at noyb.eu/en/next-steps-eu-companies-faqswhich can be sent to your importer [Attention: The template contains a threat of termination; you should remove this if necessary if you want to use the form].

However, this step is basically superfluous for most of the services used, because

Providers of electronic communications, such as Amazon (AWS), Apple, Cloudflare, Dropbox, Facebook, Google or Microsoft, always fall within the scope of these laws and must allow secret services to access user data.

4.     Set security mechanism

So let us come to the decisive step. Once it has been established that the data must be transferred to the United States in order to use an essential service, it will be necessary to clarify the mechanisms by which this data transfer is legally secured.

The Privacy Shield is no longer an option here. What remains in practice are the standard contractual clauses (or binding corporate rules within the group) or exceptions under Art. 49 GDPR.

The SCC can be concluded quite easily as part of a contract and can therefore be used quickly and flexibly. However, the ECJ has already made it clear with its decision that the SCC alone cannot be sufficient for a data transfer to the USA, as they are ultimately only contracts. However, since the ECJ has come to the conclusion that the legal situation in the USA does not make it possible to comply with the European level of data protection without further ado, contracts alone will not help. After all, such agreements do not prevent the American secret services from accessing data that is legally permissible in the USA. American laws “beat” the treaties in this respect.

The SCC may only be used for data transfer if the person responsible and the recipient are satisfied that the European data protection level can also be complied with in the third country. On the basis of the ECJ’s statements, it can be assumed that the level of data protection in the USA cannot be complied with in principle. The ECJ as well as the supervisory authorities point out that, in addition to the mere contracts, additional organizational or technical measures may be necessary to ensure the level of data protection. The authorities have not yet specified what these measures are to be.

In our opinion, these can only be technical measures, such as extensive encryption, as these guarantee, at least to a certain extent, that the data on the server cannot be accessed by the American authorities, even if they have access to the server.

The obligation for effective encryption must be contractually fixed and the encryption performed must be documented.

However, it is not yet clear whether these measures alone will suffice. Legal certainty cannot be gained at this stage on this issue.

5.     Adapt consent texts and data protection declarations

If you switch from the Privacy Shield to SCC, this change must first be reflected in your data protection declaration. There, the corresponding references to the privacy shield must be removed and modified accordingly with regard to SCC. Furthermore, if you transfer the transferred data on the basis of consent, you should also refer to SCC in the information on consent. In general, you should mention that you have implemented the SCC and “additional security measures”.

6.     Residual risk assessment

As a final step, you should consider the residual risk that the data transfer may be prohibited or that further measures by affected parties or supervisory authorities may be necessary.

If you use SCC alone without taking any further measures, your transmission is subject to a significantly higher risk than if you can demonstrate that you have at least effective content encryption of the data. But even then you have no absolute certainty that this will satisfy the authorities. It is important that you ensure that you are prepared for future developments (e.g. publications by the supervisory authorities on the subject of “additional measures” (as announced by the EDSA) and that you can react quickly.

Bottom line:

If it is not possible to outsource data processing to European service providers, we recommend that standard contractual clauses be concluded first. This should be implemented as soon as possible. In addition, further measures should be taken to protect the transferred data from access by American authorities. In our view, the most important thing to consider here is an effective encryption of the data. Depending on the service used, this can be carried out by the data importer or data exporter. Furthermore, the data protection declaration and any existing consent texts must be adapted. Finally, a residual risk assessment must be carried out.

Do you have further questions on this topic? Then get in touch with our data protection experts! We will be glad to help you.