Today, the European Court of Justice (ECJ) issued its much-anticipated decision in the Schrems II case. As we analyze in detail in an earlier blog post, the ECJ’s decision invalidates Privacy Shield while leaving Standard Contractual Clauses (SCCs) formally intact – although relying on SCCs may become more complicated than in the past.
A number of European data protection authorities (DPAs) have issued statements indicating how they may enforce on the basis of the ECJ’s judgment. Aspects of these statements that are of potentially significant interest to US companies. This blog post briefly summarizes these aspects of DPA statements to date.
At present, the Irish Data Protection Commissioner (DPC) and three German DPAs have issued statements on the Schrems II decision. The full statements can be accessed at these links:
- Irish DPC: statement available here.
- Germany – Federal DPA: statement (in German) available here.
- Germany – DPA of Hamburg: statement (in German) available here.
- Germany – DPA of Rheinland-Pfalz: statement (in German) available here.
As brief summaries of potentially key points in these statements:
1. The Irish DPC states that the ECJ’s ruling means that “in principle,” SCCs remain valid “to transfer data to countries worldwide.” But the DPC also states that “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” Going forward, “careful examination” and “assessments on a case by case basis” will need to be made. Nonetheless, the Irish DPC states it will be “developing a common position” with other EU DPAs, presumably prior to enforcing.
2. Germany’s Federal DPA states that although transfers on the basis of Privacy Shield are no longer permitted, “the ECJ made clear that international data transfers are still possible” – and promises to “advise intensively on the transition” from Privacy Shield to other mechanisms. It also indicates that, as soon as tomorrow, EU DPAs will meet to coordinate a common European approach to post-Schrems enforcement. The Federal DPA states that DPAs may “insist on a transition in particularly relevant cases,” indicating that initial enforcement may be risk-prioritized.
3. The DPA of the German State of Rheinland-Pfalz has issued a full set of post-Schrems FAQs for companies (available in German here). These FAQs are detailed, and we are happy to provide further detail or translations upon request. As a brief summary of potentially relevant points:
- There is no grace period for transitioning to new transfer mechanisms from Privacy Shield.
- To use SCCs, data exporters need to look at the specific US company that will receive EU data and determine whether that company can protect the data as required by the clauses.
- Thus, the DPA states that “as a rule,” SCCs cannot be used to transfer EU data to US telecommunications companies.
- The DPA also indicates data that SCCs may not be able to be used if data will ultimately be stored by US cloud providers.
- The DPA also suggests transfer-by-transfer assessment documentation should be maintained.
4. The DPA of the German State of Hamburg expressed concern that the ECJ is “kicking the ball back to the DPAs” to determine when to suspend transfers. It states that DPAs “now stand before the decision of whether transfers on the basis of SCCs should be questioned overall.” But the Hamburg DPA closes by stating that European DPAs should develop a “common strategy” for these issues.
Alston & Bird is assisting clients of all sizes in addressing data transfer issues. For more information, contact Jim Harvey, David Keating, Wim Nauwelaerts, or Daniel Felz.