• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy Blog

  • Home
  • Services
  • Events
  • Contacts

EU DPAs Announce Post-Schrems Enforcement Plans

July 16, 2020 By Daniel Felz

Today, the European Court of Justice (ECJ) issued its much-anticipated decision in the Schrems II case.  As we analyze in detail in an earlier blog post, the ECJ’s decision invalidates Privacy Shield while leaving Standard Contractual Clauses (SCCs) formally intact – although relying on SCCs may become more complicated than in the past.

A number of European data protection authorities (DPAs) have issued statements indicating how they may enforce on the basis of the ECJ’s judgment.  Aspects of these statements that are of potentially significant interest to US companies.  This blog post briefly summarizes these aspects of DPA statements to date.

At present, the Irish Data Protection Commissioner (DPC) and three German DPAs have issued statements on the Schrems II decision.  The full statements can be accessed at these links:

  • Irish DPC: statement available here.
  • Germany – Federal DPA: statement (in German) available here.
  • Germany – DPA of Hamburg: statement (in German) available here.
  • Germany – DPA of Rheinland-Pfalz: statement (in German) available here.

As brief summaries of potentially key points in these statements:

1.  The Irish DPC states that the ECJ’s ruling means that “in principle,” SCCs remain valid “to transfer data to countries worldwide.”  But the DPC also states that “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”  Going forward, “careful examination” and “assessments on a case by case basis” will need to be made.  Nonetheless, the Irish DPC states it will be “developing a common position” with other EU DPAs, presumably prior to enforcing.

2.  Germany’s Federal DPA states that although transfers on the basis of Privacy Shield are no longer permitted, “the ECJ made clear that international data transfers are still possible” – and promises to “advise intensively on the transition” from Privacy Shield to other mechanisms.  It also indicates that, as soon as tomorrow, EU DPAs will meet to coordinate a common European approach to post-Schrems enforcement.  The Federal DPA states that DPAs may “insist on a transition in particularly relevant cases,” indicating that initial enforcement may be risk-prioritized.

3.  The DPA of the German State of Rheinland-Pfalz has issued a full set of post-Schrems FAQs for companies (available in German here).  These FAQs are detailed, and we are happy to provide further detail or translations upon request.  As a brief summary of potentially relevant points:

    • There is no grace period for transitioning to new transfer mechanisms from Privacy Shield.
    • To use SCCs, data exporters need to look at the specific US company that will receive EU data and determine whether that company can protect the data as required by the clauses.
      • Thus, the DPA states that “as a rule,” SCCs cannot be used to transfer EU data to US telecommunications companies.
      • The DPA also indicates data that SCCs may not be able to be used if data will ultimately be stored by US cloud providers.
    • The DPA also suggests transfer-by-transfer assessment documentation should be maintained.

4.  The DPA of the German State of Hamburg expressed concern that the ECJ is “kicking the ball back to the DPAs” to determine when to suspend transfers.  It states that DPAs “now stand before the decision of whether transfers on the basis of SCCs should be questioned overall.”  But the Hamburg DPA closes by stating that European DPAs should develop a “common strategy” for these issues.

————————————————————————————–

Alston & Bird is assisting clients of all sizes in addressing data transfer issues.  For more information, contact Jim Harvey, David Keating, Wim Nauwelaerts, or Daniel Felz.

Filed Under: Data Protection, Enforcement, GDPR, Privacy, Privacy Shield, Regulation Tagged With: Data Transfers, European Court of Justice, European Union (EU), GDPR, Germany, Max Schrems decision, Privacy Shield, Regulatory Enforcement

About Daniel Felz

Daniel Felz is a senior associate with Alston & Bird’s Privacy & Data Security Group. Dan leverages his extensive international experience to advise clients on global privacy, cybersecurity, technology, and adversarial matters.

[Read Bio]

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy & Data Security team and focuses on key data privacy and data security issues.


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


THE DIGITAL DOWNLOAD
Click here to see the editions

PRIVACY & CYBER EVENTS
Click here to see upcoming and past events

PRIVACY & CYBER MAILINGS
Click here to sign up

@ALSTONPRIVACY
Click here to follow us on Twitter

Secondary Sidebar

Categories

Recent Posts

  • New Law Requires HHS to Consider Recognized Security Practices as Mitigating Factor When Determining Penalties
  • Federal Court Rules Cyber Forensic Report Is Not Protected Under Attorney-Client Privilege Or Work Product Doctrine
  • Financial Regulatory Agencies Announce Proposed Rule Requiring Notice of Computer Security Incidents
  • Brexit Trade Agreement Provides a Temporary Solution for Companies Transferring Personal Data from the EEA to the UK
  • UK ICO Publishes New Data Sharing Code
Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy