With the ruling of the ECJ of 16 July, new rules apply to data transfer to the USA. The EU-US Privacy Shield Agreement, which has been considered an appropriate basis for legally secure data transfer to the USA since 2016, is no longer valid.
The Austrian Maximilian Schrems, who saw his rights violated by the American authorities' access rights to data in the USA, had filed a complaint. The European Court of Justice essentially followed the complaint. International data transfer is only possible if data protection comparable to the DSGVO exists in the recipient country. The monitoring programmes of the US authorities, which are based on Section 702 FISA and Executive Order 12333, mean that these rights are not given. The principle of necessity is not complied with, and EU citizens have hardly any legal protection against such surveillance. Therefore, data transmission to the USA is no longer permitted under the Privacy Shield Agreement. The ruling is effective immediately, which means that there is no transitional period.
Data transmission with standard contractual clauses still possible!
Data transfers that refer to the so-called EU standard contractual clauses are still possible. These are firmly defined additions to contract processing contracts that contain data protection regulations. They may only be used unchanged in order to be legally secure. These Clauses are still valid in principle. A general effectiveness does not exist, however. This is because it must be examined in each individual case whether the legal framework in the third country is such that the standard contractual clauses provide sufficient legal certainty. Which brings us back to the question of whether this certainty is at all possible through the US monitoring programmes. In purely pragmatic terms, however, it can be assumed that data transfer to the USA is possible with these clauses as long as the data in question is not particularly sensitive. Since the surveillance of telecommunications providers is quite strong, data transfers to US telecom companies not possible.
What do SMEs need to consider now?
In order to avoid any problems in cooperation with US companies even after the ECJ ruling SMEs should take the following steps:
- Create a list of US data processors: First create a list, with which US companies you exchange data with. This is often Microsoft through Office 365, Amazon via AWS and a variety of other cloud based tools. This is not about Software installed on the company's own internal servers Important are software- as-a-Service applications that run in the cloud, i.e. on the servers of software providers.
- Check contract processing agreements: For these US vendors, check the Data Processing Agreements. Typically the point "Data Transfer" states on what legal basis data is being transmitted. Does the provider only refer to the Privacy Shield Agreement data transmission is no longer possible. Almost all major US companies use but already from the beginning, in addition to the Privacy Shield Agreement, the Standard contractual clauses.
- Check data categories: Check within your company which data is transferred to the USA or which data is processed in the SaaS applications. The supervisory authorities have not yet recommended which data is rather uncritical and which should not be transferred under any circumstances. Until then, the following applies: The more sensitive the data, the higher the risk that it cannot be transferred to the USA.
- Conclude standard contractual clauses: If you use smaller providers in the USA as contract processors, check your AV contracts and update them with the EU standard contract clauses if necessary. You can download them at the end of this article.
- Look for alternatives: There is no alternative to many of the large US tech companies. However, they work with standard contract clauses anyway and mostly strive for high transparency. Microsoft, for example, publishes a list of requests by the US authorities. But many small US companies cannot afford to do that. Look for providers from Europe in time to be able to react if your current US provider does not offer an alternative to the Privacy Shield.
Even if the ruling has immediate effect and all data transfers to the USA based on the Privacy Shield are illegal, the supervisory authorities will not initially monitor companies for this point on their own initiative. SMEs should therefore use this "unofficial" transitional period to gain an overview and take the necessary measures in order to be able to transfer data to the USA in a legally secure manner in the future.