“Return EU data currently stored in the U.S. back to the EU”. The data protection commissioner in Berlin reacts to the “Schrems II” decision.


In Berlin, the data protection commissioner takes a very stringent approach to “Schrems II”

 

 

BY:

Alexis de Hahn
Avocat Reporteur
PROJECT COUNSEL MEDIA

Well, except in Germany, where a very stringent approach has been adopted. In Berlin, the data protection commissioner Maja Smoltczyk has called on Berlin-based companies to return EU data currently stored in the U.S. back to the EU, stating:

“[t]he times when personal data is transferred to the US for convenience or cost savings are over after this judgment. Now is the time for Europe’s digital independence.”

Smoltczyk issued a formal statement, which is in German. Our translation team has provided an English text, which reads as follows:

 * * * * * * *

17 July 2020

After “Schrems II”: Europe needs digital autonomy

Following the decision of the European Court of Justice (ECJ) to declare the “EU-US Privacy Shield” invalid, the Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, calls on data processing agencies in Berlin to transfer personal data stored in the USA to Europe.

In its decision “Schrems II” (C-311/18) on Thursday, 16 July 2020, the European Court of Justice stated that US authorities have too extensive access to data of European citizens. As a result, personal data may generally no longer be transferred to the USA until the legal situation changes. There are exceptions, especially in the special cases provided for by law, for example when booking a hotel in the USA.

The ECJ notes, among other things, that there are governmental surveillance measures in the USA which are accompanied by mass collection of personal data without clear restrictions. This is contrary to the EU Charter of Fundamental Rights (recital 180 et seq. of the judgment). Furthermore, it notes that European citizens have no possibility to have surveillance measures reviewed by US authorities in court. This violates the essence of the European fundamental right to effective legal protection.

Transfers of personal data to third countries are only permitted if they provide a level of data protection that is equivalent in substance to European fundamental rights. Since this is largely not the case in the USA according to the findings of the highest European court, the ECJ in its decision declares the “EU-US Privacy Shield” invalid, on the basis of which personal data have been transferred to the USA in many cases to date. On the other hand, the ECJ declares the so-called standard contractual clauses which European companies can conclude with providers in third countries in order to maintain the European level of data protection in the third countries as well to be fundamentally permissible under certain conditions. However, it emphasises in this context that both European data exporters and data importers in third countries are obliged to check, before the first data transfer, whether there are state access possibilities to the data in the third country which go beyond what is permissible under European law (para. 134 et seq., 142 of the ruling). If such access rights exist, even the standard contractual clauses cannot justify the export of data. Data already transferred to the third country must be retrieved. Contrary to what has been widely held up to now, the mere conclusion of standard contractual clauses is not sufficient to enable data exports (margin 126 et seq. of the judgment).

* * * * * * *

 

NOTE TO OUR READERS

 

Enforcement of the General Data Protection Regulation (GDPR) and other EU data protection statutes is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK).

For instance, the GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (i.e., processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority”.

However, Germany does not have one central Data Protection Authority (“DPA”) but a number of different Authorities for each of the 16 German states (Länder) that are responsible for making sure that data protection laws and regulations are complied with. In addition, the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für Datenschutz und Informationsfreiheit – ‘BfDI’) is the Data Protection Authority for telecommunication service providers and represents Germany in the European Data Protection Board. To ensure that all the Authorities have the same approach, a committee consisting of members of all Authorities has been established – the ‘Data Protection Conference’ (Datenschutzkonferenz ‘DSK’). The coordination mechanism between the German Authorities mirrors the consistency mechanism under the GDPR.

It is expected that the DSK will publish a coordinated response to Schrems II and specifically address the processing of Standard Contractual Clauses in Germany. Last year it published a common model for all German data authorities to follow in calculating fines pursuant to Article 83 of the GDPR.
