Data transfer to the USA: New standard contractual clauses of the EU Commission do not provide comprehensive security

We had already addressed the issue of “international data transfer” from the perspective of the GDPR in a first blog article. Since then, the EU Commission has issued new standard contractual clauses for data transfers between the EU and third countries. These therefore also apply to data transfers with the USA.

By 27 December 2021, at the latest, all companies using the previous standard contractual clauses must have switched to the new regulations.

With the use of the new standard contractual clauses, is data transfer to the USA automatically secure?

Unfortunately, this is not the case. US security and intelligence agencies still have the right to access such data, circumventing the data protection rules set out in the GDPR.

What can a sender of commercial e-mails do additionally to handle the data transfer to the USA in a legally correct way?

Additional measures must be taken to restore a level of data protection equivalent to that guaranteed in the European Union. Anything else would violate applicable law. For this purpose, transmitted data can be encrypted, for example. In principle, the recommendation is to coordinate the planned measures with the responsible data protection authority in one’s own country in order to be on the safe side.

Do national data protection authorities check whether companies are taking additional protective measures?

In Germany, this is the case. In a joint effort, the supervisory authorities of various German federal states have begun to conduct random checks on how companies are implementing these requirements by publishing questionnaires that they send to selected companies, see https://datenschutz-hamburg.de/pages/fragebogenaktion/ (in German). Supervisors in other federal states are expected to follow suit.

In addition, there is already a specific case in which a supervisory authority has taken action as a result of a customer complaint and has notified a company based in Germany that had commissioned a U.S. email service provider to send its newsletters that the use of the standard contractual clauses is not sufficient to ensure the level of protection of the GDPR.

A fine was once again waived in this case.

The company has since terminated its contract with the American mailbox provider and is now sending email through another provider.