What to do after the toppling of the EU-US Privacy Shield?
In line with the General Data Protection Regulation (GDPR), personal data may only be transferred to a third country if an adequate level of protection is guaranteed in that country for the processing of the data. For transfers to the US, this was regulated until this summer by the “EU-US Privacy Shield”. In order to prevent the US security authorities from continuing to have unrestricted access to personal data, the ECJ has now revoked the Shield without any substitute.
Is it still possible for a Sender to transfer personal data to the US?
The answer is: This has become tricky.
Art. 49 GDPR outlines exceptional circumstances in which the transfer of data is still legal, even without the Privacy Shield. These circumstances include, for example, cases where the consent of the data subject is obtained or for the purpose of fulfilling a contract. However, it is not advisable to invoke such exceptional circumstances when transferring data, as the hurdles for this are very high and the Sender runs the risk of not meeting these strict requirements in the event of an assessment by the authorities.
The Privacy Shield can be replaced by standard data protection clauses or Binding Corporate Rules (BCR) as a legal basis for data transfers to the USA (see Art. 46 f. GDPR). However, additional measures must then be taken in specific individual cases to adequately protect the transmitted data from access by the US security authorities, for example by means of appropriate encryption.
In any event, before any further transfer of data to the US takes place, the Sender should reach an agreement with the data protection authorities on an appropriate concept.
What happens if the data transfer to the US simply goes ahead without appropriate measures?
The data transfer is then illegal. The European Data Protection Board (EDPB), which is the consortium of the national data protection authorities, has made it clear that there is no “period of grace”, so the ECJ ruling must be immediately implemented. In Germany, the national data protection authority has already announced corresponding proactive and case-related assessments. The result can be severe fines for any company which continues to send personal data on an unmodified basis.
Can a company now simply switch to other countries for data transfers?
In accordance with the ECJ ruling, this is also no longer so easy. When it comes to transferring data to other countries, for example in the case of processing orders, it must first be assessed whether a corresponding ruling by the European Commission has been made for that country. If this is not the case, the company faces the same risks as it currently faces when transferring data to the US. In other words, a data transfer will only be possible if it occurs in close consultation with the authorities on the basis of an appropriate concept.