Brussels, Berlin The European Union wants to increase legal certainty for European companies sending data to the United States. On Friday, the Commission will introduce the new “Standard Contractual Clauses”, which currently provide the only basis for legally compliant data sharing. “We guarantee the highest possible level of legal security,” EU Justice Commissioner Didier Reynders said in an interview with Handelsblatt and other European media.
But at the same time, Reynders admitted that adapting the standard contractual clauses “wasn’t an ideal solution”. Therefore, the European Union is aiming for a new data protection agreement with the United States of America. Reynders is currently in talks with the US Secretary of Commerce, Gina Raimondo. However, “in the short and medium term” it is not expected that an agreement that meets European requirements will be found.
“We want to block the Schrems 3 decision,” Reynders said. He was alluding to the lawsuits brought by Austrian Max Schrems against the previous data agreements with the USA, the Safe Harbor Principles and Privacy Shield. In both cases, the European Court of Justice followed the plaintiff’s reasoning and struck down the rules.
The Luxembourg court ruled last summer that personal data may only be transferred to non-European countries if they enjoy an equivalent level of protection there. According to the EU judges, this is not the case in the US because US security authorities have extensive access to data stored by US companies.
The consequences of the ruling are dire. As a result, many US cloud services are in violation of the European General Data Protection Regulation (GDPR). Fines of up to 20 million euros can be imposed on companies that use the services anyway.
Companies can still make do with the standard contractual clauses
Since then, companies wanting to send data across the Atlantic have had to settle for standard contractual clauses. The court upheld this possibility. However, their use involves a high level of bureaucratic effort for companies, since they have to check in each individual case whether the level of protection is sufficient.
The new standard contractual clauses should be easier for companies to use, Reynders promised: “They fully meet the requirements of the European General Data Protection Regulation and the requirements of Schrems rule 2.” Europe “cannot make concessions with the basic principles of,” the Commissioner for Justice clearly said.
Companies can also provide standard contractual clauses with additional security measures, for example by encrypting and sending data anonymously. According to Reynders, companies will have to make the decision on a case-by-case basis.
This already shows that the new clauses also require some effort. So it should be a temporary solution, and negotiations with the United States continue. Reynders praised the new government as “more open” than the previous one.
However, the main problem remains: in the United States there is no data protection law at the federal level that can be compared to the European General Data Protection Regulation. Reynders noted legislative initiatives in Congress, but it is unclear whether they will gain a majority. It would also be possible for the US to give EU citizens the right to defend themselves legally against security authorities’ access to their data. This does not exist yet.
However, it is unclear whether the Biden government will accept the Europeans’ demand for a right to take legal action, because what the US allows for EU citizens, citizens of other countries can also claim. Comprehensive Internet surveillance, such as that run by the National Security Agency, which in Washington is still considered an important tool in the fight against terrorism, would become more difficult.
The ruling forces the data protection authorities to act
The European Court of Justice ruling also forces data protection authorities to act. In Germany, authorities verify data transfers by European companies to countries outside the European Union or the European Economic Area. This is done on the basis of several catalogs of questions that have been developed by a task force of the Data Protection Conference (DSK) of the federal states and the federal government.
The task force’s co-chair, Hamburg data protection officer Johannes Caspar, emphasized that Luxembourg judges’ rulings in many cases required “a fundamental change in established business models and processes”. The use of standard data protection conditions for the transfer of data to other countries is sufficient only with the use of additional effective measures, “if the examination of the responsible person shows that an equivalent level of protection for personal data in the recipient country cannot be guaranteed.”
The European Court of Justice has made clear that authorities can “suspend or prohibit” illegal transfers. Caspar believes that “the suspension of transmission may succeed in many cases in a cooperative dialogue with the company.” But where this is not possible, the response will be the “control measures available”, in other words, fines.
Caspar admitted that the European Court of Justice’s decision meant obstacles for many companies for reasons they were not ultimately responsible for. “It must therefore be recalled again and again that the key to the fundamental right of informational self-determination lies in the recipient countries,” the data protection official said. “US politicians in particular should be aware: Appropriate safeguards against access by US security authorities to protect transmitted data as well as effective legal protection for persons from the European Union are essential requirements for free data transmission.” The solution is in the interests of both parties.
The fact that supervisory authorities are now active also concerns data protection activist Schrems. Through his organization “Noyb” (an acronym for “none of your business”), Schrems has filed more than 100 complaints in all EU countries against companies that continue to use US data analytics services such as Google Analytics.