What are the next steps after Schrems II? – An initial assessment of the DSK press release

The Conference of Independent German Federal and State Data Protection Supervisory Authorities (Datenschutzkonferenz (DSK)) outlined its positions on the Schrems II ruling in a recent press release. We give an overview of and assess the additional statements contained in the press release.

The background to the Schrems II CJEU ruling on the EU-US Privacy Shield

After the CJEU declared the EU-US Privacy Shield invalid in its July 16, 2020 ruling (Case C-311/18), the Conference of Independent German Federal and State Data Protection Supervisory Authorities (DSK) now issued a press release on that ruling at the end of July. In the view of DSK, the ruling in principle strengthens the fundamental rights of citizens in the European Union. We give an overview of and assess the additional statements contained in the press release. This article complements our initial assessment of the judgement for the use of standard data protection clauses and its significance in practice.
 

What is DSK’s position on the Schrems II ruling?

According to DSK’s initial assessment, the ruling entails the following implications for the transfer of personal data to the USA:

1. Data transfers to the USA on the basis of the Privacy Shield need to be stopped with immediate effect. In particular, U.S. law does not provide sufficient legal protection for EU citizens.

2. DSK holds that the standard data protection clauses may continue to be used but highlights the responsibility of data controllers and data recipients to examine whether these clauses ensure that the third country in question affords a level of protection essentially equivalent to that guaranteed in the European Union.

3. The assessments of the ruling are also transferable to other safeguards under Article 46 GDPR. This expanded duty to check will, in particular, extend to the binding corporate rules (BCRs).

4. It is still possible to use the derogations under Article 49 GDPR as long as their specific situations are considered.

5. Data controllers have an immediate duty to check whether the conditions for data transfer to the USA are still given.
 

Duty to check also for other safeguards

Apart from a minor surprise, DSK’s position essentially illustrates how serious the situation has become in that it demands the immediate cessation of any transfer of personal data carried out on the basis of the annulled Privacy Shield. To avoid misunderstandings, however, it must be pointed out that only those data transfers that are based solely on the Privacy Shield must be stopped. Additional safeguards in Articles 46 et seq. GDPR or derogations under Article 49 GDPR continue to apply, allowing it to legitimize the transfer at the second level equivalent to adequacy decisions. It is important to note that the DSK statements should not be misconstrued to mean that all data transfers should be stopped right away. Rather, companies are held to examine whether and to what extent additional safeguards and derogations may be used.

Nonetheless, DSK emphasizes the responsibility of data controllers and recipients to assess the adequacy of the level of data protection in the third country when standard data protection clauses are used. DSK wants to extend this duty to check particularly to BCRs, although they are only listed as an example, since DSK explicitly mentions all safeguards in this respect. BCRs probably only owe their specific mention to the fact that, after adequacy decisions and standard data protection clauses, they most likely have the highest relevance in practice, especially for large corporations.
 

More specific consideration parameters are needed

At first glance, while the duty to check all safeguards in accordance with Articles 46 et seq. GDPR appears to be highly onerous and not covered by the wording of the ruling, it shows consistency though. According to the CJEU, the reasons for the invalidity of the adequacy decision are almost exclusively found in U.S. law, specifically the lack of suitable constitutional mechanisms to grant individual recourse to EU citizens against interference with personal data. By attaching such great importance to this circumstance, the Court views it as negating the adequacy of the level of data protection in the USA. Given that all other safeguards of the GDPR also have the purpose of establishing such a level of protection, they are therefore inevitably equally affected by the Court’s findings.

This raises the general question, however, as to where data controllers are supposed to have a remaining scope for assessment, if the lack of data protection is based on missing provisions in U.S. law. In this area, DSK as the coordinating body of the national data protection authorities, fails to identify more specific parameters according to which the safeguards should be examined as required. In fact, in view of the Court’s findings, only technical and organizational instruments such as end-to-end encryption or pseudonymization and anonymization appear to be suitable to maintain an adequate level of data protection.
 

Our summary of the DSK press release on Schrems II

The DSK positions also hold a minor surprise in store, since DSK now extends the duty to examine the adequacy of the level of data protection in the USA, as requested by the CJEU, to all safeguards under Articles 46 et seq. GDPR. As this exacerbates the situation, it would have been welcome if DSK had identified more specific parameters to consider the factors on the basis of which such an examination is to be carried out, and which above all are supposed to be suitable to compensate for such far-reaching deficiencies in U.S. law. The reference to data controllers’ independent responsibility to ensure lawfulness of the processing is certainly not sufficient. In view of the content and significance of the ruling, more specific guidance would be necessary to ensure uniform application of GDPR provisions. Particularly SMEs should be offered at least sufficient information in this special legal case to enable them to comply with their duties under data protection law.

Companies that have questions about this topic or need support in drafting immediate solutions are welcome to reach out to the experts at SKW Schwarz at any time. Feel free to contact us at kommunikation@skwschwarz.de.