In a world where data is transmitted around the globe in a matter of seconds, personal data protection is an important area of concern for most consumers. Legislators are also aware of the need for data security and have introduced increasingly stricter rules targeting trans-national data traffic as a result. The introduction of GDPR, for example, has raised personal security data questions to a new level, posing greater challenges for companies and institutions in striking a balance between their own economic interests and legitimate data protection. This is also far from a new problem as data traffic has not stopped at European external borders for a long time. Here we are taking a look at data protection and the new Schrems II ruling.
Roughly 30% of world trade takes place between Europe and the USA. Annual trade in goods alone has a total value of more than 550 billion euros per year, all of which naturally involves enormous amounts of data. Then there are also internet services such as cloud services (currently dominated by US companies) to consider. With this type of global data volume at play, it is only logical that the subject of data traffic in so-called third countries was also firmly in mind when designing the GDPR and considering which countries outside the EU which would fall within the scope of the regulation.
Article 44 of the GDPR restricts legitimate data traffic to third countries which “offer an appropriate level of protection” (Art. 45, Paragraph 1, GDPR), i.e. those with requirements which are mandatory for the member states.
This list of third countries which are allowed to exchange data with EU countries without hindrance is straightforward. The so-called “adequacy decision” is currently (as of June 2021) applicable for the following countries:
Note that the USA does not meet the required conditions. It is, however, possible to establish and prove the required level of data protection via separate contracts.
Just one year after completing his law studies at the University of Vienna, the then 25-year-old Maximilian Schrems drew attention to himself with a complaint about handling of personal data by the US company Facebook. Schrems was later to become founder and CEO of NOYB (European Center for Digital Rights), an NGO with the goal of enforcing data protection within the European Union. The data activist’s initial complaint ultimately led to a preliminary ruling by the Irish High Court and the first “Schrems” judgment of the European Court of Justice. With this judgement, the Safe Harbor Agreement was declared ineffective on October 6, 2015.
The Safe Harbor Agreement had initially been issued at the end of July 2000 after consultation between the US Department of Commerce and the European Commission. By 2015, around 5,500 American companies had joined up to the agreement in order to document compliance with the data protection provisions of the Data Protection Directive 95/46/EC (the forerunner of the GDPR). In practice, its continued existence would have legitimized data traffic between the EU and the USA at the level of an adequacy decision.
After Safe Harbor failed, informal agreements between the EU and the United States resulted in a new agreement in July 2016. The resulting EU-US Privacy Shield was meant to lay the foundations for the continued exchange of data between the EU and the USA in accordance with data protection regulations. The new package of regulations, however, was criticized from the start. One of the most prominent critics was Maximilian Schrems (name giver of Schrems I and Schrems II) who emphasized, even before it came into force, that the EU-US Privacy Shield provided essentially no significant improvement over the Safe Harbor Agreement.
The European Parliament also identified considerable deficits in the agreement which ultimately led to the “Schrems II judgment” on July 16, 2020 in which the ECJ, as it had previously done with Safe Harbor, declared the agreement to be invalid.
The Safe Harbor and the EU-US Privacy Shield agreements offered US companies the opportunity to be certified in accordance with agreed rules in order to be approved for unhindered data exchange with GDPR member states. Following Schrems I and II, this possibility no longer existed.
However, the GDPR did still provide for “standard contractual clauses” (SCC). These sample formulations could be incorporated into individual agreements and provide companies from third countries without an adequacy decision the opportunity to provide the necessary guarantees. It also enabled them to grant their customers enforceable rights and effective legal remedies that enabled the exchange of personal data in accordance with the ordinance.
Standard contractual clauses were first adopted by the European Commission in 2001 and last revised in 2010. Their basic purpose was to:
“Provide for those technical and organizational measures in the contract that are necessary, taking into account the applicable data protection law and the state of the art and the costs incurred in its implementation, in order to protect personal data against accidental or unlawful destruction or accidental loss and to protect against changes, unauthorized disclosure or unauthorized access and against any other form of unlawful processing.”
-Decision of the Commission of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries according to Directive 95/46 / EC of the European Parliament and of the Council
Bearing in mind the increase in digital data traffic and other fundamental changes since the last revision of the standard contractual clauses (not least the Schrems I and Schrems II rulings and introduction of GDPR), new requirements had clearly emerged. The”old” SCC no longer represented all types of data traffic as a closed contract and the EU Commission proposed reforms via a new set of standard contractual clauses in 2020.
On June 4, 2021, the officially renamed Standard Data Protection Clauses (SDPC) were published by the EU Commission. Their most obvious innovation is that they are modular. Each of the four modules now covers a distinct option for the transfer of personal data:
On closer inspection, however, the primary change consists in the fact that the contractual regulation is no longer valid simply because of its existence. In the form of the new data transfer impact assessment, there is now an obligation to assure yourself that a contractual partner from a third country is actually able to meet the agreed obligations. This includes, among other things, the assurance that national laws of the third country of destination do not conflict with compliance with the SDPC.
Another central aspect of the new standard data protection clauses is defence against government inquiries. Criticism has grown louder in recent years, particularly in relation to data traffic with the USA, that authorities have potentially more or less unhindered access to personal data. Counter-terrorism data queries by law enforcement agencies in the USA, for example, are continuously increasing and this also affects data from abroad. With the new SDPC there is an obligation to defend against such data queries as well as an obligation to document all inquiries for submission to the supervisory authorities.
Standard data protection clauses pose a fundamental problem for globally operating companies: agreement must be made separately for each internal data transfer with multinational corporations, thus incurring considerable extra overhead.
Binding Corporate Rules (BCR) offer a convenient alternative or supplement to SDPC where the European Commission offers a framework in which companies can establish binding guidelines in order to structure internal data traffic to and from third countries in accordance with European law.
The idea of individual company guidelines arose in 1995 parallel to the introduction of the European Directive 95/46/EC. They owe their popularity at least partially to the individual design freedom they offer. In addition to their legal significance, BCRs also perform an important symbolic role. By using them, companies can demonstrate that they are committed to data protection above and beyond what is strictly necessary. It should be noted, however, that their introduction involves considerable additional organizational effort and resulting costs.
Despite all efforts, for example in the form of the new SDPC, data transfer to third countries still involves large additional overhead for companies. A combination of contractual, organizational and technical measures is required to guarantee that personal data can be exchanged in a legally compliant manner.
In this context, SDCP and/or BCRs are individual elements that should be supplemented by, for example, pseudonymization or anonymization of data. Alternatively, of course, there is always the option of simply doing without US service providers. Whether this is sensible or even possible in practice can only be assessed on a case-by-case basis and will ultimately boil down to a question of cost.
In summary, companies are likely to incur considerable auditing, implementation and documentation costs in relation to global data transfer. It is also imperative that companies affected by the introduction of the new SDPC should recognize an urgent need for action, deal in detail with their own requirements, and develop customized solutions to suit their needs.