Germany Update: The new standard contractual clauses – free data transfer to the USA possible again?
21/06/2021
Background:
In July 2020, the so-called “Schrems II judgment” of the European Court of Justice (ECJ, judgment of 16.07.2020 – C-311/18) caused great legal uncertainty regarding the transfer of personal data outside the European Economic Area (“EEA”), in particular to the USA. In its decision, the ECJ declared the so-called “EU-US Privacy Shield” agreement invalid, which had served as the legal basis for the transfer of personal data from the EEA to the USA. The ECJ based its decision on the legal powers of US authorities to have extensive access to personal data transferred to the US.
At the same time, the ECJ continued to consider the so-called standard contractual clauses (SCC) to be valid. However, the ECJ stressed that when using the SCC, it may be necessary to take additional protective measures, in particular to prevent access to personal data by authorities. The ECJ left open what these measures may be.
The European Data Protection Board took this as an opportunity to publish its “Recommendations 01/2020 on measures to complement transfer tools to ensure the level of protection of personal data under Union law” (https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_de.pdf) at the beginning of November 2020. This recommendation contained a 6-stage examination, on completion of which the SCC can be used together with appropriate technical and organizational measures.
The SCC, which were also the subject of the “Schrems II judgment”, date from 2001 and 2010. After years of negotiations, the European Commission published two new sets of “standard contractual clauses” on 4 June 2021. According to the European Commission, these take into account the “Schrems II judgment” of the ECJ.
Standard data protection clauses
The new standard data protection clauses, as these clauses should be called in accordance with the terminology of the GDPR, differ considerably from the SCC.
Due to their modular structure, the standard data protection clauses can be concluded variably between the actors involved. The standard data protection clauses now contain 4 different modules that cover different processing scenarios: a transfer from the controller to a controller, a transfer from the controller to a processor, a transfer from the processor to another processor, and a transfer from the processor to a controller. The obligations of the data exporter and importer associated with the standard data protection clauses vary according to the processing scenario. Here, the standard data protection clauses have a considerably wider scope than the SCC, as, in particular, they can now also be concluded between two processors.
It is also possible that third parties can join existing standard data protection clauses if the other parties involved in the processing agree to this. The standard data protection clauses, if they are used in the context of order processing, also meet the requirements of Article 28 (2) and (3) GDPR, so that no additional contract is required for order processing.
The standard data protection clauses also grant the persons concerned by the processing extensive rights vis-à-vis both the data importer and the data exporter, such as a free copy of the completed annexes to the standard data protection clauses. This allows the data subject to check which data is being exported. In addition, there is a direct claim for damages against such data importers who act as processors.
Standard data protection clauses and technical and organisational measures
The standard data protection clauses, however, do not contain a blueprint or a “free ticket” for the transfer of personal data outside the EEA. Rather, they refer in substance to the recommendation of the European Data Protection Board regarding the technical and organisational measures necessary to ensure an adequate level of protection of the data. The standard data protection clauses contain examples of technical and organizational measures to be taken, such as encryption or pseudonymization, if necessary also during the data transmission. The European Data Protection Board has already listed the technical and organisational measures as examples in its recommendation from November 2020. Which measures are actually to be taken, or can be taken at all, still depends on the respective data processing. Pseudonymization, for example, does not make sense for many data transfers. As is apparent from Annex II of the standard data protection clauses, these technical and organisational measures must also be “described concretely (not in general)”.
It can therefore be assumed that the technical and organizational measures will become the focus of data transfers outside the EEA. However, it remains the case for the time being that every data transfer outside the EEA must be carefully examined unless an adequacy decision has been issued for the respective third country.
Result:
The new SCC represent a significant step forward. However, they alone do not enable GDPR-compliant data transfer outside the EEA. Additional measures are still needed for this.
By Johannes Fischer, MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact germanylabor@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.