datenrecht.ch

com­mon search words

Topics

no results

show more

Reac­tion of the super­vi­so­ry aut­ho­ri­ties to Schrems II

Some aut­ho­ri­ties have alre­a­dy joi­n­ed the Schrems II ruling of the ECJ expres­sed. The pic­tu­re is mixed. While one aut­ho­ri­ty demands imme­dia­te repa­tria­ti­on of data (Ber­lin), others sug­gest that acti­vism is not neces­sa­ry except in spe­cial cases. A selection:

  • The FDPIC, as repor­ted, exami­nes the impact on Switzerland;
  • the EDSA, the Euro­pean Data Pro­tec­tion Board, wel­co­mes the ruling and empha­si­zes the respon­si­bi­li­ty of the export­er in par­ti­cu­lar if the stan­dard clau­ses are to be used:

    The EDPB wel­co­mes the CJEU’s judgment […]. The CJEU’s decis­i­on is one of gre­at importance. […]. With regard to the Pri­va­cy Shield, the EDPB points out that the EU and the U.S. should achie­ve a com­ple­te and effec­ti­ve frame­work gua­ran­te­e­ing that the level of pro­tec­tion gran­ted to per­so­nal data in the U.S. is essen­ti­al­ly equi­va­lent to that gua­ran­teed within the EU, in line with the judgment. […] While the SCCs remain valid, the CJEU under­lines the need to ensu­re that the­se main­tain, in prac­ti­ce, a level of pro­tec­tion that is essen­ti­al­ly equi­va­lent to to the one gua­ran­teed by the GDPR in light of the EU Char­ter. The assess­ment of whe­ther the count­ries to which data are sent offer ade­qua­te pro­tec­tion is pri­ma­ri­ly the respon­si­bi­li­ty of the export­er and the importer, when con­side­ring whe­ther to enter into SCCs. When per­forming such pri­or assess­ment, the export­er (if neces­sa­ry, with the assi­stance of the importer) shall take into con­side­ra­ti­on the con­tent of the SCCs, the spe­ci­fic cir­cum­stances of the trans­fer, as well as the legal regime appli­ca­ble in the importer’s coun­try. […] . If the result of this assess­ment is that the coun­try of the importer does not pro­vi­de an essen­ti­al­ly equi­va­lent level of pro­tec­tion, the export­er may have to con­sider put­ting in place addi­tio­nal mea­su­res to tho­se inclu­ded in the SCCs. The EDPB is loo­king fur­ther into what the­se addi­tio­nal mea­su­res could con­sist of. […] The EDPB will assess the judgment in more detail and pro­vi­de fur­ther cla­ri­fi­ca­ti­on for stake­hol­ders and gui­dance on the use of instru­ments for the trans­fer of per­so­nal data to third count­ries pur­su­ant to the judgment.

  • The Ber­lin Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on Plea­sed but imprac­ti­cal, direct­ly asks data-pro­ce­s­sing agen­ci­es in Ber­lin to move per­so­nal data stored in the U.S. to Europe:

    In its “Schrems II” decis­i­on (C‑311/18), the ECJ held on Thurs­day, July 16, 2020, that U.S. aut­ho­ri­ties are entit­led to exten­si­ve access pos­si­bi­li­ties have access to data of Euro­pean citi­zens. It fol­lows that per­so­nal data may, as a rule, no lon­ger be trans­fer­red to the USA as befo­re until the legal situa­ti­on chan­ges. Excep­ti­ons exist abo­ve all in the spe­cial cases pro­vi­ded for by law, for exam­p­le in the case of a hotel boo­king in the USA. […] The ECJ […] decla­res the so-cal­led stan­dard con­trac­tu­al clau­ses […] to be per­mis­si­ble in prin­ci­ple under cer­tain con­di­ti­ons. Howe­ver, it empha­si­zes in this con­text that both Euro­pean data export­ers and data importers in third count­ries are obli­ged to check befo­re the first data trans­fer whe­ther the­re are govern­men­tal access pos­si­bi­li­ties to the data in the third coun­try that go bey­ond what is per­mis­si­ble under Euro­pean law (para. 134 f., 142 of the judgment). If such access rights exist, even the stan­dard con­trac­tu­al clau­ses can­not justi­fy the export of data. Data that has alre­a­dy been trans­fer­red to a third coun­try must be retrie­ved. Con­tra­ry to what has been wide­ly repre­sen­ted so far, The mere con­clu­si­on of stan­dard con­trac­tu­al clau­ses is not suf­fi­ci­ent to allow data exports […]. The Ber­lin Com­mis­sio­ner […] the­r­e­fo­re calls upon all data con­trol­lers sub­ject to her super­vi­si­on to obser­ve the decis­i­on of the ECJ. Per­sons in char­ge who – espe­ci­al­ly when using cloud ser­vices – trans­fer per­so­nal data to the U.S. are now encou­ra­ged to imme­dia­te­ly Switch ser­vice pro­vi­ders in the Euro­pean Uni­on or in a coun­try with an ade­qua­te level of data pro­tec­tion.

  • The Ham­burg Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on also appears to take a rather strict stance:
    […] The fact that, in the view of the hig­hest Uni­on court, the­re can be no “busi­ness as usu­al” with the Pri­va­cy Shield is wel­co­me. The rela­be­l­ing of the pre­de­ces­sor instru­ment Safe Har­bor, which was declared inva­lid in 2015, with only mar­gi­nal impro­ve­ments has not led to a rethink in the US govern­ment. […] Against this back­ground, the ECJ decis­i­on to retain stan­dard con­trac­tu­al clau­ses (SCCs) as an appro­pria­te instru­ment incon­si­stent. If the inva­li­di­ty of the Pri­va­cy Shield is pri­ma­ri­ly justi­fi­ed by the escala­ting intel­li­gence acti­vi­ties in the U.S., it must be the same also app­ly to the stan­dard con­trac­tu­al clau­ses. Con­trac­tu­al agree­ments bet­ween data export­er and importer are equal­ly unsui­ta­ble to pro­tect data sub­jects from sta­te access. […] The opti­ons for data export­ers are now the same as they were five years ago when the Safe Har­bor mecha­nism was declared inva­lid. In addi­ti­on to Bin­ding Cor­po­ra­te Rules and indi­vi­du­al agree­ments, it is pri­ma­ri­ly the SCCs that can be used as a basis for trans­fers to third count­ries. At the same time, howe­ver, uncer­tain­ty has increa­sed this time: The ECJ pas­ses the ball to the Euro­pean super­vi­so­ry aut­ho­ri­ties. It empha­si­zes their respec­ti­ve task of sus­pen­ding or pro­hi­bi­ting data trans­fers on the basis of the stan­dard con­trac­tu­al clau­ses. […] Both the The export­er must pro­ve the pro­por­tio­na­li­ty of offi­ci­al access opti­ons and the gua­ran­tee of func­tio­ning legal pro­tec­tion to its local­ly com­pe­tent data pro­tec­tion aut­ho­ri­ty upon request.. […]
  • The Fede­ral Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on (BfDI) expres­ses sober opi­ni­on and indi­ca­tes that the­re is no thre­at of swift action in regu­lar cases:
    […] The ECJ makes it clear that inter­na­tio­nal data traf­fic is still pos­si­ble. Howe­ver, the fun­da­men­tal rights of Euro­pean citi­zens must be respec­ted. Spe­cial pro­tec­ti­ve mea­su­res must now be taken for data exch­an­ge with the USA. Com­pa­nies and public aut­ho­ri­ties can use data no lon­ger on the basis of the Pri­va­cy Shield which the ECJ has declared inva­lid. During the chan­geo­ver, we will of cour­se inten­si­ve­ly advi­sed. […] The ECJ has con­firm­ed and streng­the­ned the role of data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. They must check and be able to check whe­ther the high requi­re­ments of the ECJ are met for each indi­vi­du­al data pro­ce­s­sing ope­ra­ti­on. This also means, that they pro­hi­bit the exch­an­ge of data if the con­di­ti­ons are not met. Both com­pa­nies and aut­ho­ri­ties, as well as regu­la­tors, now have the com­plex task of app­ly­ing the ruling in prac­ti­ce. We will be working on a Fast imple­men­ta­ti­on in par­ti­cu­lar­ly rele­vant cases urge. […]
  • The Bava­ri­an Sta­te Office for Data Pro­tec­tion and the Hes­si­an Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on has so far refrai­ned from com­men­ting on the matter.
  • The UK Infor­ma­ti­on Commissioner’s Office (ICO) has noted the decis­i­on only brief­lybut seems much more practical:

    We stand rea­dy to sup­port UK orga­nizati­ons and will be working with UK Govern­ment and inter­na­tio­nal agen­ci­es to ensu­re that glo­bal data flows may con­ti­n­ue and that people’s per­so­nal data is protected.

  • The French super­vi­so­ry aut­ho­ri­ty, CNIL, is also still hol­ding back:

    Bey­ond the sum­ma­ry shared by the CJEU in its press release, the CNIL is curr­ent­ly con­duc­ting a pre­cise ana­ly­sis of the judgment, tog­e­ther with its Euro­pean coun­ter­parts assem­bled within the Euro­pean Data Pro­tec­tion Board. This joint work aims at dra­wing con­clu­si­ons as soon as pos­si­ble on the con­se­quen­ces of the ruling for data trans­fers from the Euro­pean Uni­on to the United States.

  • The Irish Data Pro­tec­tion Com­mis­si­on prai­ses its­elf and wel­co­mes the ruling:

    The Data Pro­tec­tion Com­mis­si­on (DPC) stron­gly wel­co­mes today’s judgment from the Court of Justi­ce of the Euro­pean Uni­on (CJEU). […] Thus, while in terms of the points of prin­ci­ple in play, the Court has endor­sed the DPC’s posi­ti­on, it has also ruled that the SCCs trans­fer mecha­nism used to trans­fer data to count­ries world­wi­de is, in prin­ci­ple, valid, alt­hough it is clear that, in prac­ti­ce, the appli­ca­ti­on of the SCCs trans­fer mecha­nism to trans­fers of per­so­nal data to the United Sta­tes is now que­stionable. This is an issue that will requi­re fur­ther and careful exami­na­ti­on, not least becau­se assess­ments will need to be made on a case by case basis. […]

  • The Ita­li­an gua­ran­tor and the Spa­nish AEPD have not published any state­ment as far as can be seen.
Deutsch 
Deutsch 

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be

Sub­scri­be to news →

© datenrecht.ch – Wal­der Wyss Ltd.

🔑

Acts

FDPA imple­men­ta­ti­on

Links

Down­loads

About us

Sub­scri­be

Pri­va­cy Notice