Some authorities have already joined the Schrems II ruling of the ECJ expressed. The picture is mixed. While one authority demands immediate repatriation of data (Berlin), others suggest that activism is not necessary except in special cases. A selection:
- The FDPIC, as reported, examines the impact on Switzerland;
- the EDSA, the European Data Protection Board, welcomes the ruling and emphasizes the responsibility of the exporter in particular if the standard clauses are to be used:
The EDPB welcomes the CJEU’s judgment […]. The CJEU’s decision is one of great importance. […]. With regard to the Privacy Shield, the EDPB points out that the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment. […] While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. […] . If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of. […] The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment.
- The Berlin Commissioner for Data Protection and Freedom of Information Pleased but impractical, directly asks data-processing agencies in Berlin to move personal data stored in the U.S. to Europe:
In its “Schrems II” decision (C‑311/18), the ECJ held on Thursday, July 16, 2020, that U.S. authorities are entitled to extensive access possibilities have access to data of European citizens. It follows that personal data may, as a rule, no longer be transferred to the USA as before until the legal situation changes. Exceptions exist above all in the special cases provided for by law, for example in the case of a hotel booking in the USA. […] The ECJ […] declares the so-called standard contractual clauses […] to be permissible in principle under certain conditions. However, it emphasizes in this context that both European data exporters and data importers in third countries are obliged to check before the first data transfer whether there are governmental access possibilities to the data in the third country that go beyond what is permissible under European law (para. 134 f., 142 of the judgment). If such access rights exist, even the standard contractual clauses cannot justify the export of data. Data that has already been transferred to a third country must be retrieved. Contrary to what has been widely represented so far, The mere conclusion of standard contractual clauses is not sufficient to allow data exports […]. The Berlin Commissioner […] therefore calls upon all data controllers subject to her supervision to observe the decision of the ECJ. Persons in charge who – especially when using cloud services – transfer personal data to the U.S. are now encouraged to immediately Switch service providers in the European Union or in a country with an adequate level of data protection.
- The Hamburg Commissioner for Data Protection and Freedom of Information also appears to take a rather strict stance:
[…] The fact that, in the view of the highest Union court, there can be no “business as usual” with the Privacy Shield is welcome. The relabeling of the predecessor instrument Safe Harbor, which was declared invalid in 2015, with only marginal improvements has not led to a rethink in the US government. […] Against this background, the ECJ decision to retain standard contractual clauses (SCCs) as an appropriate instrument inconsistent. If the invalidity of the Privacy Shield is primarily justified by the escalating intelligence activities in the U.S., it must be the same also apply to the standard contractual clauses. Contractual agreements between data exporter and importer are equally unsuitable to protect data subjects from state access. […] The options for data exporters are now the same as they were five years ago when the Safe Harbor mechanism was declared invalid. In addition to Binding Corporate Rules and individual agreements, it is primarily the SCCs that can be used as a basis for transfers to third countries. At the same time, however, uncertainty has increased this time: The ECJ passes the ball to the European supervisory authorities. It emphasizes their respective task of suspending or prohibiting data transfers on the basis of the standard contractual clauses. […] Both the The exporter must prove the proportionality of official access options and the guarantee of functioning legal protection to its locally competent data protection authority upon request.. […]
- The Federal Commissioner for Data Protection and Freedom of Information (BfDI) expresses sober opinion and indicates that there is no threat of swift action in regular cases:
[…] The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Special protective measures must now be taken for data exchange with the USA. Companies and public authorities can use data no longer on the basis of the Privacy Shield which the ECJ has declared invalid. During the changeover, we will of course intensively advised. […] The ECJ has confirmed and strengthened the role of data protection supervisory authorities. They must check and be able to check whether the high requirements of the ECJ are met for each individual data processing operation. This also means, that they prohibit the exchange of data if the conditions are not met. Both companies and authorities, as well as regulators, now have the complex task of applying the ruling in practice. We will be working on a Fast implementation in particularly relevant cases urge. […]
- The Bavarian State Office for Data Protection and the Hessian Commissioner for Data Protection and Freedom of Information has so far refrained from commenting on the matter.
- The UK Information Commissioner’s Office (ICO) has noted the decision only brieflybut seems much more practical:
We stand ready to support UK organizations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.
- The French supervisory authority, CNIL, is also still holding back:
Beyond the summary shared by the CJEU in its press release, the CNIL is currently conducting a precise analysis of the judgment, together with its European counterparts assembled within the European Data Protection Board. This joint work aims at drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States.
- The Irish Data Protection Commission praises itself and welcomes the ruling:
The Data Protection Commission (DPC) strongly welcomes today’s judgment from the Court of Justice of the European Union (CJEU). […] Thus, while in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis. […]
- The Italian guarantor and the Spanish AEPD have not published any statement as far as can be seen.