Data-driven technologies ensure that governments work, companies can act, and families stay connected. But all these services are based on the fact that data can flow freely, often across national borders.
But what protection does this “traveling” data have? The answer is of the utmost importance, especially when it comes to personal information. In the various data protection laws around the world, there are different interpretations of what personal data is and what exactly its protection means. That is why we base our data traffic on various legal bases today.
One of the world’s most important mechanisms for international data transfer was put to the test by the European Court of Justice (ECJ) in July last year. The case of “data protection officer against Facebook Ireland and Maximilian Schrems” or “Schrems II” is currently celebrating its one year anniversary. There it was about the validity of standard contractual clauses, a legal instrument that is used for data transfer from Europe to over 180 countries.
According to EU law it is imperative that the rights, obligations and the protection of personal data is preservedif these are transferred to other countries and are therefore subject to different jurisdictions. In addition, the EU stipulates that personal data may not leave the European Economic Area (EEA). Exceptions apply if the organization sending the data uses a valid transfer mechanism.
This means that either the European Commission determines – for example in a bilateral agreement such as the Privacy Shield – that data protection in the third country is “appropriate”, or there are so-called “binding internal data protection rules” (Binding Corporate Rules, BCR) . The third and most common option is to include approved commitments in contracts, such as standard contractual clauses. In its decision on Schrems II, the ECJ confirmed standard contractual clauses as a valid data transfer mechanism. Then what’s the problem?
According to the ECJ, companies that use standard contractual clauses have to check on a case-by-case basis whether the personal data enjoys the necessary protection in the country to which the data is transferred. A hardly affordable task. Standard contractual clauses can only be used practically if the protection of the data transfer is ensured by an international agreement with the third country.
However, a year ago the ECJ overturned the EU-US Privacy Shield, the instrument for data transfer across the Atlantic, due to concerns about US surveillance practices. For the same reason, the Safe Harbor Agreement (the predecessor of the Privacy Shield) was repealed in 2015. It becomes clear: the real problem is not the alleged misuse or mismanagement of personal data by companies, but rather the extent of government access to this data.
As a result, companies cannot currently rely on any additional transatlantic data transfer mechanism if they use standard contractual clauses. All that remains is the tedious – and long-term unrealistic – way of perpetual individual examination.
The longstanding political dilemma is now having a direct impact on more than 5,000 European and American companies – more than 70 percent of them are SMEs. However, this only includes companies whose data transfers are based on the Privacy Shield. The number of unreported companies that have been operating under unclear legal relationships since the judgment was made is much higher. The only legal basis that remains is the standard contractual clauses, which, however, usually have to be supplemented by additional measures.
The discussion came to a head after the data protection officers from Hamburg and Baden-Württemberg announced that they would initiate appropriate proceedings against companies that use the services of US companies. The trigger was concerns that the data of German companies in the cloud was not sufficiently protected. At its core, the debate revolves around the question of the extent to which German data is stored by US cloud providers, whether US authorities have access to this data and to what extent the standard contractual clauses are sufficient to protect data. The supervisory authorities have followed the ECJ’s request from the Schrems II decision to monitor compliance with the GDPR and, in a joint action, have started to randomly check how companies have implemented the requirements from the decision. The supervisory authorities recently published questionnaires that they send to selected companies.
Many companies in Germany benefit from the services of American tech companies. And without the use of cloud-based business software during the corona crisis, the economic losses in Europe would certainly have been greater. All of these companies could now face a significant risk of fines. It would be desirable – especially in the year of the Bundestag election – if not only the supervisory authorities but also politicians devoted themselves to the challenge of creating legal certainty.
The Schrems II case clearly demonstrated the need for a global convergence of data protection regulations – and even a year after the ECJ’s decision, the issue is more important than ever. The legal uncertainty of German companies shows that action is urgently required. In this crisis, thousands of companies are waiting for a political solution that will stand up to the ECJ.
The decisive factor is the agreement on a balance between the protection of personal data and state security interests as well as national security practices. An international frame of reference would also be advantageous for the German domestic political discussion. A discourse of democratically elected governments, including civil society, is needed as to whether and under what conditions state access to personal data should be enabled in order to achieve the legitimate goal of maintaining public order.
A starting point could be for like-minded governments to agree and commit to a set of principles for access to digital evidence and an adequate level of independent judicial oversight in bilateral or multilateral discussions. Much is at stake and policy makers will have to solve the difficult equation of how to properly balance three fundamental elements: privacy, national security and economic growth.
You might be interested in that too