
Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 61 | 16.07.2019


Risk for international data transfers
Dr. Philip Kempermann, LL.M.


The international transfer of personal data is part of daily business for many companies. They work with international service providers, have affiliates abroad or cooperate with foreign customers and suppliers. The General Data Protection Regulation (“GDPR”) provides a narrow scope for transferring personal data to non-EU countries. According to art. 44-49 GDPR, personal data may only be transferred if this is essential in the individual case for carrying out a contract, the data subject has given consent, the supervisory authorities have given their approval or there are suitable safeguards for the level of data protection in the recipient country.

So far, the European Commission has only recognized 13 countries with an adequate level of data protection (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States within the Privacy Shield framework). If this level or the other requirements above are not met, companies must use other methods to ensure an adequate level of protection. One option within company groups is the use of so-called Binding Corporate Rules, but these are difficult to implement and do not cover transfers to companies outside the group. Otherwise, companies generally use the so-called EU standard contractual clauses. These are contractual clauses issued by the European Commission; the Commission and the supervisory authorities have considered that their use ensures an adequate level of data protection.

EU standard contractual clauses hanging in the balance

While this option is easy to use and accepted all over the world, it is at a tipping point. A case currently before the ECJ, in which the first hearing took place on 9 July 2019 (case C-311/18, Facebook vs. Schrems), raises the question of whether the EU standard contractual clauses can actually ensure an adequate level of data protection.

The complaint filed by data protection activist Max Schrems focuses on whether Facebook can use the standard contractual clauses as a basis to transfer data of European users to the USA. Schrems already fought against the Privacy Shield’s predecessor Safe Harbor, and as a result the ECJ ruled Safe Harbor to be invalid in its verdict dated 6 October 2015 (case C-362/14).

The current case raises the same fundamental questions, specifically how EU citizens can be protected from State access to their personal data outside the EU. The ECJ is expected to apply a similar standard of review as in 2015 for Safe Harbor. It is therefore likely that the EU standard contractual clauses will also be declared invalid, as contractual agreements between two companies in the private sector can never protect against State access, and as a result the adequate level of data protection is called into question.

The ECJ gave no indication in the oral hearing on 9 July 2019 as to which way it will rule. Schrems’s lawyers did not argue for invalidating the EU standard contractual clauses but wanted the supervisory authorities to consider more carefully each individual case of personal data transfer based on the EU standard contractual clauses.

The advocate general is expected to issue an opinion on the matter on 12 December 2019. This will give an initial indication on how the court will rule. A final ruling is not expected until next year.

Importance for companies

Unlike the Safe Harbor case, the EU standard contractual clauses case does not just affect the transfer of personal data to the USA but rather to all countries outside the EU and the EEA that are not expressly recognized as a country with an adequate level of data protection. This means that even transfers to countries of great economic importance, such as China, India, Brazil, Russia, South Africa and Australia, and also the UK in the event of a no-deal Brexit, are at risk. Invalidating the EU standard contractual clauses would mean that they could not be used for transferring data at all, not just to the USA. This would also affect digital services, and the exchange of customer, supplier or employee data within the company group would also be called into question.

What do companies have to do now?

Currently, the EU standard contractual clauses are still a legitimate way to meet the requirements of art. 44-49 GDPR. However, the relevant agreements on data transfer should already include scenarios about what is to happen in the event that the EU standard contractual clauses are declared invalid. There are also other options available for data transfer that have to be carefully examined in individual cases. Obtaining consent from data subjects is undoubtedly the least practical option, as such consent is not always given and can be withdrawn at any time. It can also be reviewed in individual cases whether the transfer is actually necessary to carry out a contract with the data subject, so that no further measures would be required. It is also important to consider whether it is necessary to transfer data at all or whether, for example, service providers in other EU Member States can be used.

Companies must closely monitor the progress of the case and prepare for the possible outcome.

Author


Dr. Philip Kempermann, LL.M., is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.

Contact

T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Dr. Christian Appelbaum
Dr. Ubbo Aßmus
Dr. Felix Drefs
Alexa Finke, LL.M.
Regina Glaser, LL.M.
Torsten Groß, LL.M.
Maike Katharina Hinz
Britta Hinzpeter, LL.M.
Dr. Thomas Jansen
Dr. Philip Kempermann, LL.M.
Dr. Lutz Martin Keppeler
Dr. Markus Klinger
Michael Kuska, LL.M., LL.M.
Astrid Luedtke
Marcel Maybaum
Antje Münch, LL.M.
Dr. Søren Pietzcker, LL.M.
Dr. Wolfgang G. Renner, LL.M.
Dr. Dirk Stolz
Dr. Frederik Wiemer
Dr. Florian Winzer
Dr. Hans Markus Wulf
© 2018 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.