Wird diese Nachricht nicht richtig dargestellt, klicken Sie bitte hier.

Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 71 | 2020-01-13


Opinion in the ECJ Proceedings on Data Transmission to Facebook, Amazon, Microsoft, Google & Co.
Dr. Hans Markus Wulf


The opinion of the EU Advocate General in ECJ proceedings C-311/18 (“Schrems II”) was published on December 19, 2019. It deals with the transfer of personal data to countries outside the EU, at the center of which is the question whether EU companies may make use of the cloud services of US companies such as Microsoft, Amazon, Facebook, Google or Salesforce when this means that the data will be saved on US servers.

What has happened?

The case in question was brought before the European Court of Justice in mid-2018. The Irish High Court, the highest civil and criminal court in Ireland, asked the ECJ for clarification whether a data transfer from Facebook Ireland to the server of Facebook Inc. in the USA was permitted on the basis of the existing EU standard contractual clauses (Art. 46 GDPR), or, rather, whether the Decision of the EU Commission pertaining to this (No. 2010/87) was invalid due to, inter alia, the rampant monitoring of US government agencies such as the NSA, FBI and CIA. It had been expected that the ECJ would decide against the EU standard contractual clauses, as these date in part from 2001 and hence are nearly as old as the Safe Harbor Decision that the ECJ declared invalid in 2015 and which had similarly been used as a legal basis for US data transfer. If the ECJ did declare the EU standard contractual clauses invalid, this would mean that the transmission of personal data to servers in third countries (i.e. outside of the EU) on this basis would be impermissible and would therefore constitute a data protection infringement punishable by a fine. Companies in the EU that use US providers (e.g. cloud services from Amazon AWS or Microsoft Azure) therefore have significant interest in the validity of the EU standard contractual clauses, on which such use is based. The ECJ ruling is therefore urgently awaited by all those companies who want to obtain legal security for the use of US cloud services.

The opinion of EU Advocate General Henrik Saugmandsgaard Øe is seen as a preliminary decision for the ECJ judgment, which is expected in spring 2020. In the majority of cases, ECJ judges align themselves with the proposals of the EU Advocate General, so these are certainly directional. Surprisingly, however, in this case, the EU Advocate General concluded in his opinion that he saw no reason for concern about the validity of EU standard contractual clauses. Even in the knowledge of comprehensive US monitoring, he argued that they were still compliant with applicable EU constitutional requirements. Although, he did have doubts about the effective implementation of the EU-US Privacy Shield as a legal basis for data transmission. In this regard, however, the relevant supervisory authorities themselves are able to impose a ban in individual cases where there is specific reason to believe an infringement of the GDPR has occurred.

What should be done now?

The prospects for companies that use cloud services from US providers such as Amazon, Microsoft, Google or Facebook, or want to use such in future, are considerably brighter thanks to this opinion. If the ECJ judgment in spring 2020 follows the recommendation of the EU Advocate General, data transfer to the US, and thus the continued use of US providers, will continue to be permissible on the basis of the Privacy Shield and/or EU standard contractual clauses.

At the same time, the reaction of the Irish supervisory authority to the opinion must be very closely observed, as the latter was indirectly requested to carry out a closer examination of individual cases of data transfer to US servers. In addition, it is possible that the German supervisory authorities also change their practice and no longer accept the blanket use of standard contractual clauses, but rather examine the appropriateness of each individual case. Companies are therefore advised to test their own use of standard contractual clauses in order to solve this problem sooner rather than later.



Author


Dr. Hans Markus Wulf is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.

Contact

T +49 40 35 52 80-0
F +49 40 35 52 80-80
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Heuking Kühn Lüer Wojtek
Dr. Christian Appelbaum
Heuking Kühn Lüer Wojtek
Dr. Ubbo Aßmus
Heuking Kühn Lüer Wojtek
Dr. Felix Drefs
Heuking Kühn Lüer Wojtek
Alexa Finke, LL.M.
Heuking Kühn Lüer Wojtek
Regina Glaser, LL.M.
Heuking Kühn Lüer Wojtek
Torsten Groß, LL.M.
Heuking Kühn Lüer Wojtek
Maike Katharina Hinz
Heuking Kühn Lüer Wojtek
Britta Hinzpeter, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Thomas Jansen
Heuking Kühn Lüer Wojtek
Dr. Philip Kempermann, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Lutz Martin Keppeler
Heuking Kühn Lüer Wojtek
Dr. Markus Klinger
Heuking Kühn Lüer Wojtek
Michael Kuska, LL.M., LL.M.
Heuking Kühn Lüer Wojtek
Astrid Luedtke
Heuking Kühn Lüer Wojtek
Marcel Maybaum
Heuking Kühn Lüer Wojtek
Antje Münch, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Søren Pietzcker, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Wolfgang G. Renner, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Dirk Stolz
Heuking Kühn Lüer Wojtek
Dr. Frederik Wiemer
Heuking Kühn Lüer Wojtek
Dr. Florian Winzer
Heuking Kühn Lüer Wojtek
Dr. Hans Markus Wulf





I want to
unsubscribe

subscribe









Heuking Kühn Lüer Wojtek
© 2020 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.

datenschutz@heuking.de