Wird diese Nachricht nicht richtig dargestellt, klicken Sie bitte hier.

Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 84 | 2020-09-02

Following the European Court of Justice judgement regarding the Privacy Shield – data protection authority publishes recommended actions for practice
Dr. Hans Markus Wulf

In July 2020, the European Court of Justice (C-311/18, "Schrems II") declared the EU-US Privacy Shield as invalid as the legal basis for the transfer of personal data to the USA and increased the requirements on the EU standard contractual clauses. This article provides an overview of the reaction of the supervisory authorities since then based on an orientation guide published on August 24, 2020 by the data protection authority in Baden-Württemberg 'Handlungsempfehlungen für Unternehmen' [recommended actions for companies].

Facts of the case

Since 2016, the EU-US Privacy Shield (an adequacy decision of the EU Commission based on contractual agreements between the EU and the USA) has, inter alia, been a mechanism for the transfer of personal data when using cloud services from US providers such as Amazon, Microsoft, Google or Salesforce. Like its predecessor, the Safe Harbor Agreement, which was already declared invalid in 2015, EU-US Privacy Shield was declared invalid by the European Court of Justice on July 16, 2020. Consequently, EU companies have no longer been able to base their use of US cloud services on the Privacy Shield since July 16, 2020. In the meantime, the EU Commission has initiated talks with the US Department of Commerce to find a new agreement. Pursuant to Art. 46 GDPR, the EU standard contract clauses in particular initially remain in place as an alternative. However, the ECJ also qualified these as insufficient if it is established in individual cases that an adequate level of protection does not exist due to the monitoring practices of government authorities in the respective country. Thus, if it is established that US government authorities have, for example, uncontrolled access to the data of EU citizens at any time in violation of their rights, the EU standard contractual clauses can only serve as a suitable legal basis for the use of US cloud services if additional guarantees are met.

In the past weeks, it was uncertain within the EU under which conditions companies can continue to use services such as Microsoft Office 365, Amazon Web Services or Salesforce, or transfer data to non-EU countries as part of supply relationships or as a result of corporate guidelines. Since the validity of the EU standard contract clauses continues, it was in particular questioned which appropriate, supplementary guarantees the ECJ requires.

Reactions of the supervisory authorities

So far, the supervisory authorities of the federal states have only made rather general statements and clear, unambiguous recommended actions, such as the state authorities in Thuringia, Hamburg, Rhineland-Palatinate, the German data protection conference, or the EU data protection committee have been lacking. Only the state authority in Berlin expressed quite clearly that, according to the findings of the ECJ, EU companies would now have to switch from US providers to providers in the EU or in third countries with an adequate level of data protection. A few days ago, the plaintiff in the above-mentioned ECJ proceedings (Max Schrems) also submitted a three-digit number of complaints to supervisory authorities in the EU in order to accelerate the enforcement of the new, stricter requirements for US data transfer.

On August 24, 2020, the state authority in Baden-Württemberg went public with proposed actions. In its Orientation guide the authority provides specific instructions for implementing the new ECJ requirements. The most important statements are:

  • Data transfer to the USA based solely on the (now invalid) Privacy Shield can result in fines. This applies in particular if the target company is subject to the FISA Act, the Cloud Act or Presidential Policy Directive 28.
  • If the US data transfer is based on EU standard contractual clauses (which obviously must be signed by the respective US provider), this is only sufficient if additional guarantees are provided, such as a) use of encryption technology, b) anonymization or pseudonymization (if only the EU company can attribute the data) or c) an agreement with the US providers that the data will be stored and processed exclusively on EU territory ("EU option"). Processing on EU territory means that remote access from third countries (such as the USA) also has to be restricted accordingly.
  • The exception provision of Art. 49 GDPR may only be applied very restrictively; insofar, consent or contractual requirement, for example, can only be used with restrictions as a legal basis for US data transfer on a permanent basis.
  • In order to demonstrate a willingness to act in compliance with the law to the supervisory authorities, individual contact with the respective US providers has to be documented; this should in particular relate to an amicable amendment of the EU standard contractual clauses (which is described in detail in the orientation guide).
  • Upon request, it also has to be demonstrated to the supervisory authorities whether reasonable alternative offers without transfer problems exist (e.g., from German providers) and it has to be substantiated why these offers were not used, if applicable.
Recommended actions

Thus, the proposals of the state authority in Baden-Württemberg are already much more specific than those previously provided by the other public authorities. Consequently, companies should prepare evidence based on the new orientation guidelines that can be presented in the case of an official audit. With regard to the invalid EU-US Privacy Shield, the data protection declaration of a company's website should also be reviewed to verify whether certain types of processing (e.g. Google Analytics) are still using this legal basis; if applicable, the processing operations have to be adjusted accordingly and all references to the EU-US Privacy Shield are to be erased.

On September 23, 2020 at 4:00 p.m. we are hosting a webinar in our office on the topic "Data transfer to third countries following Schrems II - what has to be considered in the future". The webinar is free of charge. You can register under this link.


Dr. Hans Markus Wulf is a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.


T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Heuking Kühn Lüer Wojtek
Dr. Christian Appelbaum
Heuking Kühn Lüer Wojtek
Dr. Ubbo Aßmus
Heuking Kühn Lüer Wojtek
Dr. Felix Drefs
Heuking Kühn Lüer Wojtek
Maike Katharina Hinz
Heuking Kühn Lüer Wojtek
Britta Hinzpeter, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Thomas Jansen
Heuking Kühn Lüer Wojtek
Dr. Philip Kempermann, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Lutz Martin Keppeler
Heuking Kühn Lüer Wojtek
Dr. Markus Klinger
Heuking Kühn Lüer Wojtek
Michael Kuska, LL.M., LL.M.
Heuking Kühn Lüer Wojtek
Astrid Luedtke
Heuking Kühn Lüer Wojtek
Marcel Maybaum
Heuking Kühn Lüer Wojtek
Antje Münch, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Søren Pietzcker, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Wolfgang G. Renner, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Dirk Stolz
Heuking Kühn Lüer Wojtek
Dr. Frederik Wiemer
Heuking Kühn Lüer Wojtek
Dr. Florian Winzer
Heuking Kühn Lüer Wojtek
Dr. Hans Markus Wulf

I want to


Heuking Kühn Lüer Wojtek
© 2020 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.