Following the Schrems II judgment, the use of standard contractual clauses (SCCs) is subject to stricter rules and conditions: EU companies must take additional measures and, in principle, carry out a case-by-case assessment of each data transfer. Moreover, because the ECJ found that US law does not provide a level of protection essentially equivalent to that guaranteed in the EU, transfers of EU personal data to the United States can no longer be assumed to be safe on the strength of the SCCs alone.
Furthermore, standard contractual clauses are subject to review by European supervisory and data protection authorities. If the legal situation in a third country prevents a data recipient from complying with the obligations under the standard contractual clauses, data transfers may be suspended or even prohibited. In other words, the entire transfer chain must be taken into account when examining the level of data protection. Throughout, it must therefore be ensured that national security and investigative authorities in the recipient country cannot access personal data beyond what is necessary and proportionate, and that data subjects have effective legal remedies against such access.
In the current situation, case-by-case assessment is particularly difficult for small and medium-sized enterprises (SMEs), as they don't normally have the know-how or the means to verify whether there's an adequate level of data protection in a third country. Moreover, the ECJ's ruling doesn't specify exactly which concrete standards are to be applied to individual case assessments or to possible supplementary measures alongside the standard contractual clauses.
Nevertheless, SMEs should actively get to grips with the topic. Legal experts advise small and medium-sized enterprises to take the highest precautions and to keep solid documentation of their own data protection efforts. In doing so, companies will be better prepared for a possible legal dispute and better able to defend their actions in court now that the Privacy Shield has been invalidated.
So, with a restricted data flow, how should US businesses that collect data on individuals in the EU move forward, and what measures should they take to make sure they're complying with all the formal aspects of the standard data protection clauses? First and foremost, companies previously certified under the Privacy Shield should examine all data flows, contracts, and relationships that involve the transfer of personal data from the EU to the US. Since the legal situation in the US will now be more closely analyzed by EU companies and the probability of inappropriate data access more carefully assessed, such businesses should review all agreements and decide whether they want to continue receiving that data. Once that is done, they need to determine how the SCCs can be implemented to maintain the data flow. While some partners will be more willing to accept the new agreement to keep business running as usual, others will certainly see it as a chance to renegotiate agreements in their favor.
In the process, it should be clarified whether a business will assume special contractual obligations in view of the current situation (e.g. increased monitoring and notification obligations, including notifying the EU partner of government access requests). EU companies can also call on American business partners and service providers to use all available technical means to strengthen data protection, for example end-to-end encryption in video conferencing software, so that the provider itself cannot hand over plaintext.
EU companies that can do without data transfers, cloud services, and servers in third countries outside the EU will look for GDPR-compliant alternatives in Europe. In addition, developments in data protection law should be closely followed. In an FAQ document on the ECJ's Schrems II judgment, the European Data Protection Board (EDPB) provides information on the current status to interested and affected parties.