In early October, US president Joe Biden signed an executive order to facilitate the transfer of personal data between the EU and the USA. This is the first step aimed at restoring cooperation in this area after the original mechanisms were abolished by decisions of the European Court of Justice (the “ECJ”). How will this change affect the operations of European companies doing business with their counterparts in the USA?
The original “Safe Harbour” data transfer regime and its successor “Privacy Shield”, both approved by the European Commission, were successively declared invalid by ECJ rulings. In the “Schrems I” and “Schrems II” cases a Facebook user objected to the unauthorised transfer of his personal data to servers in the United States. The ECJ ruled in his favour, pointing out in particular that the level of data protection in the USA does not reach the standards set by EU law, such as the GDPR and the EU Charter of Fundamental Rights. The access that US intelligence services have to this information was considered especially problematic.
These shortcomings ultimately resulted in additional obligations for EU companies working with US companies. But the issue also affects those using cloud providers such as Microsoft or Google to store their customers’ data.
At this point, it should be mentioned that in order for data to be transferred outside the EU, the third country must be designated safe by the European Commission. Following the aforementioned ECJ rulings, this does not apply to the USA.
Currently, if European citizens’ personal data needs to be provided to an American company, a written contract is required. The Standard Contractual Clauses (“SCCs”) issued by the European Commission, which in their current wording provide a model contract between data controllers and recipients in a third country, can be used for this purpose.
In the “Schrems II” decision the ECJ imposed additional obligations on companies: if the target country – for example the USA – operates surveillance programmes that are questionable from a rule-of-law perspective, model clauses alone are not sufficient.
EU data exporters must adopt additional measures to protect personal data. For example, that could mean effective data encryption. Such encryption is, however, incompatible with many cloud applications: in order to process data in cloud software the data must be decrypted, which in turn exposes it to technical access by the NSA and other intelligence services.
The executive order approved by the American president is therefore a response to the problems outlined above and a number of elements contained in it are identical to the legal principles in the GDPR. It is now up to the EU Commission to examine whether the American standard is sufficient.
Until that time, EU data controllers and processors should not use the cloud services of American companies without further consideration, otherwise they run the risk of heavy fines imposed by data protection supervisory authorities. Even if the USA is designated a safe country under the GDPR by the EU Commission, another decision by the ECJ, which again takes an opposite view to the Commission, can be expected sooner or later. So, maybe we can expect a Schrems III.