German Data Protection Authority: No Grace Period on EEA Data Transfers to the US
On July 28, 2020, German supervisory authorities (Datenschutzkonferenz, the “DSK”) issued a statement emphasizing that organizations that rely on Standard Contractual Clauses (“SCCs”) or Binding Corporate Rules (“BCRs”) must implement additional safeguards to lawfully transfer personal data to third countries.
In keeping with the Court of Justice of the European Union (CJEU) judgment of 7/16 and the European Data Protection Board (EDPB) FAQ Memo of 7/20, the German DSK statement affirmed its intent to enforce GDPR under the framework of the Court’s ruling, with no grace period to comply.
The highlights of the German DSK statement are:
- Organizations receiving transfers of EU Personal Data outside of the European Economic Area (EEA) are required to review the mechanisms and provide additional protections to safeguard the privacy rights of EU citizens, particularly organizations in the U.S.
- Organizations receiving transfers on the basis of Standard Contractual Clauses (SCCs) are to:
  - Demonstrate they are able to protect data at a level “essentially equivalent” to that of the EU, and
  - Demonstrate they are able to prevent the law of the recipient country from interfering with any additional protective measures put in place.
The DSK specifically stated that the use of SCCs without additional protection measures is generally not sufficient to lawfully transfer data to the U.S. The DSK noted the same standard with respect to BCRs, a transfer mechanism provided in Article 47 of the EU General Data Protection Regulation (“GDPR”).
The DSK did not issue guidance concerning what additional measures organizations might implement to enhance protections for personal data when using SCCs or BCRs. The DSK noted that the Privacy Shield invalidation was immediate and that the CJEU did not provide for any transition or grace period. It suggested that data controllers review the conditions to determine whether they can continue transferring personal data to the U.S.
Further challenges to Facebook’s data transfers – the basis for the suit that resulted in the Privacy Shield’s invalidation – are expected. Max Schrems—the privacy activist responsible for the repeated challenges to EU-U.S. transfer mechanisms—has indicated his intent to raise further challenges in the wake of the CJEU’s judgment.
Achieved Compliance has +40 years’ experience in international data protection across 50 countries. Our deep understanding of data flows between the EU and the US provides you with a customized assessment of how to comply with GDPR after the Schrems II ruling. For a complimentary consultation to discuss your challenges in managing data transfers between the EU and the US, schedule a consultation.
Achieved Compliance – We take the complexity out of data privacy compliance.