The GDPR has now been in force for three years. Its main purpose is to bring about legal certainty in data protection. This has not yet been achieved for data transfers to the USA. This is a major challenge for the future.

Hardly anything works without transfers to the USA

Most companies have no choice but to transfer personal data to the USA. Some belong to a group with a parent company in the USA and therefore have to report there. Almost all companies use Internet services that store data in the USA. Current examples include systems for video conferencing, HR systems, user software, newsletter service providers, mail programs, etc. In most cases, they run on server locations within the EU, but still „phone home“ to the USA.

The USA – a third country

A company that transfers data to the USA must comply with the requirements of the GDPR. As is well known, the USA is not a member of the EU, but a so-called third country. US law is not oriented to the requirements of the GDPR. Therefore, measures are necessary to ensure that „the level of protection for natural persons ensured by this Regulation is not undermined.“ (literally Art. 44 sentence 2 GDPR).

The golden path: general regulations

It would be ideal for companies if there were general EU requirements that ensured this. The European Commission could then determine that these requirements ensure an adequate level of protection for data transfers to the USA („adequacy decision“ pursuant to Art. 45 GDPR). The EU has tried to follow this path twice in close cooperation with the U.S. side.

„Safe Harbour“ and „Privacy Shield“ are history

Initially, the „Safe Harbour“ regulations were intended to literally create a safe harbor for data transfers to the US. Later, the „Privacy Shield“ was intended to provide a shield for GDPR-compliant data transfers to the US. Both were comprehensive sets of regulations. Both found no mercy at the European Court of Justice. Its decisions are known by the shorthand terms „Schrems I“ and „Schrems II.“ In each case, Mr. Schrems, an Austrian lawyer, had initiated the proceedings that led to the decisions.

The current status: Adoption of new standard contractual clauses by the EU Commission

On Friday, 4th June 2021, the EU Commission endorsed and adopted new standard contractual clauses (SCC). With this, the Commission sought to adapt the SCC, as the remaining alternative instrument for data transfers, to the case law of the European Court of Justice. It also wanted to reflect the requirements of the General Data Protection Regulation (GDPR) in the clauses.
Thus, for the first time, the revised SCCs prescribe safeguards „to address any impact of the laws of the third country of destination“ on the data importer’s compliance with the clauses. In particular, it is important to clarify in advance „how to deal with binding requests from authorities in the third country for onward transfer of the personal data transferred.“ The rules are supported by the understanding that laws that respect the essence of fundamental rights and freedoms and are necessary and proportionate in a democratic society do not conflict with the clauses.
The data importer is to agree, in an addendum to the SCC, to notify data subjects without delay when it receives a legally binding request from a public authority for the release of personal information. Details of the personal information requested, the requesting agency, the legal basis for the request, and the response given must be provided. If the importer is prohibited from doing so, it must make „best efforts to have the prohibition lifted.“ In addition, the entity receiving the data should exhaust „all available legal remedies to challenge the request“ if necessary.
Also to be disclosed, according to the SCC appendix, are the measures taken to minimize the amount of personal data prior to transfer, such as pseudonymization and encryption. If processing is done via an external service provider, suppliers must ensure that they also take the necessary additional precautions.
Companies will soon have to conclude new standard contractual clauses and replace their existing clauses with the new ones. This applies not only in relation to external third parties, e.g. service providers or customers, but also to intra-group contracts.