
Privacy Shield invalid: EDPB publishes FAQ on the ECJ ruling

The European Data Protection Board (EDPB) has published an FAQ document addressing the urgent questions surrounding data transfers to third countries. This article summarizes the most important statements of the EDPB paper.

Overview of the status quo

The ECJ's decision in C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, continues to make waves. Recommendations for action circulating in the data protection world range from the immediate cessation of all transfers of personal data to the USA to "continue to rely on the Privacy Shield for the time being".

The EDPB describes the current status very clearly:

Is there a waiting period or transition period to implement the judgment?

No. The ECJ has concluded that US law (in particular Section 702 FISA and EO 12333) does not provide data subjects with protection that is essentially equivalent to that under EU law. This assessment applies immediately and to every transfer of data to the USA. Companies are expected to review their third-country transfers against this background.

Are the standard data protection clauses still valid and sufficient basis for the data transfer to the USA?

In principle, the standard data protection clauses (SCC) remain valid. Whether they are a suitable basis for transferring personal data to the USA depends on the individual case. The assessment must take into account the circumstances of the transfer and, where necessary, any additional protective measures. Those additional measures must guarantee a level of protection appropriate to the circumstances and must not be undermined by US law.

For the USA this is likely to prove difficult in practice, since the US law considered by the ECJ (i.e. Section 702 FISA and EO 12333) cannot be excluded by contractual agreement. A lawful transfer of data on the basis of the SCC to US companies that fall within the scope of Section 702 FISA and EO 12333 is therefore only permitted in exceptional cases.

What applies when using Binding Corporate Rules?

Transfers of personal data to third countries on the basis of Binding Corporate Rules (BCR) also remain possible in principle. However, the same applies here as with the SCC: if an appropriate level of protection cannot be guaranteed (e.g. because the protective measures are undermined by the law applicable in the third country), the transfer must be discontinued.

What do companies have to do now?

The EDPB is equally clear about the measures required if a level of protection comparable to that of the EU cannot be achieved:

What if it is determined that adequate protection cannot be guaranteed for data transfers?

If additional protective measures are not possible or if an adequate level of protection cannot be guaranteed, the transfer must be discontinued.

Here the EDPB explains:

"If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA."

In the opinion of the EDPB, companies must notify the competent supervisory authority if they intend to maintain data transfers to the USA (or another insecure third country), although appropriate protection cannot be guaranteed.

Is there now a "reporting obligation" for data transfers to the USA?

Companies that have found that an adequate level of data protection cannot be guaranteed despite standard data protection clauses or binding corporate rules (and any additional protective measures), but still want to transfer personal data to the USA, are obliged to inform the competent supervisory authority.

In its statement, the EDPB refers to para. 145 of the ECJ ruling, which reads:

"Lastly, under Clause 4 (g) in that annex, the controller established in the European Union is required, when the recipient of personal data notifies him or her, pursuant to Clause 5 (b), in the event of a change in the relevant legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the standard data protection clauses, to forward any notification to the competent supervisory authority if the controller established in the European Union decides, notwithstanding that notification, to continue the transfer or to lift the suspension. The forwarding of such a notification to that supervisory authority and its right to conduct an audit of the recipient of personal data pursuant to Clause 8 (2) in that annex enable that supervisory authority to ascertain whether the proposed transfer should be suspended or prohibited in order to ensure an adequate level of protection."

What this obligation to inform the competent supervisory authority means in concrete terms has not yet been conclusively clarified.

Does this only apply to data transfers to the USA?

No. The minimum level of protection described by the ECJ must be guaranteed for every third country to which personal data is to be transferred.

Does the ECJ judgment also affect transfer instruments other than the Privacy Shield?

The ECJ's statements on ensuring an adequate level of data protection in third countries apply to all appropriate safeguards under Article 46 GDPR that are used to transfer data from the EEA to a third country. The EDPB expressly points out that the US law considered by the ECJ (i.e. Section 702 FISA and EO 12333) applies to any transfer to the USA by electronic means that falls within the scope of these laws, regardless of the transfer instrument used.

What options do companies have?

As far as concrete recommendations for action are concerned, the EDPB is rather reluctant to commit itself and refers to assessments that are currently under way.

What about the derogations of Art. 49 GDPR? Are they an alternative?

It is possible to transfer personal data to the USA on the basis of the derogations for specific situations in Art. 49 GDPR, provided the conditions of the respective derogation are met. Here, too, a case-by-case assessment is required.

What is meant by additional protective measures, and do they always help?

For the time being, the EDPB gives no specific recommendations on additional protective measures. It does become clear, however, that additional protective measures are unlikely to help for data transfers to the USA. For transfers to other third countries, it depends on whether the law there allows a level of protection comparable to that of the EU or, as in the case of the USA, does not.

In theory, both legal and technical or organizational measures are possible. Conceivable examples are contract changes or additions, additional encryption and, where applicable, changes to key management.

What about processors in third countries?

The EDPB advises reviewing your data processing agreements to determine whether your contractual partner or its sub-processors are permitted to process data in the USA (or other third countries), or whether service providers from the USA (or other third countries) are granted access to personal data in the EU.

If this is the case, the contractual partner should be contacted in order to negotiate an amendment or addition to the contract.

What does all of this mean for companies in practice?

Companies must review every transfer of personal data to a third country, especially to the USA:

  1. Identify all your data transfers to third countries.
  2. Determine the legal basis on which the data is being transferred.
  3. If the transfer is based on the Privacy Shield, check whether it can now be based on standard data protection clauses, binding corporate rules or another transfer instrument under Art. 46 GDPR, or whether a derogation under Art. 49 GDPR applies.
  4. If the transfer is based on standard data protection clauses or BCR, check whether these ensure protection of personal data that is essentially equivalent to that under EU law.
  5. If this is not the case, check whether an appropriate level of protection can be achieved through additional protective measures, taking the circumstances of the transfer into account. Additional protective measures can be, for example, additional encryption or a contract amendment.
  6. If an adequate level of protection cannot be guaranteed because the data importer is unable to comply with the SCC and the additional protective measures due to the legal provisions of the third country, check whether one of the derogations in Art. 49 GDPR applies. If this is not the case either, the data transfer must be suspended.
  7. If the data transfer is to be continued despite the finding that an appropriate level of protection cannot be guaranteed, the company exporting the data must inform the competent supervisory authority.

The complete FAQ document of the EDPB is available on the EDPB website.


About the author

Dr. Datenschutz

This article was written by Dr. Datenschutz. Our employees, who are usually lawyers with IT skills, publish articles under this pseudonym.

intersoft consulting services AG
