For the processing of personal data in the United States, the self-certification of providers under the EU-US Privacy Shield has so far been a sufficient guarantee of data protection comparable to the requirements in the EU. This has now been overturned by the European Court of Justice (ECJ). As a result, with immediate effect, anyone responsible for processing who passes personal data on to the USA must create and prove other suitable guarantees.
Although the ECJ emphasises in its ruling that so-called Standard Contractual Clauses (SCC) remain valid in principle, both European data exporters and data importers in third countries are obliged to check before the first data transfer whether the third country has state access to the data that goes beyond what is permitted under European law (para. 134 et seq., 142 of the ruling). The mere conclusion of standard contractual clauses is not sufficient here (para. 126 et seq. of the ruling). This is also emphasised by the supervisory authorities.
In addition, Article 49 of the GDPR requires that website visitors are explicitly informed of the risks of the data transfer, and the guidelines of the European Data Protection Board (EDPB) also take this up in Article 64. However, wording the warnings in cookie banners so that they are legally sound under these guidelines is not only difficult; experience shows that it also leads to a further reduction in consent rates, so that hardly any data can be collected when the guidelines are implemented in a legally compliant way.
Today, a legally compliant integration of analysis tools such as Google Analytics, Adobe Analytics or Mapp is not possible, and using them therefore carries the risk of high fines. Violations of the duty to provide information in the case of consent can, for example, lead to warnings from competitors and consumer associations. The ECJ also emphasises that affected persons can claim damages (in particular so-called compensation for pain and suffering) for unauthorised data exports.
Users of solutions from US providers such as Google Analytics, Adobe Analytics, Mapp, OneSignal or Airship should act immediately, because according to a DSK press release dated 28 July 2020, the ECJ “does not grant any transitional or grace period” (translated by the author). This means that considerable fines are possible with immediate effect!
Those responsible should now analyse very carefully their processing operations, if they take place in the United States, and service providers with
In her press release of 17.07.2020, the Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, calls on companies that “transfer personal data to the USA for the sake of convenience or cost savings […] to switch immediately to service providers in the European Union or in a country with an adequate level of data protection” (translated by the author).
On August 25, 2020, the State Commissioner for Data Protection and Freedom of Information (LfDI) of Baden-Württemberg, Dr. Stefan Brink, was the first data protection supervisory authority in Europe to publish concrete guidelines for interpreting the Schrems II ruling. He also takes a clear position, stating:
“The focus of the further procedure of the LfDI Baden-Württemberg will be the question of whether, besides the service provider/contract partner you have chosen, there are also reasonable alternative solutions without transfer issues. If you cannot convince us that the service provider/contract partner with transfer issues you are using is irreplaceable in the short and medium term by a reasonable service provider/contract partner without transfer issues, then the LfDI Baden-Württemberg will prohibit data transfer […].” (translated by the author).
etracker Analytics users are still on the safe side, because personal data is processed exclusively in the EU at our computer centre in Hamburg, Germany.