In the newsletter Update Datenschutz Nr. 71 of January 9, 2020, Attorney Dr. Hans Markus Wulf of Heuking Kühn Lüer Wojtek refers to a statement of the EU Advocate General in the ECJ proceedings regarding the data transfer from Facebook Ireland to Facebook USA (“Schrems II”). Specifically, the question is whether EU companies can take advantage of cloud offers from US companies (Case C-311/18).
What was the question?
In 2018, the Supreme Civil and Criminal Court in Ireland had submitted to the ECJ the question of whether, on the basis of the existing EU standard contractual clauses (Art. 46 DSGVO), data may be transferred from Facebook Ireland to servers of Facebook Inc. in the USA.
“It had been expected that the ECJ would make a negative statement on the EU standard contractual clauses, as some of these date back to 2001 and are therefore almost as old as the Safe Harbor Agreement, which was declared invalid by the ECJ in 2015 and which was also used as the legal basis for the US data transfer at that time.
The Advocate General’s answer to that question
“Surprisingly, however, EU Advocate-General Henrik Saugmandsgaard Øe concluded in his opinion in the present case that there are no concerns about the validity of the EU standard contractual clauses. There would be concerns about the effective implementation of the EU-US privacy shield, which continues to be used as the legal basis for data transfers. In this respect, however, the competent supervisory authorities themselves are in a position to issue a ban in individual cases if there are indications of a violation of the DSGVO.
What does that mean?
Dr. Hans Markus Wulf: “The prospects for companies that use or plan to use cloud services from US providers such as Amazon, Microsoft, Google or Facebook have brightened considerably as a result of the present statement. If the ECJ follows the recommendation of the EU Advocate General in its ruling in spring 2020, then US data transfer (…) will still be permitted on the basis of the privacy shield and/or the EU standard contractual clauses.
At the same time, however, the Irish regulator’s reaction to the opinion should be monitored very closely, as it was indirectly requested to take a closer look at data transfers to US servers in individual cases. In addition, it is possible that German supervisory authorities will also change their practice and will no longer accept the use of standard contractual clauses across the board in future, but will instead review their appropriateness in each individual case. It is therefore advisable to review one’s own use of standard contractual clauses in order to counter this problem at an early stage.
Read the complete article here
Further information of the law firm Heuking Kühn Lüer Wojtek on the subject of data protection can be accessed or obtained under this link.
Note: This is a machine translation. It is neither 100% complete nor 100% correct. We can therefore not guarantee the result.