„Schrems II“ and stan­dard con­trac­tu­al claus­es

Maximilian

"Schrems II" and Standard Contractual Clauses

Since the decision of the European Court of Justice ("ECJ") in Case C-311/18 in July 2020 - better known as the "Privacy Shield decision" or "Schrems II" - it has been established in principle that there is no adequate level of data protection in the USA.

Since then, transfers of personal data to US recipients have therefore only been permitted under extremely limited conditions.

What seems to have caused confusion since then (or is probably also being used in a deliberately confusing way in some cases) is the question of how the so-called "EU standard contractual clauses" can be used. The "EU standard contractual clauses" are in themselves a catalog of regulations which, if included in a contract between the transferor and the recipient of personal data, can form a legal basis for transfers outside the EU as well.

The ECJ also addressed the question of whether these standard contractual clauses can constitute a suitable basis for data transfers outside the EU in its decision. However, what the ECJ had to say about this and what consequences this entails seems to be spreading very hesitantly in practice.

The core statement on this is first of all: the use of standard contractual clauses can constitute a suitable legal basis for the transfer of personal data from the European Union to third countries. So far so (semi-)clear. However, if you then look at what the ECJ uses to justify the fundamental permissibility of using standard contractual clauses, it becomes clearer what this means for transfers to U.S. recipients.

The ECJ considers the EU standard contractual clauses to be a suitable legal basis for data transfers to third countries in particular because the clauses themselves provide rules for what must happen if the recipient of the data can no longer meet its contractual obligations. Indeed, the immediate consequence is that any data transfers must be stopped immediately and the transferor has the right to withdraw from the underlying contract.

"THE CONTROLLER IS OBLIGED TO SUSPEND DATA TRANSFERS AND/OR WITHDRAW FROM THE CONTRACT IF THE RECIPIENT OF THE TRANSFER IS NOT OR NO LONGER ABLE TO COMPLY WITH THE STANDARD DATA PROTECTION CLAUSES."

The standard contractual clauses are therefore a viable legal basis for third country transfers because they themselves provide a mechanism to immediately stop any transfer as soon as the third country recipient is no longer able to comply with its contractual obligations, which are precisely intended to ensure an adequate level of data protection.

It therefore follows that the use of EU standard contractual clauses is of course permissible - but the permissibility of their use does not mean that data transfers are therefore automatically permissible. Quite the contrary. Especially when using standard contractual clauses, the transferor and recipient must carefully check whether the recipient can also fulfill its contractual obligations. For transfers to U.S. recipients, the ECJ has effectively ruled out the possibility of compliance with these obligations. After all, contractual obligations cannot change the fact that U.S. recipients are forced to hand over data on the basis of national legal rules.

The consequence of the use of standard contractual clauses in connection with transfers to U.S. recipients would thus only be the inadmissibility of the data exchange resulting from the standard contractual clauses, including the possibility of withdrawal for the data transmitter.
The question of the permissibility of the use of standard contractual clauses is therefore completely separate from the question of data transfers based on them.
Under current law, EU standard contractual clauses cannot provide a legal basis for transfers of personal data to U.S. recipients. On the contrary, the use of standard contractual clauses is already permissible in principle only because standard contractual clauses prevent transfers to U.S. recipients under the given circumstances.

What is punishable under these circumstances is the processing of personal data that has been entrusted or accessed on the basis of professional employment or that has been obtained unlawfully.

Personal data in which the data subject has a confidentiality interest worthy of protection is protected. According to Section 1 of the Data Protection Act, a confidentiality interest worthy of protection does not exist "if data is not accessible to a confidentiality claim due to its general availability or due to its lack of traceability to the data subject". Otherwise, the law generally assumes that a confidentiality interest worthy of protection exists.
While data processing with intent to cause damage in the corporate sector will only be realized under exceptional circumstances, data processing with intent to enrich is accomplished much faster than one would like to believe.

A problem in this context is the unfortunately widespread use of online tools, which are now generally known to be made available free of charge because they serve as data collection tools in the background for the companies providing them. This applies in particular to tools integrated into many corporate websites, such as Google Analytics or YouTube videos. The quid pro quo for the use of these tools is that data of every website visitor flows to Google or YouTube.

This data outflow is inadmissible under data protection law in most cases, at the latest since the repeal of Privacy Shield. Apart from the fact that the outflowing data in connection with company websites mostly became accessible in the context of professional employment, this also usually constitutes unlawful acquisition.
The crux of the matter, however, is that the use of these tools, which are highly questionable under data protection law, is usually based solely on the fact that they are made available free of charge and thus no costs are incurred for the company's own provision of such resources or the use of data protection-compliant solutions. However, intent to enrich is not only given if the aim is to achieve a profit, but also if the result of the frowned-upon action is to be a saving.

Inactivity on the part of data protection authorities currently often leads to known data protection problems being taken lightly, as there are supposedly no consequences under data protection law.
However, anyone who accepts problems under data protection law in order to avoid the expense of implementing them in compliance with data protection law is committing a crime of data processing with intent to enrich and is suddenly no longer dealing with an elusive data protection authority, but with the responsible public prosecutor's office.

The use of YouTube videos on corporate websites in particular therefore poses a massive risk for corporate decision-makers, which in the worst case can result in the imposition of custodial sentences.