Following a vote in the data protection conference, the data protection supervisory authorities of several federal states have decided to check data transfers by companies to countries outside the European Union or the European Economic Area (third countries). This is reported by Maja Smoltczyk, the Berlin commissioner for data protection and freedom of information.
The aim of the concerted action is the broad implementation of the requirements of the European Court of Justice from the so-called Schrems II judgment of July 16, 2020 (case C-311/18).
The ruling found data transfers, primarily to the USA, not compliant with the GDPR because of the risk of access by US authorities, and declared the so-called Privacy Shield, the data protection agreement between the EU and the USA, invalid. “The European Court of Justice has expressly obliged the supervisory authorities to prohibit inadmissible data transfers. With the review that is now under way, we are responding to these challenges”, explains Maja Smoltczyk.
Questions about various data-sensitive areas
Specifically, the supervisory authorities of Berlin, Hamburg, Brandenburg, Bremen, Lower Saxony, Rhineland-Palatinate, Baden-Württemberg, Bavaria and the Saarland contact selected companies and ask them about specific topics. The common questionnaire, which serves as the basis, includes, for example, the topics of sending e-mails, hosting websites, web tracking, managing applicant data and the internal exchange of customer and employee data. The individual authorities decide for themselves which subject areas to review and whether the questions need to be adapted to regional characteristics.
The state commissioner for data protection in Lower Saxony, Barbara Thiel, for example, announces that she will send questionnaires on the subject of mail and web hosting to 18 companies in Lower Saxony in various industries. “The decision of the ECJ put many companies and other responsible bodies in a difficult situation with regard to international data transfer,” says Thiel. “However, as a supervisory authority, we expect those responsible to deal seriously with the new requirements and to look for solutions on their own.”
EU institutions: Act in compliance with data protection regulations yourself
Those responsible also want to advance compliance with the GDPR at the European level. However, the current focus of the highest European data protection authority, the EDPS, is data protection in its own ranks. Only a few days ago, the authority initiated two investigations, which also rely on the Schrems II judgment. One deals with the use of the cloud services from Amazon Web Services and Microsoft by bodies, institutions and agencies of the European Union and one with the use of Microsoft Office 365 by the European Commission.
The investigations are part of the EDPS’s strategy for the EU institutions to comply with the Schrems II ruling so that ongoing and future international transfers are carried out in accordance with EU data protection law.
The background to this is an analysis by the EDPS which shows that personal data is transferred to countries outside the EU and in particular to the United States, particularly when tools and services from large service providers are used. However, the analysis also shows that EU institutions are increasingly using cloud-based software and cloud infrastructure or platform services from large ICT providers, some of which are based in the USA.
A faint doubt remains
The top European data protection officer, Wojciech Wiewiórowski, said that certain types of contracts had been identified that deserved special attention and that it was for this reason that the decision was made to initiate the two investigations. Both Amazon and Microsoft have announced new measures to adapt to the ruling, but: “Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and so it is necessary to properly investigate.”
It is true that the EU institutions (EUI), like other institutions in the EU and the EEA, are dependent on a limited number of providers. With the investigations, however, the data protection authority wants to help the EUI to improve their data protection compliance when they negotiate contracts with their service providers. The specifications for data protection in the EU institutions as well as the tasks of the European data protection officer are set out in Regulation (EU) 2018/1725.