Hamburg: HmbBfDI considers broad impact of Schrems II judgment, highlights inconsistency on SCCs and expanding role of supervisory authorities
The Hamburg Commissioner for Data Protection and Freedom of Information ('HmbBfDI') issued, on 16 July 2020, its statement on the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II case'). In particular, the HmbBfDI welcomed the Judgment as it stated that the previous Safe Harbor instrument, which was declared invalid in 2015 was only marginally improved with the EU-US Privacy Shield, as it had not led to change in the practice of US mass surveillance without cause, and also that there had not been any substantial strengthening of the rights of those affected. Furthermore, the HmbBfDI concurred with the CJEU's view that the ombudsman did not have the appropriate powers.
However, the HmbBfDI noted that it found the CJEU's decision to maintain Standard Contractual Clauses ('SCCs') as an appropriate instrument to not be consistent as, if the invalidity of the Privacy Shield is primarily due to the escalating secret service activities in the USA, the same must also apply to the SCCs. Moreover, the HmbBfDI opined that contractual agreements between data exporter and importer are equally unsuitable to protect those affected from government access.
The HmbBfDI highlighted that the possibilities for data exporting companies to act are now the same as they were five years ago when the Safe Harbor mechanism was declared invalid, and that, in addition to Binding Corporate Rules and individual agreements, SCCs can be used as the basis for transfers to third countries. In addition, the HmbBfDI stated that the CJEU is passing the ball to European supervisory authorities, as the CJEU emphasised these authorities' task of suspending or prohibiting data transfers based on SCCs, and that supervisory authorities will have to observe the content-related standards of the Judgment, specifically, the level of data protection in the recipient country. Furthermore, the HmbBfDI noted that the exporter must be able to, upon request, prove to their relevant data protection authority that the accessibility of the authorities is proportionate and that legal protection is guaranteed. Finally, the HmbBfDI noted that the supervisory authorities in the European Data Protection Board are called upon to jointly evaluate the legal and factual situation in the recipient states and that this responsibility also applies to other states outside the EEA, for which the European Commission has not made any adequacy decisions, in addition to the USA. Finally, the HmbBfDI noted that the network of data protection supervisory authorities in Germany and Europe must now quickly agree on how to deal with companies that now continue to rely illegally on the Privacy Shield, and that companies will have to do the same.
You can read the Statement, only available in German, here.