After the European Court of Justice (ECJ) in July the Transatlantic "Privacy Shield" and thus one of the most important foundations for the transfer of customer data from the EU into the United States, the EU Commission now tries to rescue a substantially remaining alternative instrument. On Friday, it publishes a draft of new so-called standard contract clauses (SVK) for information transfer in third countries.
Taking into account of Schrems II
According to the Brusseler government institution, the overarched SVK should be the requirements from the "Schrems II judgment" the ECJ as well as the new recommendations of the European Data Protection Committee (EDSA) to be considered.
It was clear in the face of the decision of the Luxembourg Richter already that it becomes tight in the submission of customer data to the USA. The ECJ had repeatedly found that there are laws such as the FISA or the Cloud Act a mass monitoring by security authorizations such as the NSA or the FBI and therefore not the data protection standard does not comply with the EU.
Laws in the target country can not prevent clauses
In the proposal of the Commission, it now means that the clauses – "Especially in the light of the case-law of the Court of Justice" – provide special guarantees, "Any effects of the laws of the country of destination" to regulate the complaint of the SVK by the data importer. Above all, it applies, "How to deal with binding requests from resistants in the third country after a transfer of the subjected personal data".
The transfer and processing of personal information should only be made to the design, "If the laws of the country of destination do not prevent the data importer from complying with these clauses". If it is necessary to stop surveys in third countries, as the SVK could not be adhered to, the status Member State inherently inform the Commission. This will forward the appropriate message to the other EU countries.
Information concerned in the case of legally binding application for a government
Further details on the conditions that are already hinted in the SVK draft contains the addition to the match in the game: The Contracting Parties should therefore be true to have no reason to ame that the laws in the country of destination "Including any requirements for disclosure of personal data or measures that allow the access of authorities to prevent data importer in the exploitation of its obligations arising from these clauses".
This is due to the understanding that laws that respected the essence of fundamental rights and freedoms and necessary in a democratic society and mabig in a democratic society is not contrary to the clauses hours. The importer also explains the addition of notifying concerns inventively if he receives a legally binding request of a public data ie. Let us know details about the requested personal information, the requesting Office, the legal basis for the request and the answered answer.
Contestation of the request and specification of the measures taken
If it is forbidden to the data recipient to notify the supplier or direct affected people, he must be "to the best for a lifting of the prohibition" make an effort, "To practice as much information as possible and as soon as possible". In addition, the importer should optionally "All available appeals to prepare the application" push off. At the same time, he must surely meet for interim measures, "In order to suspend the effects of the request until the court has decided in the matter".
In addition, measures are given, with which the amount of personal data is kept in front of a transfer possible, pseudonymised and captured. If the processing is valid on an external service provider, the suppliers must ensure that they also make these additional precautions.
Responsible must provide for EU privacy level
The data protection habers gathered in EDSA drove in their advice on the implementation of the Schrems II judgment in parallel on the basis of a more earlier question-response list that those responsible in the transfer of personal information particularly to the USA "Additional measures" Meeting had to meet. With it "the same privacy level" As in the EU to resource. The exact circumstances of transfers had to "from case to case" to be viewed as. This applies to transfers in all third countries.
In addition, the Commission has submitted a draft of model data protection clauses between companies or authorities and order workers who are based in the EU. On both initiatives now a public consultation takes up to the 10th. December. The final clauses, the Brussel Executive Instance pursues unopdrates when no contradiction comes from the Member States.
Privacy Shield is history – what happens now with our data? | # from 01.10.2020