In its judgment of July 16, 2020 (Case C-311/18), the European Court of Justice declared the European Commission’s Decision 2016/1250 on the transfer of personal data to the United States (Privacy Shield) invalid. At the same time, the ECJ stated that Commission Decision 2010/87/EU on standard contractual clauses remains valid in principle.
As a result of this decision, it is now questionable whether and under what circumstances a U.S. company can offer a SaaS solution in Europe, or more precisely, whether anyone in Europe can use a U.S. provider’s SaaS solution without committing a data privacy violation.
What follows from the decision according to the current state of discussion?
The decision deprived the more than 5,300 registered companies, acting as processors, of the legal basis for transferring and receiving the data. The main justification for this is that data transferred to the U.S. may be processed by the authorities there for public security, national defense and state security purposes. As an alternative, only the standard contractual clauses regulated in Decision 2010/87/EU of 05.02.2010 now remain. Theoretically, these can still be used, but only if the level of protection of the GDPR can be guaranteed during and after the transfer by the processor located in the U.S. This is unlikely to succeed, at least in the case of unencrypted data and of companies that are not 100% independent of a U.S. company under group law.
Simply having a server in the European Union is probably not enough, at least without encrypting the data
Following the ruling, the supervisory authorities will, indeed must, press for the standard contractual clauses to be adapted in line with the ruling. However, it is to be expected that the processors will not be able to guarantee the GDPR level of protection because of the far-reaching powers of the U.S. authorities under Section 702 of the Foreign Intelligence Surveillance Act. A transfer of the data to the U.S. is thus inadmissible. According to the ECJ ruling, national authorities are even obliged to suspend or prohibit data traffic with the U.S. in accordance with Article 58(2)(f) and (j) GDPR and to impose heavy fines in the event of a violation. Non-European companies that want to process the data of Europeans, whether in streaming, cloud, data processing or other services, will have a hard time. Those directly processing customer data may have three options, but all will be difficult to implement.
- Customers can be fully informed about where and which data is processed and which persons and authorities in the U.S. have access to it, possibly even when the data is located on European servers. Since this customer consent may not be hidden in T&Cs and must be fully comprehensive, this is likely to be at least a major competitive disadvantage.
- Data could probably be encrypted completely, and end to end, so that the provider itself never holds the keys needed to read it. Only time will tell to what extent this is technically feasible, e.g., for streaming solutions, where the data must be accessible to more than just the person who uploaded it. What is clear is that it will require extensive technical updates, adjustments to server structures, legal adjustments and possibly also adjustments to the business models of U.S. providers.
- The data of Europeans would likely have to be processed only by companies that are not bound, under group law or by contract, to hand over data to a U.S. company. If at all, providers would have to set up independent European subsidiaries that are linked to the U.S. company only through, for example, profit transfer or licensing agreements. The extent to which this is practicable for the majority of U.S. providers is difficult to assess.
So what do providers transferring data to the U.S. need to do?
- First and foremost, it must be checked whether there are data transfers to the U.S. that still rely solely on the EU Privacy Shield. This is the duty of every data controller within the scope of the record of processing activities pursuant to Art. 30 GDPR. If this is the case, the transfer must be stopped immediately and alternatives must be examined as to how the processing can be converted so that the data remains in the EU.
- If, in addition to the EU Privacy Shield, standard contractual clauses are also used, or must be agreed as an alternative to it, it must be checked, as the ECJ ruling demands, whether the required level of protection can be ensured. Otherwise, the data traffic must also be stopped. Under certain circumstances, the standard contractual clauses could be supplemented so that requests from U.S. authorities must be disclosed to the controller, allowing it to react in such cases and, where appropriate, inform its customers or other data subjects. Having so-called Binding Corporate Rules approved by the national supervisory authorities pursuant to Art. 47 GDPR should also be considered. However, this involves a long and cumbersome process.
- As the most important measure to be taken immediately, the consent of each data subject must be obtained pursuant to Art. 49(1)(a) GDPR. Alternatively, the transfer of data can be based on Art. 49(1)(c) GDPR, according to which it is permitted where necessary for the performance of a contract between the data subject and the controller; this requires a corresponding data protection declaration. However, this legal basis is only a temporary remedy for the individual case and cannot be used for the regular transfer of data to the U.S.
The opportunity for competitive advantage
Even if the ECJ, as an independent body for the administration of justice, cannot be accused of political intentions, this ruling and situation can be a great opportunity for a SaaS provider to change its corporate structure and/or business concept in such a way that the above-mentioned points are fulfilled. This would represent a major competitive advantage over all other providers and at the same time would be a great opportunity for the company’s own marketing and growth, and a highly interesting investment case.
The Federal Data Protection Commissioner has also brought into play options for simple data storage, such as pseudonymization or the use of trustees who process data on behalf of U.S. companies and who do not have to grant U.S. security authorities access. Since this will be a lengthy process to implement for larger providers, there is an enormous opportunity here for smaller, agile providers.
I have provided, and can provide, comprehensive advice on these issues and help U.S. providers establish the corporate and other contractual foundations needed to take advantage of this opportunity.
Just contact me without obligation and let’s find out how I can help you to offer your own SaaS solution in Germany in a legally compliant way!