Best prospects for the future: information and contact exchange in Stuttgart
Right to information about co-investors in a trustee-structured public fund under the GDPR
Strengthening Germany as a venue for justice
ECJ rules that Privacy Shield is invalid – What does this mean for companies?
Prof. Dr. Ulrich Schnelle recommended by GLOBAL LAW EXPERTS
Are instructions service contracts?
Euroforum annual conference: Law in the Automotive Supply Industry
Image rights in film, photo and illustration for plain sailing!
Welcome to the information and contact exchange of the Stuttgart Bar Association in the „Haus der Wirtschaft“ on October 13th. The HAVER & MAILÄNDER team will give you an insight into various specialist areas, working methods, and answer your questions about the law firm and the prospects from 3.00 p.m. onwards. We look forward to seeing you, and will be happy to provide you with your documents.
By: Dominik Nast
In: NZG, Neue Zeitschrift für Gesellschaftsrecht, 2020, 826
In focus: Starting signal for the “Commercial Court” in Baden-Württemberg
By: Dr. Roland Kläger and Dr. Fabian Brugger
In: Deutscher AnwaltSpiegel 16/2020, p. 15
ECJ rules that Privacy Shield is invalid – What does this mean for companies?
by Bettina Backes, HAVER & MAILÄNDER Rechtsanwälte Partnerschaft mbB
The recent judgment on the Privacy Shield passed by the European Court of Justice (ECJ) on 16.07.2020 (Maximilian Schrems v Facebook Ireland - C-311/18) poses new challenges for transatlantic data transfers. Not only companies and supervisory authorities but also the EU Commission now face difficult tasks.
What does the Privacy Shield ruling say?
In its ruling of 16.07.2020 (C-311/18), the European Court of Justice (ECJ) declared that the EU Commission’s adequacy decision on the Privacy Shield was invalid. In the past it was permissible for a company domiciled in the EU to transfer personal data to a company in the USA which participated in the Privacy Shield. This now no longer applies. The ECJ also addressed the transfer of data to US companies based on EU Standard Contractual Clauses. In principle, the ECJ held that these standard contractual clauses were admissible, but it did impose extensive verification obligations on the users. According to the ECJ, the standard contractual clauses can only serve as the legal basis if the level of protection of the European Union is also actually complied with in the target country (third country). This has to be checked by exporters of personal data. Since, when it examined the Privacy Shield, the ECJ considered the level of data protection in the USA to be inadequate, it can be assumed that the transfer of data on the basis of the standard contractual clauses could hardly be considered to be effective either. De facto this is currently likely to lead to a situation whereby it is not permissible to transfer data to the USA on this basis either. This means that companies are now being faced with considerable difficulties.
What is the reasoning for the ruling of the European Court of Justice?
The rationale for the ECJ’s decisions is, essentially, the comprehensive rights of the US security authorities to access personal data. The ECJ established, for instance, that, on the basis of the surveillance programmes PRISM and UPSTREAM pursuant to Section 702 FISA (Foreign Intelligence Surveillance Act) and also based on E.O. 12333, the American authorities are entitled to access the personal data transferred from the European Union to the United States. The ECJ is of the opinion that, in this regard, the law of the United States does not ensure the fundamental rights enshrined in the Charter of the European Union, as the relevant regulations do not provide for the necessary limitations and safeguards or ensure effective legal protection against such interferences. The Privacy Shield Ombudsperson would not be able to remedy this deficiency either. To this extent it was not held to be possible to guarantee, in particular, a level of data protection adequate for the European Union. Whilst, in this connection, the fact that the FISA primarily addresses telecommunications corporations and not all US corporations, had to be taken into account, accessing data on the basis of the FISA surveillance programmes can, nonetheless, also be indirectly extended to the communications of other US corporations if they use the services of telecommunications corporations whose data can be accessed by the US authorities. It therefore seems doubtful whether US corporations can actually fully exclude such data access.
What are the practical effects of the ruling?
The judgment will create considerable practical difficulties for a large number of companies.
Companies are permitted to export personal data to a third country, i.e. to a country outside the EU, only if one of the following guarantees of an adequate level of data protection applies:
Through the current ruling of the European Court of Justice, the two tools for transferring data to the USA that are the least complicated and most frequently used in practice, notably the Privacy Shield and the standard contractual clauses, have been practically eliminated. Although the standard contractual clauses can still be used formally as the basis for transferring data, the court does impose considerable verification obligations on the companies. For instance, the ECJ establishes that it is incumbent above all on the data controller and/or its processor to verify in every single case – if appropriate in conjunction with the recipient of the transfer – whether the law of the third country of destination guarantees adequate protection, in accordance with the law of the European Union, to the personal data transferred on the basis of standard data protection clauses and whether, in case of need, even more guarantees have to be provided than those required under the clauses. If this protection cannot be afforded by such additional guarantees either – as has to be assumed in the case of the USA according to the ECJ ruling – then the legally effective transfer of personal data to this third country is not possible.
Another important correlation also has to be taken into account. Although the relevant ruling of the European Court of Justice is merely concerned with the transfer between the European Union and the USA, and not therefore with the transfer of data to any other third countries, such as India, China or Russia, the judgment nonetheless also indirectly impacts the transfer of data to these third countries. The ECJ did not mention these countries, but even so this begs the question here too as to whether transferring data to these third countries is possible at all. The judgment imposes difficult verification obligations on the data exporter which it is hardly able to fulfil without assistance as they involve an in-depth understanding of the law of the relevant recipient country.
Companies are clearly being left entirely to their own devices and cannot currently rely on receiving any support from government authorities or from the European Union. The EU Commission was reportedly already prepared for the negative judgment. The Commission advises that discussions are to be recommenced with the US administration in order to establish mechanisms for transferring data with legal certainty. Experience shows, however, that negotiations sometimes take too long for businesses. The negotiations took six months in 2015 already, when the Safe Harbour Agreement, the predecessor to the Privacy Shield, was repealed by the ECJ (ECJ of 06.10.2015 – C-362/14). Faster and clearer progress appears rather unlikely in the current political climate.
The German Association for Data Protection and Data Security (GDD) therefore demands that the EU supervisory authorities initially refrain from imposing any sanctions on the export of personal data to ensure that companies have sufficient time to evaluate their data flows. In addition, the GDD requests that the European Data Protection Board draws up indications of the criteria that will apply to discontinuing the export of data to a third country and that it endeavours to prevent national supervisory authorities from acting unilaterally.
What action has to be taken?
Companies are advised to take the following measures:
a) Primarily, to examine whether it is possible to avoid transferring data to the USA and to replace existing contracts by corresponding agreements with companies domiciled in the European Union; in particular, to ensure that the locations of the servers and computer centres used are in the European Union. Companies should at least take preparatory action so as to be ready and prepared for audits by the supervisory authorities. The use of service providers with US subcontractors should also be stopped.
b) All the contracts (order processing, joint data processing) have to be revised. This also applies to Data Protection Notices and to Data Privacy Statements.
c) EU standard contractual clauses should be agreed as a precaution unless this has already been done. In particular, all recipients in the USA must be asked how the EU data protection standard can be ensured. If their responses are negative, then there should be an immediate changeover, however. If it transpires that the recipient is not in a position to ensure the data protection standard, the data transfer can be suspended. Companies also have to examine whether rescinding or terminating the contract is conceivable. In this case, all the data have to be returned or destroyed. Claiming damages can also be given consideration in individual cases. It is possible that there might be a reporting obligation to the supervisory authorities.
d) If at all possible, consents are to be sought from the data subjects. Here, informing the data subjects in a transparent and comprehensive manner is of particular importance, as is ensuring that consent is given freely. It must always be borne in mind, however, that the consent is revocable. This means that once consent has been withdrawn, data processing has to be discontinued unless there is another legal basis permitting further processing.
What consequences do companies face if they improperly transfer data to the USA or to any other third country?
Problems for companies loom from the supervisory authorities, from data subjects and from competitors.
If at all possible, companies should refrain from transferring data to the United States and instead they should select companies with registered offices in the EU or EEA, especially European service providers and sub-contractors.
GLOBAL LAW EXPERTS recommends HAVER & MAILÄNDER and Prof. Dr. Ulrich Schnelle in the competence area Antitrust Law.
On the state of the case law of the ECJ and the BGH on direct awards in local public transport with buses and trams
By: Dr. Alexander Hübner
In: VergabeR 2020, page 559
As part of the “Euroforum annual conference” in Stuttgart from 14th - 15th July 2020, Dr. Thomas M. Grupp (Regional Committee of the British Chamber of Commerce in Baden-Württemberg) will moderate the “WORLD-CAFÉ SESSION: 2020 International Law in Automotive Practice” on July 14th. The topic will be the legal situation of cooperation with suppliers in the UK after BREXIT and Corona.
Date: Tuesday, 14th July - Wednesday, 15th July 2020
Location: Le Méridien Stuttgart, Willy-Brandt-Straße 30, 70173 Stuttgart
Further information and registration:
Bettina Backes will be giving a lecture on image rights in production and use in an online seminar for creative professionals. Participants will receive information on image usage, how to license correctly and what is important when using Open Content.
Date: Thursday, 7 July 2020, 02:00 pm – 06:00 pm
Place: Online via Zoom
Further information and registration: