We all have to make rubber figures
My youngest daughter came home one day from kindergarten and showed me a brownish figure she had made at school. The figure was a bit uninteresting as it stood there on the kitchen table, but you clap, as a father should. What the elementary school says is always right, and I should not pick a fight with a school teacher, let alone an educator.
The figure was made of recycled rubber from bicycle tires, and the children had to make them to save the planet's climate. Recycling is the way forward, and that is also true enough.
However, with the best of intentions, in my opinion, the teachers pushed the biggest problem onto those who actually have the least influence on it.
It is a bit the same in the Schrems II case. The problem now lies with all the CVR numbers that, for example, more or less directly buy cloud services in the USA or in other third countries.
I will not review the judgment here; others have done that better elsewhere. I will instead focus on the Data Protection Council's latest FAQ, in which 12 questions have been answered so far.
Within the limits of tolerable legal, technical and organizational difficulties, it must be said that, as a starting point, the United States is currently a third country to which personal data cannot be transferred. The general level of protection in the country is too low, and you cannot risk-assess your way out of it. There is thus a minimum threshold that no risk assessment can get you past.
Even if you have unimaginable amounts of resources, I am not sure you can do it, because how do you contractually ensure the same level of protection in the US as in the EU? This is a fight the EU must take up with the US government, including in several different bilateral negotiations, depending on who has leverage.
Instead, we now all have to make figures out of used bicycle tires. We all have to make sure that the US government is not lying at the bottom of the Atlantic listening in on data traffic from Europe.
Exceptionally, transfers to the United States may be made under Article 49, but it is in itself rather cumbersome to use one of the exceptions (read: we easily exceed the tolerance limit for common legal, technical and organizational hassles). And none of the exceptions addresses the real need for transfers to the United States in particular, which quite a few data controllers and data processors have.
In a work context, the exceptions do cover an employee in a Danish company emailing once in a while with an employee in an American company, but it probably does not take much before the framework of the exception is exceeded. As a global company, for example, you can no longer run payroll centrally in the USA. Well, you can keep doing so, but then you have to ensure that the level of protection is the same as in the EU. And then it is my contention that the framework for tolerable legal, technical and organizational hassle is easily broken.
The limit of tolerable legal, technical and organizational difficulties
If you are a data controller or data processor with processing activities in the USA or another third country, the legal advice must read: hire a global law firm that can check the level of protection in the third countries where you have personal data processed. If you are a global company, you can set the legal departments in the various countries in motion. You can also consider moving personal data processing to the EU, as the limit on how much more it may cost has just moved. And then you have to recover it through a price increase or a request for an extra grant. In the end, the bill ends up with the customer or taxpayer.
If you can in no way withdraw your processing activities to the EU (including support, development and emergency incidents), and you do not want to hire the global law firm, you must, regardless of the basis of transfer, carry out the necessary legal analyses from your desk, continue processing, and bet that you will not get caught; and if you do, bet that you have made a reasonably good analysis showing that you were in good faith at the time about a given third country's level of protection. However, it is probably a bit difficult to get away with that in relation to the USA, unless we get new legislation over there.
It would thus be a great help if the Data Protection Council drew up a "blacklist" showing which countries are highly doubtful to transfer to. The United States would be at the top right now. That would be a good starting point to work from as the various countries were legally vetted by the Data Protection Council, not least when deciding from where to bring your data back to the EU as soon as possible. One would have a kind of negative list as a counterpart to the list of safe third countries, which can be called the positive list.
In any case, it has been established that any data controller who does not bring his processing activities to the EU must know the nationality of the final processor in a given third country in order to assess the level of protection there. It will no longer be enough to accept that a transfer may be made from one third country to another on one or more of the available grounds, cf. answer no. 9:
"The Court has indicated that SCCs as a rule can still be used to transfer data to a third country, however the threshold set by the Court for transfers to the US applies to any third country."
What does the EU itself do with its own IT systems?
For the time being, they are not doing much; they are awaiting their own analysis of the judgment. The European Data Protection Supervisor, which is, among other things, the Data Inspectorate for the EU's own institutions, states the following:
"As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analyzing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies."
But they will have to do something, because the Supervisor has also just completed a major study of the EU's use of Microsoft services, which demonstrated a number of issues.
What's going to happen now?
My guess is that the data processors will soon write to the data controllers that data has now been moved to the EU. Then the data processors will start figuring out how the data is actually moved to the EU. In the meantime, the various supervisory authorities are probably still busy traveling to meetings and scratching their necks.
But the individual data processor probably still cannot wait for the European data center, Gaia-X, to be completed. The aim of the project is precisely that data should remain in European hands:
"Data sovereignty: Existing cloud offerings are currently dominated by non-European providers, that are able to rapidly scale their infrastructure, and that hold significant market power and large amounts of capital. At the same time, we are seeing growing international tensions and trade conflicts across the globe. Europe needs to ensure that it can establish and maintain digital sovereignty permanently."
Until then, we must, as always, do our best to find the balance between compliance and the tolerance limit for common legal, technical and organizational difficulties. There are many options that need to be risk assessed, contracts that need to be checked, and probably data that needs to be moved; we are happy to help you with that.