Response to Schrems II judgment US Department of Commerce publishes white paper

von Nadja-Maria

The judgment of the European Court of Justice, which determined the ineffectiveness of the Privacy Shield Agreement between the European Union and the USA (Schrems II), did not go unnoticed in the USA either. In response, the US Department of Commerce has now published a white paper on data protection risk analysis as part of data export to the USA.

Effects on US companies too

This shows that the ECJ ruling mentioned does not only have consequences for European companies. Rather, it could also have serious consequences for US companies if it were ultimately no longer possible to simply export data to the USA. The European Union is also a relevant market for large US IT companies.

Commerce Department arguments

In terms of content, the white paper takes a position on the arguments that the ECJ specifically listed to justify the ineffectiveness of the Privacy Shield Agreement. Therefore, the potential access of the secret services to European personal data as well as the possibilities of legal protection against this are discussed in particular.

Access of the secret services

Only the arguments regarding the access of the secret services to transmitted European personal data are picked out from the extensive statement. The ECJ saw the extensive statutory access rights of the secret services as a reason that European personal data in the USA are not adequately protected by the Privacy Shield.

The US Department of Commerce is now arguing that most US companies would not process any data that would be of any interest to secret services and that there was no reason to accept access here.

Whether this argument is convincing is now up to each of our readers.

The fact is, however, that the US secret services have extensive statutory powers to intervene and that these do not generally contain any exceptions for European personal data.

Effects of the white paper

It should be noted with this publication that the white paper is expressly not legally binding and is only intended as an aid to interpretation and argumentation for the companies concerned. Whether and if so, to what extent the arguments of the US Department of Commerce will be taken into account by European authorities and courts is currently not foreseeable. It is to be hoped, however, that the European side will find a pragmatic compromise to legitimize data export to the USA as soon as possible.

Reacting in compliance with data protection regulations now poses major challenges for most companies. We’ll gladly assist you. Just contact us.

assets/images/e/Nadja-Maria-Becke-1-e4dcbac5.jpg
Nadja-Maria

Nadja-Maria leitet unser Inhouse-Juristen-Team. Sie studierte an der Universität Passau Rechtswissenschaften mit anschließendem Referendariat sowie erstem und zweitem Staatsexamen. Ihr Spezialgebiet ist Datenschutzrecht. Ihr fundiertes Wissen hält sie jederzeit aktuell. Für unsere Kunden und unser Team hat sie so immer einen Rat für eine passgenaue Lösung parat.

Schlagworte: IT security, GDPR, GDPR compliant, judgment, GDPR-penalty, Data protection, Personal data, Easily explained, Basics