A new EU ruling now makes it more cumbersome, and perhaps in some cases completely impossible, to send personal data out of the EU if you use non-European suppliers for e.g. its cloud solutions.
The result of the European Court of Justice's ruling in the Schrems II case may have major consequences for IT providers, as the Court now states that in future the level of protection of the recipient country itself must also be assessed.
This gives companies and in practice especially the IT suppliers a much greater task of being able to document the levels of protection in the various countries if they want to use subcontractors outside the EU in relation to e.g. cloud services.
Old transfer basis not good enough
In its judgment of 16 June 2020, the European Court of Justice ruled that it was not sufficient to assess only the level of protection of the recipient company, or that the recipient company had simply accepted that they were obliged to provide the necessary protection.
Because if the company's obligation in reality cannot be handled in the recipient country, e.g. if the recipient country can demand access to personal data without a legal process similar to that guaranteed in the EU, then the company must not have access to personal data, even through the use of standard EU contracts.
In the specific case, the European Court of Justice ruled that the US authorities had too wide access to personal data without the necessary judicial control or redress for EU citizens, and therefore concluded that the Privacy Shield was not a sufficient basis for transfer.
As such, the EU's own standard contracts can continue to be used as a basis for transfer, but there has been a sharpened focus on whether the recipient country now also actually has adequate protection. In other words, it must now be examined whether the recipient country's legal system and personal data protection meet EU requirements.
If it turns out that the standard contracts can not really be enforced in the country in question, then they can no longer be used as a basis for an agreement.
"It gives rise to some considerations. Can one e.g. through agreements raise the level of protection? Are there countries to which you will never be able to transfer personal data, such as China, Iran and Russia ?, ”says Tim Krarup Nielsen, Certified IT lawyer at DAHL Advokatfirma.
Larger task for the supplier
Although it is still initially the customer (the data controller) who has the obligation, as these contracts are always entered into with the data controller as one party, there is no doubt that in practice it is often the IT provider that ends up with the obligation.
Typically, a customer uses a supplier within the EU, e.g. a Danish IT company, which in turn has a subcontractor (sub-data processor) outside the EU.
The customer will therefore expect the supplier to have control over their subcontractors, and as something new also about the recipient country's level of protection and legal certainty is in order, as this must be documented and be able to be presented to the Danish Data Protection Agency.
Is it possible to have personal data outside the EU at all?
DAHL Advokatfirma recommends that you generally reconsider whether personal data can be kept within the EU. This way you avoid problems - whether you are a customer (data controller) or supplier (data processor).
“When you also have to familiarize yourself with and guarantee the recipient country's level of protection, it quickly becomes simply too expensive and risky for both the customer and the supplier to have personal data outside the EU. So I think that the use of suppliers outside the EU will decrease drastically in the future, "says Tim Krarup Nielsen, and notes that just reading access to personal data is considered a transfer - even if personal data is still physically located in the EU.
If you use the Privacy Shield today, this should be replaced immediately with another basis, e.g. the standard contracts (if applicable).
At the same time, the IT provider (data processor) must carefully consider the subcontracting chain and revisit all subcontractors outside the EU, so that a general study of the country's level of protection and legal certainty is now also carried out.
If you find that the protection is too low, stop using the subcontractor.