The Irish data protection regulator has imposed a record fine on the US company.
(Photo: dpa)
Berlin Leading German business associations have warned of delays in the planned new legal framework for the transmission of data from Europeans to the USA. The background is the concern that many affected German companies are exposed to an acute risk of fines if they continue to process data on servers in the USA without a legal basis.
In this respect, data protectionists see the recent record fine against the Facebook parent company Meta for breaches of data protection as a precedent that can be transferred to all companies. Iris Plöger, member of the executive board of the Federation of German Industries (BDI), sees the economy in a dilemma. “Without data transfers, cloud solutions and software, such as video conferencing systems, cannot usually be used by US providers,” she told the Handelsblatt.
Companies would therefore currently have to carry out “complex, individual preliminary checks” and take additional protective measures. However, there is always the risk of a breach of the General Data Protection Regulation (GDPR) because it is unclear what applies to these protective measures in individual cases.
Plöger complained that for the transatlantic transfer of personal data there had been no “adequacy decision on the US data protection level as a general legal basis” for three years and called for a “quick” solution.
However, that is still a long way off, although there has recently been movement. In October, US President Joe Biden issued an executive order detailing the steps the US will take to secure a possible new data protection agreement with the EU.
Data protection officer calls on companies to take action
As a result, the EU Commission initiated a procedure in December to certify that the USA has an adequate level of protection for personal data transmitted from the EU to companies in the USA. However, the EU countries have not yet approved the Commission’s recommendation.
>> Read also: “Siting out is not a good idea” – How Meta also threaten German companies with high EU penalties
The German Chamber of Industry and Commerce (DIHK) also called for urgency on the subject. Because of a judgment by the European Court of Justice (ECJ) in July 2020, which overturned the data agreement called “Privacy Shield”, which was in force until then, there were still “massive negative effects on the German economy,” said DIHK chief legal officer Stephan Wernicke to the Handelsblatt. “The US and the EU need a legally secure agreement to ensure the continuation of data flows between the EU and the US in the long term.”
So far there has been a way out: the EU Commission has provided companies with so-called standard contractual clauses for the transfer of personal data to third countries. However, the Irish Data Protection Authority ruled that these clauses were invalid in its decision against Meta. Not only are companies based in the USA affected, but also German companies of “all sizes,” said Wernicke.
Marit Hansen, data protection officer of Schleswig-Holstein, advised these companies to urgently end the transmission of data to US cloud providers. Otherwise, fines could be imposed as with Meta. The danger is acute: “In hundreds of cases, data protection authorities are investigating data transfers to the USA,” said Hamburg data protection officer Ulrich Kühn.
DIHK warns of “hardly to make up for setbacks” for the economy
Until a new EU-US data agreement is reached, the DIHK chief legal officer called for “pragmatic solutions” – also with regard to data transfer to other third countries. “Because even if international data traffic collapses only temporarily, this will cause considerable conversion costs and setbacks for the European economy that can hardly be made up for,” he said.
Wernicke appealed to the EU Commission and the data protection supervisory authorities to issue uniform information on the level of data protection in third countries “promptly” so that every authority and every company does not have to determine this themselves. “The legally compliant exchange of personal data between different legal areas is an essential basis for a successful digital transformation,” he emphasized.
Wernicke warned that companies should not be left alone with the currently unresolved legal issues. Because the ECJ ruling on the “Privacy Shield” is “an extraterritorial data protection decision by the EU compared to the law of a third country”, which the companies have no direct influence on, explained the DIHK lawyer.
From the company’s point of view, a “comprehensive” political solution is finally needed. Wernicke considers the sometimes “completely contradictory” standards and interpretations of the GDPR to be problematic within the EU and in the federal states, also with regard to state access rights. This should no longer be carried out on the backs of companies.
“Therefore, increased efforts by both the Federal Government and the European Commission are overdue to quickly bring about legal certainty for companies and a long-term, legally secure solution,” said Wernicke.
More: Authorities want to go to the cloud, but are not allowed to