We previously posted on yesterday’s Schrems II decision issued by the Court of Justice of the European Union. Today (Jun 17, 2020), the Berlin data protection authority (Berlin DPA) went even further than the CJEU opinion, issuing a statement on the Schrems II case that calls for Berlin-based data controllers storing personal data in the US to transfer that data to Europe. The DPA stated that data should not be transferred to the US until that legal framework is reformed. In addition, regarding the SCCs that were cautiously validated by the CJEU, the Berlin DPA stated that European data exporters and third country data importers must check, prior to transferring data, whether the third country allows state access to the data that exceeds what is permitted under European law. If such access rights exist, the Berlin DPA stated, the SCCs cannot justify the data transfer to that third country. The Berlin DPA thus requested all data controllers to observe and comply with the CJEU’s judgment. In practice, the Berlin Commissioner stated that data controllers transferring data to the US, especially when using cloud service providers, are now required to use service providers based in the EU or in a country with an adequate level of protection.
This could impact the ability of Berlin-based companies to transfer personal data to their U.S. subsidiaries or other U.S.-based vendors or business partners.
To read the press release (currently available only in German), click here.