However, according to the Schrems II ruling, the use of standard contractual clauses entails adhering to stricter rules: companies must introduce additional measures, in principle treat each data transfer as an individual case, and ensure that each destination country offers a sufficient level of data protection. If this condition is not met, for example because of security legislation in that country, the company is obliged to stop the transfer of data.
Furthermore, these standard clauses are subject to inspection by the European supervisory and data protection bodies. If the legal situation in a country prevents the recipient of the data from complying with its obligations under the standard clauses, the data transfer may be suspended or even prohibited. The whole process must be taken into account when analyzing the level of data protection. It must be ensured at all times that, for example, the judicial or national security authorities of the host country do not have access to the personal data.
In the current situation, case-by-case assessment is particularly difficult for SMEs, as they usually lack the technical knowledge and the means to verify in detail whether, for example, an adequate level of data protection exists in a third country. Furthermore, the CJEU ruling does not specify exactly which rules will apply to individual case evaluations or to possible extensions of the standard contractual clauses.
SMEs should still actively address the issue. Legal experts advise taking the greatest possible precautions and documenting in detail the data protection procedures that apply. Companies will thus be prepared for a possible legal dispute and will be able to better defend their own actions in court once the Privacy Shield is terminated.
A concrete protection measure is to carefully apply the formal aspects of the standard data protection clauses (for example, by means of a detailed description of the data flows). Furthermore, only strictly necessary personal data should be collected and transmitted. In addition, legal experts recommend conducting a well-founded and well-documented risk analysis that considers the relevant issues. For example, the legal situation in the United States or in other countries outside the EU should be thoroughly analyzed and the likelihood of unauthorized access to the data assessed.
Furthermore, it should be clarified whether, given the current situation, the recipient of the data assumes additional contractual obligations (e.g. increased monitoring and reporting obligations). In the current situation, companies could also require their business partners and service providers in the United States to use all available technical means to strengthen data protection, for example end-to-end encryption in video conferencing software.
Those who can do without data transfers, cloud services and servers in third countries outside the EU should look for alternatives within the EU that comply with the General Data Protection Regulation (GDPR). In addition, they should closely monitor developments in data protection legislation. The European Data Protection Committee (CEPD) reports on the current situation in its frequently asked questions about the CJEU ruling on the Privacy Shield agreement.