Problem remains

The EU Commission is presenting new standard data protection clauses that are intended to make international data transfers more legally secure. The background to this is the ruling by the European Court of Justice (ECJ) in the summer of 2020, which declared the so-called Privacy Shield, which regulated the exchange of data between the EU and the USA, invalid and established additional requirements for international data transfers.

With the new standard data protection clauses, the EU wants to create more legal certainty for companies with data processing in the USA or other third countries. This is a right step. It is crucial for globally active companies to be able to handle their business processes and data flows in a legally secure manner. However, the new clauses do not solve the problem of case-by-case examination.

At the same time, companies are now faced with a huge conversion effort without being spared the need to evaluate the data flows to the so-called third countries in each individual case. In addition, there are further ambiguities in the new regulations: For example, companies are supposed to implement additional protective measures to safeguard the data flows - but exactly what these measures should be is left up to internal evaluation.

Many companies can hardly cope with this. The frequently mentioned demand to simply process data exclusively in Europe is not a solution. It is hardly feasible, both technically and practically. Data exchange is essential for day-to-day work, especially for companies and organizations with cross-border or global operations and locations in different regions.

European companies from the healthcare sector with research centers in the USA or India are just as affected by this as IT companies that secure 24-hour support globally and thus across all time zones.