The ruling of the European Court of Justice (ECJ) against the transatlantic Privacy Shield draws wider circles. The EU data protection officer Wojciech Wiewiórowski has “emphatically” requested all committees, institutions and authorities of the EU, including Parliament, the Commission and the Council of Ministers, to refrain from passing on personal information to the USA, at least in the context of new processing purposes and contracts with service providers.

This emerges from a strategy paper, according to which Wiewiórowski intends to continuously examine in the future how the EU institutions will implement the so-called ” Schrems II judgment “implement. The ECJ ruled in a case first brought forward by activist Max Schrems in Ireland that the transatlantic data protection shield is invalid because US laws such as the Foreign Intelligence Surveillance Act (FISA) allow mass surveillance. The alternative standard contractual clauses can no longer be used by companies or institutions to which US security authorities have access.

European data protection law takes precedence Transfers of personal data by EU institutions to third countries must be in accordance with the European Charter of Fundamental Rights as well as with provisions such as the General Data Protection Regulation (GDPR), emphasizes Wiewiórowski. His strategy is therefore based on the cooperation and accountability of the data processors. On this basis, he will assess whether the equivalent standard of protection required by the ECJ is guaranteed for transfers to third countries.

The data protection officer announced that it would continue to work closely with other national supervisory authorities in the To want to cooperate within the framework of the European Data Protection Board (EDPB) on open questions about the judgment. He is currently doing an inventory to sound out which current contracts, procurement procedures and other forms of cooperation include data transfers. His main focus is on transmissions without a suitable legal basis and those that were based on exceptional provisions.

Tracking with data transfer to the USA It was previously known that numerous tracking services are active on the internal online portal of the EU Parliament for the detection of corona tests, some of which send data to US companies. The website is operated by EcoCare, a subsidiary of the United Arab Emirates-based Ecolog. MEPs are also supposed to use the platforms to enter sensitive personal data about whether they have had high-risk contacts or suffer from Covid 19 symptoms.

The Green MP Alexandra Geese was amazed at the online magazine “Euractiv” that all of her registered information would be sent to the USA. Overall, around 150 tracking requests were made via the site from companies such as Google and Stripe. The representative of the people had therefore complained to the EU data protection officer.

(jk)