On August 24, 2020, the Data Protection Authority (“DPA”) of the German federal state of Baden-Württemberg issued guidance on international data transfers following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case (decision C-311/18 of July 16, 2020). As we previously reported, the judgment of the CJEU invalidated the EU-U.S. Privacy Shield framework and confirmed the ongoing validity of the controller-to-processor EU Standard Contractual Clauses (“SCCs”), subject to an adequacy assessment and, if necessary, additional safeguards to protect the personal data transferred pursuant to the SCCs. The guidance is notable because it is the first substantive guidance from a DPA following the Schrems II judgment (although the guidance is only applicable to companies established in the federal state of Baden-Württemberg).
A summary of the key points of the Baden-Württemberg guidance is set out below.
Assessment of Data Transfers
- For data transfers to the U.S., data controllers should seek to provide additional safeguards to mitigate risks, in particular (1) encryption for which “only the data exporter has the key” and which “cannot be broken by U.S. [intelligence] services,” (2) anonymization or (3) pseudonymization, where “only the data exporter can re-identify the data;”
- For data transfers to other non-EU jurisdictions, data controllers should verify the legal context regarding “access to EU personal data by secret services” and the “rights and legal protections granted to data subjects” in the importing jurisdiction;
- In the DPA’s view, the derogations of Article 49 of the EU General Data Protection Regulation (“GDPR”) could potentially be used for intra-group data transfers, if appropriate in a specific context – however, the DPA noted that derogations should generally continue to be interpreted restrictively; and
- The DPA calls on companies in its jurisdiction to assess and document the necessity of the transfer, rely on reasonable alternative transfer mechanisms and/or select a contractual partner/service provider that would reduce the risks associated with the transfer. The Baden-Württemberg DPA also indicated that it may take steps, such as prohibiting the transfers, if it is not convinced of the necessity of the transfer and the measures taken by the controller to mitigate relevant risks.
Checklist for Compliance and Changes to SCCs
In addition, the DPA provides a checklist of action items that companies should consider post-Schrems II, including the following:
- Identify all transfers of EU personal data to third countries, including remote access to the data;
- Inform service providers in third countries of the legal developments in the EU regarding data transfers after the CJEU judgement;
- Assess the legal situation in the third country, in particular whether it has been found to provide an adequate level of data protection by the European Commission; and
- Where SCCs can be relied upon for the transfer, assess whether additional safeguards are required.
Surprisingly, the DPA suggests amendments to the controller-to-processor SCCs. Among other amendments to the SCCs, the DPA suggests: (1) including an obligation for the data importer to inform not only the data exporter but also data subjects of any legally binding requests for disclosure of personal data made by an enforcement authority; (2) if such notification is prohibited, for example under criminal law, the data controller should contact the Baden-Württemberg DPA to agree how to proceed; and (3) that the parties should agree that any third party beneficiary rights invoked by data subjects should be exercised before the courts of the EU Member State in which the data exporter is established, eliminating the option currently included in the SCCs to refer such dispute to mediation.
The Baden-Württemberg DPA is the first EU data protection authority to provide detailed guidance setting out how it expects companies subject to its jurisdiction to address the issues raised by the Schrems II case. However, the guidance does not address the challenges that global companies would face in practice in trying to implement the proposed changes to the SCCs, such as the fact that in most cases data importers/data processors do not have direct relationships with data subjects that would allow notification. Furthermore, it is unclear whether the proposed amendments to the SCCs would have the effect of transforming them into ad hoc clauses, thereby requiring DPA approval under the GDPR. It remains to be seen whether other DPAs will follow the lead of Baden-Württemberg.