Germany: Schrems II: And now? First German supervisory authority provides guidance on data transfers

The Commissioner for Data Protection and Freedom of Information for the German State of Baden-Württemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg –  “LfDI BW”) recently published guidance for international transfers of personal data in the post-Schrems II era.

Background

The Court of Justice of the European Union (“CJEU”) not only invalidated the EU-U.S. Privacy Shield – with immediate effect – in the Schrems II decision. The court also ruled that controllers need to assess the adequacy of transfers based on standard contractual clauses (“SCC”). Consequently, many companies and other organizations now face significant legal uncertainty how to structure such transfers.

According to the CJEU, the SCC in principle are still valid but must safeguard a level of protection to individuals whose personal data is transferred essentially equivalent to that guaranteed by the EU General Data Protection Regulation (“GDPR”). Therefore, companies are required to assess whether the SCC are sufficient taking into consideration the legal framework in the third country to which personal data is transferred, including potential access by public authorities of that country to the personal data. If the result of this assessment is that there is a lack of protection in the destination country which cannot be compensated by the use of unmodified SCC, the data exporter and data importer need to implement additional safeguards, and may also need to modify the SCC to remedy identified deficiencies.

Numerous supervisory authorities as well as the European Data Protection Board (“EDPB”) have already issued general statements on Schrems II and how to tackle data transfers in the aftermath; now the LfDI BW has issued more specific guidance.

The LfDI BW guidance

The LfDI BW reiterates that the Privacy Shield no longer constitutes a valid legal basis for the transfer of data, and that any transfer of data conducted based on the Privacy Shield is illegal and may result in fines and claims for damages.

When it comes to the use of SCC, the LfDI BW states that SCC cannot bind authorities in the destination country and therefore without supplementary measures are not sufficient to provide adequate protection in cases where authorities (e.g. intelligence agencies) are empowered by law to interfere with data subjects’ rights (e.g. may access the personal data) in a disproportionate way. Hence, supplementary measures shall be agreed where necessary. In the event that even with additional measures in place an appropriate level of protection cannot be ensured (in particular if the destination country’s legal system imposes obligations that contravene the measures agreed upon) the corresponding transfer of personal data shall be suspended or stopped. Otherwise, unless an adequate level of protection cannot be established through other measures, the supervisory authority will be obligated to suspend or prohibit the transfer.

With regard to transfers to the US based on SCC, the LfDI BW deems it necessary to take additional measures that effectively prevent US intelligence agencies from accessing transferred personal data. In this regard the LfDI BW expressly points out the following types of additional safeguards:

  • Encryption where only the data exporter has the key and which cannot be decrypted by US agencies; and
  • Anonymization or pseudonymization where only the data exporter can link the data to a natural person.

The LfDI BW acknowledges that alternatively transfers potentially can be based on Art. 49 GDPR (which under certain circumstances allows such transfers without the requirement that an adequate level of data protection is ensured). However, the authority stresses that said provision needs to be interpreted in a restrictive way and therefore can only be relied upon in few exceptional cases. For example, transfers that are not occasional but systematically recurring do not qualify for a transfer under Art. 49 GDPR.

Checklist

The LfDI BW provides a checklist for data exporters on how to deal with the current situation:

  1. Identify where personal data is transferred outside the EEA.
  2. Contact the service provider/contract partner in the third country and inform them about the Schrems II decision and its consequences.
  3. Collect information on the legal system of the third country to which personal data is transferred.
  4. Check whether the third country is covered by an adequacy decision by the EU (please find a list of countries recognized as providing adequate protection here). If the third country in question is covered by an adequacy decision it is not necessary to agree on SCCs because the transfer can already be based on said decision.
  5. Review whether SCCs can be used without additional measures. This is not the case if authorities of the third country can disproportionally interfere with data subject’s rights (e.g. mass retrieval of data without informing the data subjects and without procedural safeguards such as court order) and there is no effective legal protection with regard to such interference.
  6. Review whether personal data may be transferred to the third country based on SCCs in combination with supplementary measure (e.g. encryption, agreement that data will be hosted in a country where GDPR applies).

Suggested supplementary measures to Controller-to-Processor SCC

In order to demonstrate and document GDPR compliance, the LfDI BW suggests modifying Controller-to-Processor SCC and provides some (not comprehensive) examples:

  • Amendment to SCC Clause 4(f): Informing the data subject, not only in the case of transfers of special categories of data, but also in the case of any transfer (before or as soon as possible after the transfer) that his or her data will be transferred to a third country that does not provide an adequate level of protection within the meaning of Regulation (EU) 2016/679.
  • Amendment to SCC Clause 5(d)(i): Obligation of the data importer to inform not only the data exporter but also the data subject promptly of any legally binding requests by a law enforcement authority for disclosure of the personal data; if this disclosure of information is otherwise prohibited, e.g. by a criminal law requirement to maintain the secrecy of investigation, the data exporter must contact the LfDI BW and clarify the further procedure.
  • Addition to SCC Clause 5(d): Obligation of the data importer to take legal action against the disclosure of personal data and to refrain from disclosing personal data to the relevant public authorities until a competent court of last instance has ordered the importer to disclose the data in a legally binding manner.
  • Amendment to SCC Clause 7(1)(b): Agreement to refer the dispute to the courts of the Member State in which the data exporter is established in the event that a data subject claims rights as a third party beneficiary and/or damages against the data importer under the SCC.
  • Inclusion of the illustrative indemnification clause set out in Appendix 2 to the SCC.

It remains open whether the LfDI BW thinks that SCC supplemented as above (or any other way) in order to meet the requirement of the Schrems II decision require an authorization under Art. 46 (3) GDPR or whether they will still qualify as “unchanged” SCC which can be used without consultation.

If none of the items on the above checklist (including amendment of the SCC) may justify the transfer, the LfDI BW recommends to review whether the transfer of personal data alternatively can be based on Art. 49 GDPR.

Outlook

The LfDI BW concludes its guidance by pointing out that it in particular will take into account whether there are alternative service providers/contract partners which could be resorted to without problematic third country transfer of personal data. If companies cannot demonstrate that such service providers/contract partners are irreplaceable in the short or medium term, the LfDI BW intends to prohibit the respective transfers. However, the LfDI BW recognizes that the Schrems II decision poses a serious challenge for certain companies. It intends to base its approach on the principle of proportionality and will monitor further developments in order to review and continue to develop its position.

Conclusion

While the supplementary measures (encryption, anonymization/pseudonymization) suggested by the LfDI BW in the context of data transfers to the US may be technically effective to protect transferred data against third country government access, they may also be impractical for many business needs. The guidance does however provide a useful checklist on how to manage compliance and some helpful insights to the LfDI BW’s approach to Schrems II (which may be adopted by other supervisory authorities). Whether (all of) the suggested changes to the Controller-to-Processor SCC will be feasible on a practical level and acceptable for third country service providers remains to be seen.

Companies should thoroughly review their data flows, put in place supplementary measures (e.g. further contractual obligations) where necessary (and effective) and should diligently document every step of their efforts to comply with GDPR as well as reasons for why the transfers to third countries are essential for business operations and why specific service providers/contract partners in third countries are irreplaceable.

Verena Grentzenberg, Jan Spittka, David Schele, Andreas Rüdiger 

If you have any questions on what this may mean for you or your organisation, please contact the authors listed above or your regular DLA Piper contact.