On August 24, 2020, the data protection authority of the German state of Baden-Württemberg (the “DPA”) published guidance (the “Guidance”) on international transfers of personal data following the Schrems II judgment (which we have previously covered here). This represents the first comprehensive guidance by a European privacy supervisor indicating how it intends to enforce the Schrems II decision. As well as including a Schrems II compliance checklist, it provides some recommendations on modifying the Standard Contractual Clauses (‘SCCs’) to allow the parties to document their intent to act in accordance with the law.
The Guidance contains two main sections of interest for companies with cross-border operations, as they provide an insight into what the DPA sees as ‘additional measures’ that can support transfers of personal data from the EEA to the US.
- US-specific guidance: The Guidance begins with rules the DPA indicates will apply to transfers to the US.
  - Privacy Shield: The DPA states that “Privacy Shield no longer represents a valid legal basis” for transfers to the US, and that “transfers that occur in spite of this are illegal and can result in fines or claims for damages.”
  - SCCs: The DPA states that transfers to the US on the basis of SCCs are “conceivable, but will only rarely meet the ECJ’s requirements for an effective level of protection.” Instead, US transfers must be subject to “additional guarantees” that “effectively prevent access by US intelligence services,” thus protecting the rights of the data subjects. The DPA offers the following examples of additional guarantees that could potentially be considered sufficient:
    - Encryption for which “only the data exporter has the key and which cannot be broken by US intelligence services;” and
    - Anonymization or pseudonymization, where only the data exporter can reidentify the data.
- Compliance checklist: The Guidance also contains the first Schrems II compliance checklist issued by an EU supervisory authority. As a brief overview of the Checklist, the DPA expects companies to do (and presumably also document in accordance with the GDPR’s accountability principle) the following things “immediately”:
(1) Create an inventory of data transfers to third countries.
(2) Contact service providers in the third countries and inform them of the ‘consequences’ of the Schrems II.
(3) Research information about the state of the law in the relevant third countries.
(4) Determine whether any third country has been found adequate by the Commission.
(5) If any third countries are not adequate, determine whether SCCs can be used without any additional measures for transfers to that country.
- Note that for this analysis, the DPA expressly states that for the USA, the ability to use SCCs without additional measures “was denied by the ECJ.” Thus, “transferring data to the USA using SCCs is only possible in very limited cases with the help of additional guarantees.”
(6) Determine whether SCCs with additional guarantees can be used to transfer data to the third country.
- The DPA indicates this determination should particularly focus on “whether you can relatively [effectively] avoid access by others” to the data being transferred. This could potentially be achieved by:
a) encryption (as outlined above), or
b) an “agreement that data will be hosted within the jurisdiction of the GDPR or that no transfers to the US will occur.”
- Additionally, the DPA expressly recommends that companies modify the SCCs “to document and demonstrate your intent to act in accordance with the law.” The DPA sets forth a list of modifications it states that EU data exporters “should” agree to with data importers located in third countries. The following is a table setting forth the DPA’s required modifications:
- Note one issue raised by this aspect of the Guidance: Clause 10 of the Controller-to-Processor SCCs explicitly states that the parties undertake “not to vary or modify the clauses.” It is not clear whether the DPA (or other supervisory authorities in the EU) would consider that the SCCs lose their pre-approved character when modified in the ways set out above. If the answer is “yes”, the SCCs potentially become ad hoc clauses that require prior approval by the relevant supervisory authority before transfers can be made under their protection. This issue may need to be resolved by coordination at the European level.
- Derogations – The Guidance states that Article 49 GDPR derogations are a “conceivable” basis for transfers if SCCs are not available, but will continue to be interpreted “restrictively.” However, the DPA states that Art. 49 derogation “can in particular be considered for data transfers within a corporate group” or “within one-to-one contractual relationships” – as long as the “restrictive character of [Art. 49] does not stand in the way of the transfer.”
- Enforcement – The Guidance closes by previewing how the DPA will enforce its Guidance. It indicates it will identify providers that have “transfer problems”, then approach local companies about why they are using them. If a local company cannot convince the DPA that the provider is “irreplaceable in the short- and medium-term by a provider without transfer problems,” the DPA will prohibit further transfers to the provider. Larger providers may thus want to consider materials that would enable customers to show irreplaceable aspects of services, or a lack of transfer problems.
The full Guidance published by the Baden-Württemberg DPA can be accessed (in German) here.