Berlin: Berlin Commissioner issues guidance on post-Schrems II data exports
The Berlin data protection authority ('the Berlin Commissioner') announced, on 12 May 2022, its guidance on data transfers to third countries, addressing what applies after the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II') and the audits it has initiated in this regard. In particular, the guidance provides, among other things, a breakdown of data export requirements under the General Data Protection Regulation (Regulation (EU) 2016/679)('GDPR'), and highlights that the concept of transmitting data abroad is very broad, requiring organisations to consider their entire service/value chain. Additionally, the guidance also gives an overview of the current legal situation with regards to international transfers and particularly those that concern the US, highlighting the legal opinion that the German Data Protection Conference had commissioned and outlining the implications of Schrems II.
Moreover, the guidance notes that the Berlin Commissioner has taken part in a cross-state campaign, as announced on 1 June 2021, to implement Schrems II across Germany. More specifically, the guidance highlighted that around 900 Berlin companies were subject to an audit with regards to their data exports to third countries, with particular focus on email and web hosting. In this regard, the guidance notes that the results of the audits show that the the implementation of Schrems II poses major challenges for the majority of companies, since the decision not only affects the storage of personal data on servers located in third countries, i.e. the direct transmission of data, but also, and at least in the case of the USA, applies to integrations with third country companies or their European subsidiaries.
As such, the guidance notes that services from US companies or their European subsidiaries frequently used in practice can no longer be used lawfully, requiring previous business practices to be changed significantly in some instances. Furthermore, the guidance emphasises that the mere possibility of accessing data from outside the EU, such as access given for administration and support from third country companies, constitutes a legal case of data export.
Lastly, the guidance noted that many of the audited companies agreed to refrain from the use of the problematic service providers without any formal measures taken on the part of the Berlin Commissioner. However, the Berlin Commissioner noted that campaign is not over yet, and that if necessary it will take measures to ensure the changeover to compliance takes place within a reasonable period of time.