Baden-Württemberg: Updated post-Schrems II guidance on data transfers and SCCs from the LfDI Baden-Württemberg
On 1 October 2021, the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') published an updated version[1] of its 2020 guidelines[2] on data transfers to third countries ('the Guidelines'). The Guidelines enable companies to get a clearer picture of the LfDI Baden-Württemberg's legal opinions on the matter and support them with concrete proposals for supplementary measures for Standard Contractual Clauses ('SCCs'). Philipp Quiel, Counsel at Piltz Legal, summarises the most important changes and provides insights on the views of the LfDI Baden-Württemberg and its advice for companies under its supervision.
The Guidelines take into account both the old version of SCCs ('old SCCs') and a more recent version ('new SCCs'), as based on the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679[3] ('the Decision'). Even though the Guidelines address controversial aspects, it is interesting to note that Recital 7 of the Decision is not mentioned at all.
Short overview on the updates of the Guidelines
The Guidelines contain new parts, such as regarding SCCs, and slightly amended statements, as well as extracts that were already part of the 2020 guidelines. While some of the most relevant updates are sections added to the new SCCs, there is also one visible change regarding the view on the effectiveness of pseudonymisation. In fact, the Guidelines do not mention pseudonymisation anymore (see also further below in the section on the old SCCs). Another important aspect is that the checklist already part of the 2020 guidelines was further developed, which concerns the new SCCs, but also other topics.
The old and updated versions of the Guidelines state that data transfers based on Binding Corporate Rules ('BCRs') are in principle possible. The Guidelines, however, outline that when BCRs are used, supplementary measures might still have to be in place. Another update of the Guidelines is the reference to the principle of accountability pursuant to Article 5(2) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Arguably, neither data protection authorities nor companies and their legal advisers currently have a clear picture of the scope of the accountability principle. In the context of data transfers, the LfDI Baden-Württemberg states that companies should verify that they have documented all of their assessments regarding data transfers and can prove all audit steps and conclusions.
No updates were added to the derogations for specific situations. This also means that the LfDI Baden-Württemberg continues to apply the criterion 'occasional[ly]' to Article 49(1)(b), (c) and (d) of the GDPR due to the first sentence of Recital 111 of the GDPR, but sees room for applying consent as the transfer mechanism for data transfers that can occur more frequently, as long as the general derogatory nature of Article 49 of the GDPR is respected. Furthermore, reviewing whether, as a last resort, the transfer of data pursuant to the exception provision of Article 49 of the GDPR can be considered is still part of the Guidelines, particularly for data transfers within the group or in the case of individual contractual relationships. In these cases, it would be necessary to check that the restrictive nature of the provision does not prevent the transfer.
As part of the checklist, the Guidelines advise companies to think about the following possible solutions to avoid data transfers to third countries:
- only using services that do not transfer data to a third country;
- making a contractual agreement that no data will be transferred to a third country; or
- encrypting the data and having sole access to the key, whereby the entire legal situation of the third country must be taken into account (e.g. national regulations on access to data outside of one's own territory, such as the initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence[4]).
In this context, it is interesting to note that the LfDI Baden-Württemberg seems to accept companies contractually agreeing that no data is transferred to third countries as a solution to avoid data transfers in the first place. It could even be concluded that when one contractual partner violates the agreements made regarding data transfers, this is not the other company's fault and the latter will therefore unlikely have to face sanctions and other measures by the LfDI Baden-Württemberg.
Some of the most relevant parts of the Guidelines deal with data transfers for which the old or new SCCs apply as a transfer mechanism.
Information relevant for the old SCCs
Since the old SCCs already concluded prior to 2 September 2021 are still a valid transfer mechanism until 27 December 2022, it is helpful that the Guidelines still cover those. The LfDI Baden-Württemberg explicitly states that companies generally cannot use the old SCCs without supplementary measures. In this context, there is also a reference to the proposals for supplementary measures which only feature in the previous guidelines published in August 2020. The wording of the 2020 guidelines was not as strict and did not directly show that a general requirement exists according to the LfDI Baden-Württemberg.
With regard to data transfers to the U.S., the Guidelines state that companies are required to implement supplementary measures that effectively prevent access by U.S. intelligence agencies and thereby protect the rights of data subjects. In contrast to the old document, the Guidelines outline anonymisation as another suitable measure, in addition to encryption where only the data exporter has the key, which cannot be compromised by U.S. agencies. Pseudonymisation in which only the data exporter can match the pseudonym to the person is no longer mentioned. This implies that the LfDI Baden-Württemberg no longer thinks that this kind of pseudonymisation is sufficient when using the old SCCs. The Guidelines also acknowledge that, in practice, it is not possible for most data transfers to the U.S. to only take place in an encrypted or anonymised form.
Information relevant for the new SCCs
Since there are already new SCCs in place and because there are many open questions arising in practice, it is helpful that the Guidelines contain references to the new SCCs. Interestingly, the LfDI Baden-Württemberg does not mention the heavily debated Recital 7 of the Decision at all. The wording of this Recital and different assumptions made on the Commission's intention behind Recital 7 resulted in uncertainty on the applicability of the new SCCs and triggered a discussion among data protection professionals[5]. The Guidelines remain completely silent on questions around the applicability of the new SCCs. Instead, the Guidelines generally promote the development of more obligations for supplementary measures proposed for the old SCCs, now being part of the new SCCs. There is also no reference to statements of the European Data Protection Board ('EDPB') on the scope of applicability.
The notes of the EDPB's 54th plenary meeting, which took place on 14 September 2021, include the following statement: 'The EU COM confirmed, that, after the draft guidelines are adopted, they intend to develop a specific set of SCCs regarding transfers to importers subject to Article 3(2) GDPR'[6]. Here it becomes clear that the Commission indeed wanted to limit the scope of SCCs to data transfers where the data importer is not subject to the GDPR.
Given the lack of any information on Recital 7 of the Decision provided in the Guidelines, companies under the supervision of the LfDI Baden-Württemberg are likely able to use the new SCCs for all kinds of data transfers without having to face sanctions or other measures. Using the new SCCs for data transfers that cannot be covered by the old SCCs anymore might potentially even be encouraged under the supervision of the LfDI Baden-Württemberg.
The Guidelines also reveal the LfDI Baden-Württemberg's opinion on to what extent the new SCCs must be amended to better reflect that only some parts of the text are relevant for certain modules. The LfDI Baden-Württemberg specifically states that for some parts of Clause 3 and starting from Clause 8 for every subsequent clause, only those parts should be included and signed that are relevant for the module applicable. In other words, the LfDI Baden-Württemberg says that companies must delete parts which are not relevant as they only fit other modules.
The Guidelines include statements on the 'risk-based approach' mainly indicated in footnote 12 of the new SCCs, which is heavily debated, highly criticised by data protection authorities, and favoured by companies. The LfDI Baden-Württemberg, however, notes that great caution is required here, as it can hardly be assumed that a retreat to such mere practical experiences satisfies the supplementary measures required by the Court of Justice of the European Union to ensure that data protection provisions and the rights of the data subjects are observed in a manner appropriate to the processing within the EU. The LfDI Baden-Württemberg further outlines that data exporters are better advised to follow and implement the practical examples of possible supplementary measures as contained in Annex 2 of the Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data[7].
Nevertheless, the following assessments are now explicitly part of the checklist provided in the Guidelines:
- data protection laws of the third country;
- access possibilities of governmental bodies including intelligence services;
- rights and legal remedies available to the data exporter, the data importer, and the data subject; and
- the jurisprudence and authorities' practice in the third country related to the level of data protection.
The Guidelines recall that Clause 15.1(a) regulates the obligation of a data importer to not only notify the data exporter, but also the data subjects about certain details of legally binding requests from public authorities and about any direct access by public authorities to personal data transferred. According to the LfDI Baden-Württemberg, the clause on third-party beneficiaries in Clause 3(a)(vi) allows data subjects to, inter alia, request relevant information on requests received from authorities on a regular basis.
Supplementary measures for the new SCCs
Some data protection professionals currently discuss whether there is a general need to conclude supplementary measures when the new SCCs are used as a transfer mechanism. The LfDI Baden-Württemberg does not explicitly state that the new SCCs do not require additional measures to be sufficient, but rather emphasises that there must always be an essentially equivalent level of protection and enforceable data subject rights, and effective legal remedies for data subjects. Nevertheless, it is clearly visible that this statement regarding the new SCCs is not nearly as strict as the demand for supplementary measures when using the old SCCs.
In the context of data transfers to the U.S., on which the LfDI Baden-Württemberg holds a critical perspective, the Guidelines do not explicitly state that supplementary measures are needed for those transfers under the new SCCs in each case. However, since the LfDI Baden-Württemberg is also proposing concrete supplementary measures for the new SCCs, it is also clear that the measures are meant to not only be part of the Guidelines, but also of the contracts concluded by data importers and data exporters, where necessary, to ensure an adequate level of protection.
Some of the supplementary measures contained in the old document are now part of the obligations under the new SCCs. However, the LfDI Baden-Württemberg emphasises the absence of an obligation of the data importer in the new SCCs to indemnify the data subject, regardless of fault, against any damage caused by access to data by agencies of its country concerning the data subject. This was already part of the supplementary measures in the 2020 guidelines and the authority continues to advise companies to additionally include this obligation in contracts, when the new SCCs apply.
As per the Guidelines, the LfDI Baden-Württemberg, however, advises to make the following additions to the new SCCs:
- adding a general obligation of the data importer to indemnify the data subject, regardless of fault, against any damage caused by access to data concerning the data subject by agencies of its country;
- Addition to Clause 15.2(a): Addition of an obligation of the data importer to refrain from disclosing the personal data to the respective authorities until it has been ordered by a court of competent jurisdiction in the main proceedings to disclose the data in a binding judgment of the final instance. This was added due to the new SCCs not referring to 'main proceedings' and 'final instance'.
- Addition to Clause 3(a)(vi): Addition of Clause 15.2(a) and the addition to Clause 15.2(a) mentioned above to the clause on third-party beneficiaries.
- Addition to Clause 8.2: Addition of the obligation of the data importer, insofar as they know it, to notify the data subject about the commissioning of a processing operation to a sub-processor.
- Addition to Clause 3(a)(ii): Addition of the addition to Clause 8.2 mentioned above to the clause on third-party beneficiaries.
The LfDI Baden-Württemberg writes that the additions to Clause 15.2(a) and Clause 3(a)(vi) are particularly important when the law of the third country imposes obligations on the data importer which are likely to conflict with the new SCCs, requiring appropriate protection against access by government authorities.
Interestingly, the Guidelines also touch upon situations in which there are no sufficient supplementary measures. As already done in the 2020 guidelines, the LfDI Baden-Württemberg advises companies, in the absence of effective supplementary measures, to contact the respective recipient of the data in order to at least demonstrate and document the willingness to act in compliance with the law.
Next steps the LfDI Baden-Württemberg will take in enforcement
The Guidelines still contain the exact same information on the next steps the LfDI Baden-Württemberg will take in enforcement. In fact, the Guidelines centre around the question as to whether there are reasonable alternative offers, without transfer problems, to the service provider or contract partner selected by companies. If a company is unable to prove that the service provider or contract partner with transfer problems is not replaceable by a reasonable alternative without transfer problems in the short and medium term, the Guidelines state that the LfDI Baden-Württemberg will prohibit the data transfer.
It becomes clear that, on the one hand, the LfDI Baden-Württemberg still understands that in some cases there are little to no alternative services offered. On the other hand, there is still the requirement that companies should be able to prove that such a situation is indeed the case. For companies it is good to know that the enforcement action from the LfDI Baden-Württemberg will likely not substantially change.
The Guidelines also still acknowledge the large amount of effort that companies must invest due to the current legal situation on data transfers and recognise that the ruling of the CJEU may possibly entail extreme burdens for individual companies. Therefore, the Guidelines outline that the LfDI Baden-Württemberg will base its further action on the principle of proportionality, continue to monitor developments, and continuously review and develop its positions accordingly.
Overall, the Guidelines are helpful for companies, as the latter gain insight on the position of the LfDI Baden-Württemberg on the new SCCs and on how it continues to enforce the current legal situation as it did before. Companies under the supervision of the LfDI Baden-Württemberg that follow the Guidelines can probably expect the same for the companies' actions over the next few months.
Philipp Quiel, Counsel
Piltz Legal, Berlin
1. Only available in German at: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2021/10/OH-int-Datentransfer.pdf
2. Only available in German at: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/08/LfDI-BW-Orientierungshilfe-zu-Schrems-II.pdf
3. Available at: https://www.dataguidance.com/legal-research/commission-implementing-decision-eu-2021914-4
4. Available at: https://edps.europa.eu/sites/edp/files/publication/19-07-10_edpb_edps_cloudact_annex_en.pdf
5. A summary of the discussion available at: https://www.delegedata.de/wp-content/uploads/2021/06/20210613_Scope-of-the-new-SCC-discussions-about-recital-7.pdf
6. Available at: https://edpb.europa.eu/system/files/2021-10/20210914plenfinalminutes_54thplenary_public.pdf
7. Available at: https://www.dataguidance.com/legal-research/recommendations-012020-measures-supplement