Schrems II: LfDI Baden-Württemberg on data transfers, changes to SCCs and next steps for businesses
The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 24 August 2020, a guide ('the Guide') on international data transfers in light of the Court of Justice of the European Union ('CJEU') ruling of 16 July 2020 in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), including a checklist for privacy-compliant data transfers and suggested changes to the Standard Contractual Clauses ('SCCs'). In particular, the LfDI Baden-Württemberg noted that the CJEU declared the Privacy Shield invalid, with the consequence that US companies may no longer process personal data of EU citizens on the basis of that mechanism. While the LfDI Baden-Württemberg agreed that the Privacy Shield did not effectively protect citizens from US intelligence services, which were able to access EU citizens' data held by US companies without a specific cause, for an unlimited period and without effective purpose limitation, it added that, in the absence of an adequate alternative and of a transitional period, businesses that use service providers in the US would face difficulties. To help businesses conduct privacy-compliant data transfers, the Guide provides a step-by-step overview of the legal implications of the Schrems II Case and sets out the key findings, who is affected by the decision and which steps need to be taken, with a particular focus on the legal scope of SCCs.
Alternative legal bases for data transfers
The LfDI Baden-Württemberg's Guide provides detailed information on SCCs, following the CJEU's confirmation that this mechanism, which the European Commission established in 2010, remains a valid basis for data transfers provided that the country to which the data is transferred ensures a sufficient level of protection for personal data. In this regard, the LfDI Baden-Württemberg highlighted that whether that level of protection is essentially equivalent to the level guaranteed within the EU is to be assessed in the light of the EU Charter of Fundamental Rights and Article 46(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which requires appropriate safeguards from the controller or processor together with enforceable rights and effective legal remedies for data subjects.
However, the LfDI Baden-Württemberg noted a particular challenge that arises when using SCCs: state authorities are not bound by SCCs agreed between private companies, and where state authorities have the power to interfere with the rights of the data subjects concerned, SCCs that are not combined with additional measures by the service provider do not amount to adequate protection. Therefore, for each individual case, businesses have to examine whether the third country they want to transfer data to provides adequate protection and, where it does not, agree on additional measures. The LfDI Baden-Württemberg highlighted that this applies in particular where the law of the third country imposes obligations on data importers that may conflict with the agreed contractual rules that are meant to provide appropriate protection against access by governmental authorities. Moreover, the Guide states that if such an adequate level of protection cannot be ensured, the competent data protection authority has to suspend or prohibit the data transfers in question.
Furthermore, the Guide details that the following measures may conceivably constitute additional guarantees that effectively prevent data access by US intelligence services and protect the rights of the data subjects:
- encryption, where only the data exporter holds the encryption key and the encryption cannot be broken by US services; or
- anonymisation or pseudonymisation measures, where only the data exporter is able to re-identify the data subjects.
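The two supplementary measures above have a concrete engineering shape: the keys that make the data readable or re-identifiable never leave the exporter, so neither the importer nor an authority compelling the importer can recover plaintext or identities from what was transferred. The following Go program is an added illustration of that pattern and is not code from the Guide or from the LfDI Baden-Württemberg. It pseudonymises an identifier with a keyed HMAC-SHA256, encrypts the payload with AES-256-GCM under a second exporter-held key, binds the pseudonym to the ciphertext as associated data, and shows that a key the importer might hold does not decrypt the record while the exporter can still re-identify and decrypt. The record layout, the identifier and the payload are constructed sample data, not anything from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ExportedRecord is all that leaves the exporter: a pseudonym in place of the
// identifier and the payload as AES-256-GCM ciphertext. Without the exporter's
// keys the importer can neither re-identify nor decrypt it.
type ExportedRecord struct {
	Pseudonym  string
	Nonce      []byte
	Ciphertext []byte
}

// Exporter keeps both keys and the pseudonym-to-identifier table in the EU.
type Exporter struct {
	pseudoKey []byte            // HMAC key used for pseudonymisation
	encKey    []byte            // AES-256 key used for the payload
	lookup    map[string]string // pseudonym -> identifier, never exported
}

// NewExporter generates fresh random keys; in practice these come from an HSM or KMS under the exporter's control.
func NewExporter() (*Exporter, error) {
	e := &Exporter{pseudoKey: make([]byte, 32), encKey: make([]byte, 32), lookup: map[string]string{}}
	if _, err := io.ReadFull(rand.Reader, e.pseudoKey); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, e.encKey); err != nil {
		return nil, err
	}
	return e, nil
}

// Pseudonymise replaces an identifier with a keyed hash. The same identifier
// always yields the same pseudonym, so the importer can still link records of
// one person (pseudonymised data therefore remains personal data under the
// GDPR); reversing it requires pseudoKey or the lookup table, which stay here.
func (e *Exporter) Pseudonymise(id string) string {
	mac := hmac.New(sha256.New, e.pseudoKey)
	mac.Write([]byte(id))
	p := hex.EncodeToString(mac.Sum(nil))
	e.lookup[p] = id
	return p
}

// Export pseudonymises the identifier and encrypts the payload. The pseudonym
// is authenticated as associated data, so ciphertext and pseudonym cannot be
// re-paired by whoever holds the exported records.
func (e *Exporter) Export(id string, payload []byte) (ExportedRecord, error) {
	p := e.Pseudonymise(id)
	gcm, err := newGCM(e.encKey)
	if err != nil {
		return ExportedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return ExportedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, payload, []byte(p))
	return ExportedRecord{Pseudonym: p, Nonce: nonce, Ciphertext: ct}, nil
}

// Reidentify is the exporter-side reverse path: lookup table plus encKey.
func (e *Exporter) Reidentify(r ExportedRecord) (string, []byte, error) {
	id, ok := e.lookup[r.Pseudonym]
	if !ok {
		return "", nil, errors.New("unknown pseudonym")
	}
	pt, err := Decrypt(e.encKey, r)
	if err != nil {
		return "", nil, err
	}
	return id, pt, nil
}

// Decrypt is what the importer, or an authority compelling it, can attempt with
// whatever key it holds. Only the exporter's encKey opens the record; any other
// key fails GCM authentication instead of yielding plaintext.
func Decrypt(key []byte, r ExportedRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Pseudonym))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	ex, err := NewExporter()
	if err != nil {
		panic(err)
	}
	rec, _ := ex.Export("employee-4711", []byte("salary=4200;dept=R&D")) // constructed sample data
	fmt.Printf("importer holds: pseudonym=%s... ciphertext=%x\n", rec.Pseudonym[:16], rec.Ciphertext)
	if _, err := Decrypt(make([]byte, 32), rec); err != nil { // a key the importer might hold
		fmt.Println("importer cannot decrypt:", err)
	}
	id, pt, _ := ex.Reidentify(rec)
	fmt.Printf("exporter recovers: %s -> %s\n", id, pt)
}
```

The caveat a practitioner should read into the Guide's wording is that "only the data exporter holds the key" excludes provider-managed keys, including keys the importer generates and stores on the exporter's behalf, since those are within reach of a legally binding request to the importer. It also means the measure only works for services that can operate on ciphertext or pseudonyms, such as storage or backup; a service that needs the plaintext to do its job cannot be protected this way.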
Moreover, the LfDI Baden-Württemberg stated that data transfers based on the derogations for specific situations in Article 49 of the GDPR may be possible in certain cases, but noted the restrictive and exceptional nature of that provision. The LfDI Baden-Württemberg detailed that this mechanism should be considered in particular for data transfers within a company or for individual contractual relationships.
Suggestion to amend SCCs
In particular, the Guide includes practical information for businesses on how to amend their SCCs in light of the Schrems II Case. As a first step, and in order to demonstrate and document their willingness to comply with the GDPR, the Guide recommends that controllers contact the recipient of the data and suggests that controllers and recipients agree on the following amendments to the SCCs:
- Amendment to Annex Clause 4(f): informing data subjects not only when special categories of data are transmitted, but with every transmission (before or as soon as possible after it) that their data will be transferred to a third country that does not provide an adequate level of protection within the meaning of the GDPR.
- Amendment to Annex Clause 5(d)(i): the data importer must inform not only the data exporter but also the data subject(s) immediately of every legally binding request from an enforcement authority to disclose the personal data; if such notification is prohibited, for example by a criminal-law secrecy obligation in an ongoing investigation, the supervisory authority must be contacted and the procedure clarified.
- Supplement to Annex Clause 5(d): an obligation on the data importer to refrain from disclosing personal data to the requesting authorities until a competent court has ordered the disclosure.
- Amendment to Annex Clause 7(1): retain only Clause 7(1)(b), so that, where a data subject asserts rights as a third-party beneficiary and/or claims damages from the data importer under the contractual clauses, the dispute is referred to the courts of the Member State in which the data exporter is established.
Enforcement based on proportionality
The LfDI Baden-Württemberg described the CJEU's new approach to data transfers to the US as comparable to a game of dominoes, in which the data protection authorities are expected to put pressure on the economic relationship between EU and US companies with the aim of triggering a chain reaction that leads to political changes in US security policy. The LfDI Baden-Württemberg highlighted that while the supervisory authorities are obliged to implement the Schrems II Case ruling without delay, it will do so in line with the principle of proportionality. In particular, the LfDI Baden-Württemberg announced that in each individual case it will always ask whether there is an alternative to transferring data to the US, with the focus on whether reasonable alternative offers exist, besides the service provider chosen by the German company in question, that do not raise data transfer issues. Finally, the LfDI Baden-Württemberg stated in concrete terms that if a company cannot convince the authority that the service provider with data transfer issues is irreplaceable in the short and medium term, the authority will have to prohibit the data transfer.
Lea Busch, Privacy Analyst