Data Transfer Post-Schrems II: FAQ’s from a German Data Protection Authority

September 18, 2020Alerts

The Data Protection Authority of Rhineland-Palatinate, Germany has issued FAQs on Schrems II, weighing in on the EU-U.S. Privacy Shield and Standard Contractual Clauses. The guidance comes on the heels of FAQs issued recently by Baden-Wuerttemberg's DPA.

Key Takeaways:

Privacy Shield

  • The EU-U.S. Privacy Shield can no longer be used as a transfer instrument.
  • Data transfers on this basis are illegal. Those responsible must immediately switch to other transfer instruments from Chapter V of the General Data Protection Regulation (GDPR).
  • If no other transfer instruments are available and no exception under Art. 49 GDPR can be invoked, the person responsible must suspend the data transfer.
  • Data that had already been transmitted must be reclaimed or destroyed.

Standard Contractual Clauses (SCCs)

  • SCCs are valid as an instrument but controllers who use them must fulfill their obligations arising from them.
  • If the data protection guarantees named in the standard contractual clauses cannot be met by the data importer due to the legal situation in its home country, the data exporter, i.e. the person responsible in the EU, must suspend data transfers there. Data that has already been transmitted to the third country must all be returned by the data importer or destroyed
  • The Court of Justice of the European Union (CJEU) names the possibility of supplementing the standard contractual clauses by the contracting parties in order to nevertheless create suitable guarantees.
  • It is unclear whether this is actually possible in individual cases, in particular, transfers to the U.S. This is because under the application of security laws such as Sec. 702 Foreign Intelligence Surveillance Act (FISA), U.S. authorities are not bound by the Standard Contractual Clauses.
  • The security laws in the U.S., such as Sec. 702 FISA, which allows U.S. security agencies to access personal data in certain cases without a court order, take precedence over telecommunications companies. As a rule, the standard contractual clauses cannot be used for data transfers to such companies.
  • The law may also have an impact on other companies, for example if these companies make use of the services of telecommunications providers, such as cloud services.
  • It is also conceivable that solely due to the fact that the data is transmitted electronically, i.e. the fact that the data flows through the cables of U.S. telecommunications providers on the way to the recipient in the U.S., Sec. 702 FISA applies to all data transmitted in this way.

Therefore

  • In the event that the U.S. security laws that conflict with EU data protection law apply to all data transfers from the EU to the U.S., the level of protection in the U.S. as a whole cannot be regarded as equivalent to the level of protection prevailing in the EU. In this case, the standard contractual clauses, as they are formulated, do not constitute suitable guarantees for data transmission to the U.S.
  • In the event that the U.S. security laws only apply to certain data transfers to the U.S., it is up to the data exporter in the EU, including the respective data importer in the U.S., to check whether or which laws in his home country the data importer, or the respective data transfer, is subject to and to evaluate whether the standard contractual clauses represent suitable guarantees in this case.

Derogations

It may be possible to use derogations as your transfer mechanism (Art. 49). The latter is often an option for travel bookings, for example, but is unlikely to be considered for typical outsourcing scenarios, i.e. services that could also be provided in the EU/European Economic Area but are easier, cheaper or better provided in a third country.

Direct Transfers

Can EU individuals still transfer their own data to the U.S.?

Yes, nothing will change for people who transfer their own personal data to a third country. They are not affected by this judgment.


Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with cross-border data transfer issues, contact Odia at [email protected] or 215.444.7313.