German State’s Data Processing Authority Offers Strict Guidance on Post-Schrems II Data Transfers

August 25, 2020Alerts

The data protection authority of the German state of Baden-Wurttemberg issued a guidance for European Union data exporters in the wake of the Schrems II decision by the Court of Justice of the European Union (CJEU), which invalidated the EU-U.S. Privacy Shield and imposed conditions on the use of Standard Contractual Clauses.

Effect of the CJEU Decision

  • The Schrems II decision is binding on all authorities and courts of the EU member states, which have to deal with this question in accordance with the CJEU decision.
  • Transfers using Privacy Shield as the transfer mechanism are illegal and will result in fines and claims for damages.
  • Transfers based on Standard Contractual Clauses are conceivable, but will only rarely meet the requirements for an effective level of protection as required by the CJEU.
  • Using Article 49 derogation may be possible, but is subject to the innate limitations of such mechanism (e.g. necessity, occasional transfers only etc).

Policy Direction of the DPA

  • When assessing transfers, the DPA will focus on the question of whether there are reasonable alternative services the data exporter could use that do not pose transfer problems and will decide its action plan based on the principle of proportionality.
  • If the DPA cannot be convinced that the service provider/contract partner with transfer problems you are using is irreplaceable in the short and medium term by a reasonable service provider/contract partner without transfer problems, the DPA will prohibit the data transfer.

What To Do

  • Take inventory of all your data transfers.
  • Contact your service provider in the third country and inform them of the CJEU decision.
  • Obtain information on the legal situation in the third country (including as with respect to surveillance).
  • Check whether there is an adequacy decision for the third country.
  • Check whether you use the Standard Contractual Clauses for your transfer.
  • Check whether there are any supplementary measures that can be adopted (see below).

Supplementary Measures

In order to use SCC the data exporter must offer additional guarantees. Those can be:

  • Encryption, with the data exporter being the only holder of the encryption key and which cannot be broken even by U.S. authorities
  • Anonymization or pseudonymization where only the data exporter can re-identify
  • An agreement that the data be hosted in an EU member state
  • An agreement that no data be transferred to the U.S. altogether
  • Incorporating the following amendments to the Standard Contractual Clauses

Amendments to Standard Contractual Clauses

  • Data exporters to notify individuals of all transfers to third countries: Clause 4(f)  Expand the data exporter's obligation to inform data subjects of the cross-border transfer of special category data to include all transfer of personal data to a third country that doesn't provide an adequate level of protection.
  • Data importers to notify individuals of authorities' requests for disclosure: Clause 5(d)(i) Expand the obligation of the data importer to notify the data exporter of any legally binding request for disclosure of personal data by a law enforcement authority and require the data importer to also notify the data subjects of such requests. If you are legally prohibited from doing this, you should contact the supervisory authority for guidance. It's worth mentioning that in most controller-processor relationships, the processor is unable to comply with this requirement because they have no direct relationship with the individuals and often don't even know who they are or how to contact them.
  • Data importers to take legal action against disclosure requests: Add a new obligation on the data importer to take legal action against the disclosure of personal data and refrain from disclosing personal data to the relevant authorities until a competent court of last instance has ordered the data importer to disclose the data in a legally binding manner.
  • Disputes to be referred to courts not mediation: Clause 7(1)  Remove the ability to resolve a dispute under the clauses by mediation and leave only the possibility of resolution by the competent courts of the member state of the data exporter.
  • Add a liability (indemnification) clause: Incorporate an allocation of liability clause which provides for indemnification by a party for its breach of the clauses.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with Privacy Shield and EU-.U.S. data transfer issues, contact Odia at [email protected] or 215.444.7313.