German DPA Issues Guidance on Schrems II and the Transfer of Personal Data to Non-EU Countries
Since the Court of Justice of the EU (“CJEU”) held in its Schrems II ruling that the Privacy Shield is invalid, and that the EU Standard Contractual Clauses (SCCs) can no longer be relied on without extra scrutiny and without additional security measures implemented by both the EU data exporter and the US data importer, companies are asking how they can still transfer data to non-EU countries. According to the CJEU, the SCCs remain valid, but a level of protection for personal data essentially equivalent to that in the EU must be ensured. That is not the case where public authorities of the recipient country, such as intelligence services, can access EU personal data without adequate judicial oversight or due process.
Reactions from the Data Protection Authority of Baden-Wuerttemberg
The DPA of Baden-Wuerttemberg is, thus far, the only German DPA that has issued relatively detailed guidance, published on September 7, 2020. While the guidance is directly applicable only to companies established in Baden-Wuerttemberg, it may nevertheless serve as a point of reference elsewhere. Pursuant to the guidance, data controllers must offer additional guarantees so that access by third-country public authorities is essentially prevented. To achieve this, the parties to SCCs should duly assess the legal situation in the recipient country and should agree on additional contractual clauses and on technical security measures, such as:
- Encryption, where only the EU data exporter holds the key, so that the data cannot be read by US security authorities even if they obtain it from the importer
- Anonymisation or pseudonymisation, where only the EU data exporter can reverse the pseudonymisation (anonymised data is, by definition, no longer reversible by anyone)
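The second measure in practice: the exporter replaces direct identifiers with a keyed pseudonym before the record leaves the EU, and keeps both the key and the reverse lookup table on its own side. The following is an added illustration, not code from the DPA guidance or from any vendor; the record, the field names (`name`, `email`, `subject_id`) and the 32-byte key are constructed for the example. It also shows why an unkeyed hash of an e-mail address is not an adequate pseudonym: anyone can recompute it from a guessed address, whereas the HMAC cannot be recomputed without the exporter's key.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample record (not real data), as held by the EU data exporter.
SAMPLE_RECORD = {
    "name": "Anna Muster",
    "email": "anna.muster@example.de",
    "order_total_eur": 129.90,
    "ship_country": "DE",
}
DIRECT_IDENTIFIERS = ("name", "email")  # fields that must never reach the importer
KEY_FIELD = "email"                     # identifier the pseudonym is derived from


def pseudonymise(key: bytes, identifier: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.

    Deterministic for a given key, so repeated transfers about the same data
    subject stay linkable for the importer, but without `key` the value cannot
    be tied back to the person by recomputation.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class Exporter:
    """Role of the EU data exporter. Holds the key and the reverse lookup table;
    neither is ever sent to the third-country importer."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self._reverse: dict = {}  # pseudonym -> original identifier

    def export_record(self, record: dict) -> dict:
        """Return the record as it may be sent to the importer: direct
        identifiers stripped, a single keyed pseudonym added."""
        subject_id = pseudonymise(self.key, record[KEY_FIELD])
        self._reverse[subject_id] = record[KEY_FIELD]
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = subject_id
        return out

    def reidentify(self, subject_id: str) -> str:
        """Only the exporter can do this: it alone holds the lookup table."""
        return self._reverse[subject_id]


def importer_guess(identifier: str) -> str:
    """What anyone without the key can compute: an unkeyed SHA-256 of a guessed
    identifier. Had the exporter used this instead of an HMAC, a third party
    could re-identify subjects by enumerating likely e-mail addresses."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    exporter = Exporter()
    sent = exporter.export_record(SAMPLE_RECORD)
    print("record as received by the importer:", sent)
    print("exporter re-identifies:", exporter.reidentify(sent["subject_id"]))
    print("unkeyed guess matches pseudonym:",
          importer_guess(SAMPLE_RECORD["email"]) == sent["subject_id"])
```

The same principle applies to the first measure (encryption with an exporter-held key): the importer only ever sees ciphertext, and the key material stays in the EU. Both measures only help where the third-country provider can do its job on pseudonymised or encrypted data; a provider that needs the plaintext to perform its service (for example, to send e-mail to the data subject) cannot be protected this way, which is exactly the situation in which the DPA asks whether an EU-based provider could be used instead.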
Pursuant to the guidance, transfers based on the derogations in Art. 49 of the GDPR are still possible. However, given the restrictive character of these provisions, systematic transfers might be excluded.
The DPA of Baden-Wuerttemberg concluded that, while it is aware that the CJEU ruling imposes extreme burdens on companies, its supervisory focus on data transfers will be whether there are reasonable alternatives to the chosen third-country service provider. The burden will lie with the controller to supply convincing reasons why the third-country service provider it uses is irreplaceable. Otherwise, the DPA will prohibit the data transfer.
How to Proceed
As a consequence of the decision, companies should examine their data transfers through comprehensive data mapping.
Data transfers made on the basis of the EU-US Privacy Shield must stop, and all processors that have thus far relied on the Privacy Shield must be instructed to cease data transfers on that basis immediately.
Data transfers based on SCCs should be scrutinised and documented.
Companies should consider whether data transfers to third countries are necessary at all, or whether a service provider in a third country can be replaced by one located in the EU.
Should a company established in Baden-Wuerttemberg determine that a third-country service provider is irreplaceable, the SCCs should be supplemented with the additional terms proposed by the DPA of Baden-Wuerttemberg.
Companies should also update their Art. 13 GDPR information notices and records of processing activities, and should implement the additional technical measures. Given that the EDPB and the German Federal Commissioner for Data Protection and Freedom of Information have decided to establish a task force on complaints against the use of social media and web analytics services, companies providing or using such services are encouraged to act swiftly on the measures outlined above.