Guten Morgen from Munich.
The "Schrems II" hibernation is finally over.
This was the key learning from our recent virtual DACH regional KnowledgeNet. If there ever was any hibernation mode over the last winter dominated by COVID-19, it will end abruptly next week or the week after. According to EU Commission Deputy Head of Unit for International Data Flows Ralf Sauer, this is when the EU Commission will publish its long-awaited new set of standard data protection clauses. Sauer added that the EU Commission has carefully weighed all feedback it received on the draft SCCs during the public consultation phase. As a result, we will likely see some significant changes in the soon-to-be-published SCCs compared to the draft version — one of them being an extended period allowing companies more time to transition from the old to the new set of clauses. There will also be a rather short period during which contracts based on the existing SCCs can still be concluded.
Alexander Filip, the head of international data transfers at the Bavarian supervisory authority and a substantial voice in the European Data Protection Board, indicated that we might see the eagerly awaited final version of the EDPB recommendations on supplementary measures for international data transfers in June, provided the EDPB is able to agree on them during its next plenary meeting on 15 June — which seems to be the plan. Both speakers suggested that intense discussions and coordination took place between the EDPB and the EU Commission.
As a result, there's reason to hope that the EDPB will accept some sort of “risk-based approach” even for transfers falling under U.S. FISA Section 702. Remember, in its draft Recommendations 1/2020, the EDPB was clear that in certain use cases no room for a risk-based analysis exists, whereas the EU Commission’s draft implementing decision (Recital 20) mentioned controllers should take into account the “specific circumstances of the transfer (such as … the nature of the data transferred, … the purpose of the processing and any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer).” It now seems the final SCCs will include similar wording, and the EDPB will allow such aspects to be considered at least to a certain, limited extent.
That said, both speakers agreed there continues to be a very limited margin for data transfers to the U.S. where the data importer falls under Section 702 and where the data exporter is not able to apply technical measures that exclude access to the clear data on the data importer’s side. Unsurprisingly, strong technical security measures will remain the only real solution.
The good news is that the EDPB apparently aims at applying a coherent approach across Europe regarding data transfers to major U.S.-based cloud and technology providers, especially whether these providers fall under Section 702 and whether their supplementary measures — contractually and technically — meet the EDPB’s requirements.
A revamped EU-U.S. Privacy Shield is still far away. After some promising signs shortly after the new administration took over the White House, the discussions are ongoing, but companies might be well-advised not to expect rapid progress.
Looking at the online space in particular, both the EU Commission and the Bavarian regulator see no room for application of Article 49 of the GDPR. Both panelists agreed derogations like individual consent are not suitable to justify a repetitive transfer of website user data to a technology provider located outside of Europe, though they admitted this is a somewhat “grey area.” Considering the increasingly common practice of including such wording in website consent banners, it will be interesting to see how courts decide, given that the Court of Justice of the European Union itself referred to Article 49 of the GDPR in its "Schrems II" ruling.
Finally, Filip was very clear that we should expect an increased level of enforcement in the coming months, not least due to the high number of complaints regulators receive. However, the event also showed there is plenty of legal uncertainty — which is why this was certainly not the last IAPP KnowledgeNet on this subject.