Greetings from Brussels!

Despite the slower summer months compounded by the pandemic, there is still a good deal of uncertainty being discussed around the "Schrems II" decision. We can imagine that the collective of European data protection authorities is presently looking for elegant solutions to advise on international data transfer questions coming from businesses across Europe. Earlier in the week, one of the European data protection authorities climbed over the parapet and took a leap. State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg Stefan Brink published fairly concrete guidance (in German only) on international data transfers resulting from the CJEU decision; that’s a first.

The guidance, referred to as an "orientation aid," makes some very practical suggestions as to what EU companies should be looking to implement in light of the decision. For example, companies should be making an inventory of third countries where they are exporting personal data and checking whether those countries have an adequacy status in line with Article 45 of the GDPR. It is important to establish the legal situation in those countries, be it through your respective data protection authority, the European Data Protection Board or the European Commission; in the case of Germany, the Federal Foreign Office can also assist. Importantly, companies need to enter into a dialogue with their respective service providers and partners to inform them of the CJEU ruling and discuss the impact on operational data transfer flows. As necessary, one needs to assess whether the existing SCCs for those transfers can be used (unchanged) or look to agree on amendments to contractual clauses.

According to Baden-Württemberg, data transfers under Article 49 GDPR remain possible. However, the DPA emphasizes the restrictive character of the Article 49 derogations of the GDPR. With respect to onward transfers to the U.S., the guidance states that continued transfer on the basis of standard contractual clauses is permissible, although such transfers are unlikely to meet the requirements for adequate protection as determined by the CJEU. The German watchdog advises the use of additional safeguards. One such measure is the use of encryption technology where only the data controller has the key, thus preventing access by third-party intelligence services. An example of this is cloud storage with U.S. providers; incidentally, the likes of Microsoft, Amazon and Google are in the process of developing their technology to offer end-to-end encryption services in the future, including while data is being processed. Another suggestion is making use of anonymization or pseudonymization features, where only the data exporter has the key to reidentify the individuals. Lastly, establishing localized agreements with third parties to only host data in the EU, avoiding access by U.S. counterparts and third organizations, is also mooted. Similar considerations also apply to the use of software-as-a-service model companies, such as Salesforce and other CRM design platforms.

Brink concludes that “the State Commissioner for Data Protection and Informational Freedom in Baden-Württemberg will proceed with a focus on the issue of whether there are any reasonable alternative offers without transfer problems, that is, beyond the service provider/contractual partner you have chosen. (...) The State Commissioner for Data Protection and Informational Freedom will act in accordance with the proportionality principle. We will continue to monitor developments and continuously review and develop our positions accordingly.”

For now, it is my understanding that Brink will not actively seek enforcement; there is also the expectation of a wider and more pronounced position from the EDPB, which continues to analyze the decision as they undoubtedly confer with other EU authorities.

While only scratching the surface here, there is much to digest from this first guidance. It is worth speaking with German colleagues or obtaining a decent translation for study; you may find it particularly helpful in reviewing SCC clauses and potential amendments as embodied in the document. My thanks to IAPP members Sebastian Kraska of IITR Datenschutz GmbH and Ulrich Baumgartner of Allen Overy Germany for walking me through the guidance and sharing their thoughts. The view is that while the practical guidance approach is welcome, it remains only one regulatory view. And one not necessarily shared by all German DPAs or other EU counterparts.