On Sept. 7, 2020, Germany’s Baden-Württemberg Commissioner for Data Protection and Freedom of Information updated its guidance on international data transfers. It is, as yet, the first and only European national supervisory authority to have issued mandatory guidance following the Court of Justice of the European Union’s judgment in the “Schrems II” case.
Overview
As per the Baden-Württemberg’s updated guidance, standard contractual clauses (SCCs) remain a valid data transfer mechanism to companies in third countries without an adequacy decision; however, it has been clarified that the standard and level of data protection in the third country must be equivalent to that of the EU. In this regard, EU data exporters must review the level of data protection granted to EU residents in the third country, taking into consideration Article 46(1) of the EU General Data Protection Regulation and the EU Charter of Fundamental Rights, and focusing specifically on the following factors: suitable guarantees by the controller and processor within the SCCs; enforceable rights for the data subjects within the third country; effective remedies for the data subjects within the third country; and the possibility of access to the transferred personal data by public authorities in the third country.
Mandatory checklist
The updated guidance of the Baden-Württemberg Commissioner (the LfDI) provides a checklist of action items that companies should consider to ensure compliance with the “Schrems II” judgment. The checklist includes the following major action items:
- Make an inventory of your international data transfers to both public and private companies. See whether you are transferring data to any companies or processors based in countries that have not been deemed adequate by the European Commission. Transfer of data includes not just the physical storage of data, but also remote access, retrieval and maintenance of personal data.
- Adapt your data protection declarations and list of processing activities accordingly — data subjects need to be transparently informed where their data is being transferred, what transfer mechanism will be used and what protections will be taken by you.
- Contact all of your processors that are still transferring personal data to the U.S. through the Privacy Shield to immediately suspend all transfers until an alternative processing or transfer mechanism ensuring protection of the data is figured out.
- Review the legal situation of the third country to which you are transferring data. Focus on the data protection laws of the third country; public authorities' access options, including surveillance of the data by intelligence services; legal protections available to you, the data importer and the data subjects; case law; the official practice in the third country concerning data protection; and so on. Employ the help of the European Data Protection Board and relevant supervisory authorities to conduct the legal review.
- Reassess whether the transfer to the third country can be avoided by contracting a ban on transfers to the third country or using encryption.
- Undertake supplementary measures along with the SCCs to protect the data if transfer to the third country cannot be avoided and is necessary.
- Assess whether you can use binding corporate rules as per Article 47 of the GDPR to transfer the data; however, this transfer mechanism may also be subject to additional guarantees.
- Consider if the transfer of data can be covered under the extraordinary situations of derogations provided under Article 49 of the GDPR (such as in the case of data transfers within the group or in individual contractual relationships).
- Document the entire process so that you can prove all the steps and conclusions, as required by Article 5(2) of the GDPR.
Protection against the intervention of the public authorities
Where public authorities disproportionately intervene with the transferred personal data, additional safeguards need to be taken by the EU data exporter, in agreement with the data importer, for the level of protection in the third country to be considered adequate for the transfer. After the CJEU’s assessment of the U.S. in “Schrems II,” the following two additional safeguards are mandatory for transfers to the U.S.: encryption for which “only the data exporter has the key” and which “cannot be broken by U.S. [intelligence] services”; and anonymization or pseudonymization where “only the data exporter can re-identify the data.”
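To make the two safeguards concrete from an engineering standpoint, the following is an added illustration (not code from the LfDI or from the original article) of what “only the data exporter has the key” and “only the data exporter can re-identify the data” look like in practice: the exporter keeps an AES-256-GCM key and an HMAC key that never leave its side, ships the importer only a keyed pseudonym and an opaque ciphertext, and retains the reverse lookup table itself. The identifier, payload and keys are constructed sample material; the type and function names are the example’s own assumptions, not terms from the guidance.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ExporterVault holds the secrets that stay with the EU data exporter:
// the AES-256 key for payloads, the HMAC key for pseudonyms and the
// reverse table that maps pseudonyms back to identifiers. (Hypothetical
// type for this example; keys are generated as constructed sample material.)
type ExporterVault struct {
	encKey    []byte
	pseudoKey []byte
	lookup    map[string]string // pseudonym -> original identifier, exporter-only
}

func NewExporterVault() (*ExporterVault, error) {
	enc := make([]byte, 32)
	pk := make([]byte, 32)
	if _, err := rand.Read(enc); err != nil {
		return nil, err
	}
	if _, err := rand.Read(pk); err != nil {
		return nil, err
	}
	return &ExporterVault{encKey: enc, pseudoKey: pk, lookup: map[string]string{}}, nil
}

// Record is all the importer ever receives: a pseudonym, a nonce and an
// opaque ciphertext. No key material travels with it.
type Record struct {
	Pseudonym  string
	Nonce      []byte
	Ciphertext []byte
}

// Pseudonymize replaces an identifier with a keyed HMAC-SHA256 tag. Without
// pseudoKey the importer can neither recompute nor reverse the mapping; the
// exporter records the reverse entry so that only it can re-identify.
func (v *ExporterVault) Pseudonymize(identifier string) string {
	mac := hmac.New(sha256.New, v.pseudoKey)
	mac.Write([]byte(identifier))
	p := hex.EncodeToString(mac.Sum(nil))[:16]
	v.lookup[p] = identifier
	return p
}

// Reidentify succeeds only on the exporter side, where the table lives.
func (v *ExporterVault) Reidentify(pseudonym string) (string, bool) {
	id, ok := v.lookup[pseudonym]
	return id, ok
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a payload with AES-256-GCM under the exporter-held key and
// binds the pseudonym as associated data, so a record cannot be re-paired
// with a different pseudonym without detection.
func (v *ExporterVault) Seal(identifier string, payload []byte) (Record, error) {
	aead, err := gcm(v.encKey)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	p := v.Pseudonymize(identifier)
	ct := aead.Seal(nil, nonce, payload, []byte(p))
	return Record{Pseudonym: p, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts with whatever key the caller holds. A party without the
// exporter's key (the importer, or anyone compelling the importer) gets an
// authentication failure rather than plaintext.
func Open(key []byte, r Record) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Pseudonym))
	if err != nil {
		return nil, errors.New("decryption failed: this party does not hold the exporter key")
	}
	return pt, nil
}

// OpenAsExporter decrypts with the exporter's own key.
func (v *ExporterVault) OpenAsExporter(r Record) ([]byte, error) {
	return Open(v.encKey, r)
}

func main() {
	v, _ := NewExporterVault()
	rec, _ := v.Seal("alice@example.eu", []byte("constructed sample: order history"))
	importerKey := make([]byte, 32) // importer holds no exporter key; an all-zero key stands in for "no key"
	_, err := Open(importerKey, rec)
	fmt.Println("importer decrypt:", err)
	pt, _ := v.OpenAsExporter(rec)
	id, _ := v.Reidentify(rec.Pseudonym)
	fmt.Printf("exporter decrypt: %s (re-identified as %s)\n", pt, id)
}
```

The point of the design is where the secrets sit: the importer can store, index and return records by pseudonym, but cannot decrypt or re-identify, so a disclosure demand served on the importer yields only ciphertext and opaque tags. This is also why the article notes the safeguard is not a catch-all: it only works where the importer never needs plaintext, which rules out many service-provider scenarios.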
However, the aforementioned safeguards are considered sufficient only for particular types of data transfers and are not a catch-all solution. The LfDI did not specify which type of data transfers would be covered under these safeguards, but it would be reasonable to assume that data transfers to U.S. electronic communication service providers would require more protections since they are subject to surveillance under Section 702 of the U.S. Foreign Intelligence Surveillance Act. Thus, other specific and enhanced protections may be required against the intervention of public authorities on a case-by-case basis.
It is important to note that despite these safeguards, the LfDI can still stop any data transfer that it believes does not ensure adequate data protection standards against the intervention of the public authorities of a third country.
Amendments to the SCCs
Finally, the LfDI recommends the following changes in the SCCs be made, as part of the main agreement or separately, as minimum additional safeguards when transferring data to companies based in risky third countries:
- Amendment to SCC Clause 4(f): Informing the data subject, not only in the case of transfers of special categories of data, but also in the case of any transfer (before or as soon as possible after the transfer) that their data will be transferred to a third country that does not provide an adequate level of protection within the meaning of the GDPR.
- Amendment to SCC Clause 5(d)(i): Obligation of the data importer to inform not only the data exporter, but also the data subject (if known) promptly of any legally binding requests by a law enforcement authority for disclosure of the personal data. The data importer shall be obliged to regularly provide the data exporter with general information, including at least the number of requests, type of data request and the requesting party, in connection with such requests. If reporting of such requests by the law enforcement authority is not allowed under the law, the supervisory authority needs to be advised of such a situation.
- Amendment to SCC Clause 5(d): Data importers to take legal action against disclosure/surveillance requests by public authorities of their country and refrain from disclosing the transferred personal data until a competent court of the last instance has ordered them to disclose the data in a legally binding manner.
- Amendment to SCC Clause 5(h): Along with the data exporter, the data importer should be obligated to inform/notify the affected data subject of any award of a contract to a sub-processor.
- Amendment to SCC Clause 6: The data subject can hold the data exporter or the data importer liable for any breach of the provisions of the SCC by the data importer or a sub-processor. The data subject who has suffered damage as a result of such breach shall be entitled to obtain compensation from both data exporter and importer.
- Include an obligation for the data importer to compensate the affected data subjects, independent of fault, for damages caused by the access of their data by the public authorities of their country.
- Inclusion of an illustrative compensation clause in Appendix 2 of the SCCs, according to which, if one party is held liable for a breach of the SCCs, the other party shall, to the extent it caused the breach, compensate the first party for all costs, damages, expenses and losses incurred.
With the European Commission reviewing and updating the SCCs soon, it can be safely concluded that these amendments suggested by the LfDI will certainly be considered and that future SCCs will most probably closely resemble the amended versions suggested here.
What’s next?
A recent survey discovered that around 60% of EU companies say that they would not reduce transfers to the U.S., despite the existing risks. Thus, the on-ground reality is that trans-Atlantic data transfers are not slowing down anytime soon. So, a solution needs to be posited that protects the fundamental privacy rights of European residents while allowing EU-U.S. businesses to function.
Thus, in these uncertain times, the guidelines issued by the LfDI serve as a beacon of hope as they provide a concrete international data transfer solution to companies. In particular, the mandatory checklist provided within the guidance serves as a practical action plan for companies that are still deliberating on how to conduct their risk assessments for continuing their cross-border data transfers in a compliant manner.
The recently established EDPB task force for "the uniform application of the 'Schrems II' judgment" is likely to study this guidance as well, to extract a unified and comprehensive response for the European supervisory authorities to follow. It’s safe to say that companies, even outside the LfDI’s jurisdiction, can begin to take this guidance as the minimum threshold for legal transfers of data of EU residents to the U.S. until the EDPB-appointed task force can finalize its recommendations.