The privacy authority of the German state of Baden-Württemberg published a guide on data transfers outside the European Economic Area after the decision of the European Court of Justice in the famous Schrems II judgment.
I had reviewed in a previous article the Schrems II judgment, which invalidated the Privacy Shield and raised some critical issues on the use of the Standard Contractual Clauses as a mechanism for the transfer of personal data outside the EEA.
Data transfers to the United States subject to more stringent restrictions according to the German privacy authority
In the guide issued after the Schrems II judgment, the German data protection authority challenges the possibility of continuing to make data transfers to the United States on the basis of the Standard Contractual Clauses if these are not accompanied by additional measures that are effective and appropriate to ensure an adequate level of protection of personal data, thus preventing access by US intelligence agencies.
In this regard, the authority expressly advises that the following should be used as additional guarantees:
- Encryption systems where only the data exporter has the decryption key and the data cannot be decrypted by US agencies; and
- anonymization or pseudonymization systems in which only the data exporter can link the data to a specific individual.
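To make the second safeguard concrete, here is an added example (not from the guide or from DLA Piper) of exporter-side pseudonymization with a keyed HMAC, where the key and the link table stay with the data exporter and the importer receives only pseudonymous records; the field names and sample records are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: these fields are the direct identifiers the exporter strips before transfer.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Anna Rossi", "email": "Anna.Rossi@example.com", "order_total": 120.5, "country": "IT"},
    {"name": "Jan Weber", "email": "jan.weber@example.com", "order_total": 80.0, "country": "DE"},
]

def pseudonym(value: str, key: bytes) -> str:
    # Keyed HMAC-SHA256 rather than a plain hash: an unkeyed hash of an e-mail address can be
    # reversed by hashing candidate addresses, so the importer could re-link without the key.
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymize(record: dict, key: bytes, link_table: dict) -> dict:
    """Build the record the importer receives; identifiers go only into the exporter's link_table."""
    pid = pseudonym(record["email"], key)
    link_table[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    exported = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    exported["subject_id"] = pid
    return exported

def relink(exported: dict, link_table: dict) -> dict:
    """Exporter-only step: restore the identifiers from the retained link table."""
    return {**exported, **link_table[exported["subject_id"]]}

def importer_recomputes(exported: dict, guessed_email: str, key: bytes) -> bool:
    """Models re-identification by recomputing the pseudonym from a guessed address with `key`."""
    return pseudonym(guessed_email, key) == exported["subject_id"]

def transfer(records: list, key: bytes = b""):
    """Pseudonymize a batch; returns (key, link_table, exported). Key and table never leave the exporter."""
    key = key or secrets.token_bytes(32)
    link_table: dict = {}
    exported = [pseudonymize(r, key, link_table) for r in records]
    return key, link_table, exported

if __name__ == "__main__":
    _key, _table, out = transfer(SAMPLE_RECORDS)
    print(out)  # records carry only subject_id pseudonyms, no name or e-mail
```

Only a party holding `key` can recompute a pseudonym from an address, and only the exporter's `link_table` maps pseudonyms back to identifiers, which is the separation the guide asks for.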
Alternatively, consideration could be given to basing the data transfer on Article 49 of the GDPR, which introduces special “derogations for specific situations”. However, this provision must be interpreted restrictively and, therefore, can only be invoked in a few exceptional cases (e.g., in the case of occasional transfers).
The German privacy authority extends the scope of the Schrems II decision to any data transfer outside the EEA
Extending its reflections to any non-EEA transfer, the guide nails down a checklist for data exporters, where it is suggested in particular to:
- identify the non-EEA countries to which personal data are transferred;
- communicate to service providers and contractual partners in third countries the decision of the European Court of Justice and its consequences;
- obtain information about the legal system of the third country to which the personal data are transferred;
- verify whether the European Commission has issued an adequacy decision concerning the country to which the transfer is being made;
- in the absence of an adequacy decision, verify whether the contractual clauses can be used without recourse to additional measures; and
- if none of the above conditions are met, verify whether the personal data can be transferred to the third country on the basis of additions to the standard contractual clauses introducing supplemental contractual obligations.
In this regard, according to the German data protection authority, in the case of dealings with data importers that act as data processors, the matter could, among other things, be tackled through some of the following supplementary provisions to the Standard Contractual Clauses:
- the obligation to inform data subjects in connection with any transfer of personal data in these countries (and not only in the case of transfers of special categories of data);
- the referral to the courts of the EU Member State where the data exporter is established of any dispute between the data subject and the data importer; and
- the inclusion of an indemnity clause for the case of violation of standard contractual clauses.
Finally, the German data protection authority has pointed out that, in the course of investigations, it will also take into account the possible existence of alternative service providers and/or contractual partners to which companies could turn without making data transfers to those countries that offer a low level of protection to personal data. Under such a scenario, if companies are unable to prove the reasons why the services provided by their suppliers/contractual partners are irreplaceable in the short or medium term, the authority may prohibit the relevant data transfers.
A more detailed analysis of the guide from the data protection authority of the German State of Baden-Württemberg in the light of the Schrems II judgment is available in this article from our German colleagues at DLA Piper.
My view on the guide and the consequences of the situation
During the last weeks, I heard several comments on how to assess data transfers. Some experts were wondering whether a data protection impact assessment would be enough to prove the adequacy of data transfers outside the EEA. My view is that the purpose of the DPIA is not to assess the risk of access by non-EEA authorities to transferred data. It is focused on the risks deriving from the data processing activity, without determining the scope, limits, and impact of the non-EEA law on the processed data, and therefore the risk of access by foreign authorities to data.
This different perspective led my colleagues and me at DLA Piper to deploy an ad hoc methodology for the assessment of data transfers outside the EEA, which reflects aspects of the guide from the data protection authority of the German State of Baden-Württemberg, but is broader. Thanks to the support of our non-EEA colleagues, we can provide a review of the foreign law and of how it impacts each specific data transfer, and through a legal tech tool developed by our team, we can automate the assessment process.
You can read more about the DLA Piper methodology to assess data transfers in this article. Also, we are arranging a webinar (in Italian) on the 10th of September on the topic, whose details are available here. We will also organize a webinar in English with our DLA Piper colleagues on the same issue in the coming weeks.
Image credit: Judy van der Velden