The German data protection authority of the federal state of Baden-Württemberg (LfDI BW) issued detailed guidance (the Guidance) on international data transfers in August and September 2020. It is the first official guidance by a data protection authority following the decision of the Court of Justice of the European Union (CJEU) in the Schrems II case (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) that contains concrete guidance and suggested next steps.
Summary of the Guidance: (i) Checklist plus (ii) action items
The LfDI BW reiterates that international data transfers must be subject to an adequacy assessment and that, where necessary, additional safeguards must be implemented to supplement the transfer mechanism relied upon. For this assessment, the LfDI BW proposes a checklist and specific action items for the amendment of the SCCs and, potentially, other data transfer mechanisms.
(i) Checklist
The LfDI BW's checklist sets out the items that each data exporter should check and assess when transferring personal data outside the EU/EEA:
(a) Identify the cases in which personal data is transferred to third countries (including, e.g., remote access by private parties or public authorities);
(b) Contact service providers and contractual partners in third countries and inform them about the CJEU’s judgement and its implications;
(c) Assess and update privacy notices if required, particularly provide information on international data transfers, such as the transfer mechanisms that are relied upon (Art. 13(1) lit. f) GDPR);
(d) Assess and amend records of processing activities if required;
(e) Request data processors that transfer personal data to the US on the basis of the Privacy Shield Framework to stop such transfers immediately, until the service provider (or any sub-processor deployed) ensures a level of data protection that corresponds to that within the EU;
(f) Assess the legal situation in the third country (privacy laws, governmental access requests, data subject rights, legal remedies, etc.) and also whether there is an adequacy decision for that third country (Art. 45 GDPR);
(g) Rethink the transfer to the third country and assess whether it can be avoided, e.g. by using service providers that do not require a transfer of personal data to third countries, or by encrypting the personal data in such a way that no other party receives the key;
(h) Assess whether the SCCs can be relied upon for the respective third country and, if so, whether additional safeguards are required, e.g. an amendment of the SCCs (see below) or technical measures such as encryption or anonymization;
(i) Assess whether Binding Corporate Rules (BCRs) can be relied upon (Art. 47 GDPR) and if so, whether additional safeguards are required;
(j) Assess whether, as a last resort (ultima ratio), any of the derogations for specific situations can be relied upon, e.g. for intra-group data transfers (Art. 49 GDPR);
(k) Assess whether each assessment and the subsequent steps are sufficiently documented and can be demonstrated to the authorities (Art. 5(2) GDPR).
(ii) Action items – Amendment of SCCs
Where the data transfer relies upon SCCs and the data exporter's risk assessment in the individual case shows that additional safeguards are required, the LfDI BW recommends that the data exporter at least reach out to the data importer and propose the following amendments to the SCCs:
(a) include an obligation for the data importer to inform the data subjects about transfers of personal data to a third country;
(b) include an obligation for the data importer to inform not only the data exporter but, as far as they are known, also the data subjects about any legally binding request for disclosure of personal data made by an enforcement authority; if notifying the data subjects is prohibited, e.g. under criminal law, the data importer must be obliged to inform the data exporter, who should contact the local data protection authority to assess how to proceed; in such cases, the data importer shall also be obliged to regularly provide the data exporter with general information on disclosure requests by authorities (at least the number of requests, the type of data requested and the requesting authority);
(c) include an obligation for the data importer to take every legal action available against such requests for disclosure and to refrain from disclosing any personal data until a competent court of last instance has confirmed the request;
(d) include an obligation for the data importer to inform the data subjects of any engagement of sub-processors;
(e) include an obligation for the data importer to compensate the data subject, irrespective of fault, for all damage caused by access to the personal data by authorities of the data importer's state;
(f) include an indemnification clause covering liability for any damage caused by the data importer's non-compliance with its obligations.
According to the LfDI BW, these amendments may be included either in a separate agreement or in the agreement incorporating the SCCs itself.
For transfers of personal data to the US, however, the LfDI BW considers additional technical safeguards, such as encryption or anonymization of the personal data, to be required in most cases.
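What "encryption of personal data without providing the key to any other party" (checklist items (g) and (h)) and the technical safeguards mentioned for US transfers look like in practice is left open by the Guidance. The following Go program is an added illustration, not code from the LfDI BW or from the original post: the data exporter encrypts each record with AES-256-GCM under a key that never leaves the EU (in production it would sit in an EU-hosted KMS or HSM; here it is simply generated in memory) and replaces the customer identifier with an HMAC-based pseudonym under a second exporter-held secret, so the importer receives a stable join key and opaque ciphertext but can neither read the data nor respond to a disclosure request with anything useful. The record fields and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is the personal data as held by the EU data exporter (constructed example fields).
type Record struct {
	CustomerID string `json:"customer_id"`
	Name       string `json:"name"`
	Email      string `json:"email"`
}

// ExportedRecord is what actually leaves the EU: a keyed pseudonym the importer
// can use as a stable join key, plus ciphertext it cannot open.
type ExportedRecord struct {
	Pseudonym  string `json:"pseudonym"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// NewKey returns 32 random bytes (AES-256). Assumption: in production this comes
// from an EU-hosted KMS/HSM and is never shared with the importer.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Pseudonymize derives a stable identifier with HMAC-SHA256 under a secret that
// stays with the exporter. Without the secret the importer cannot recover or
// guess-and-check the original ID; with it the exporter can re-link the record,
// which is why this is pseudonymisation, not anonymisation, in GDPR terms.
func Pseudonymize(secret []byte, id string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))
}

// Seal encrypts the whole record with AES-256-GCM under the exporter's key.
// The pseudonym is bound in as additional authenticated data, so a ciphertext
// cannot be silently re-attached to a different pseudonym by the importer.
func Seal(key, pseudoSecret []byte, rec Record) (ExportedRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return ExportedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return ExportedRecord{}, err
	}
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return ExportedRecord{}, err
	}
	pseudo := Pseudonymize(pseudoSecret, rec.CustomerID)
	ct := gcm.Seal(nil, nonce, plaintext, []byte(pseudo))
	return ExportedRecord{Pseudonym: pseudo, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. Only the key holder (the exporter) succeeds; a wrong key
// or a tampered pseudonym/ciphertext fails GCM authentication.
func Open(key []byte, exp ExportedRecord) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	if len(exp.Nonce) != gcm.NonceSize() {
		return Record{}, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, exp.Nonce, exp.Ciphertext, []byte(exp.Pseudonym))
	if err != nil {
		return Record{}, err
	}
	var rec Record
	if err := json.Unmarshal(pt, &rec); err != nil {
		return Record{}, err
	}
	return rec, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewKey()
	secret, _ := NewKey()
	// Constructed sample record.
	rec := Record{CustomerID: "C-1001", Name: "Erika Mustermann", Email: "erika@example.com"}
	exp, err := Seal(key, secret, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("leaves the EU: pseudonym=%s... ciphertext=%d bytes\n", exp.Pseudonym[:16], len(exp.Ciphertext))
	if _, err := Open(make([]byte, 32), exp); err != nil { // importer guessing a key
		fmt.Println("importer without the key cannot decrypt:", err)
	}
	back, _ := Open(key, exp)
	fmt.Println("exporter recovers:", back.Email)
}
```

The point the checklist makes is visible in the code: the only party that can turn the exported record back into personal data is the one holding the key, so whether a transfer is "avoided" in the sense of item (g) turns entirely on where that key is stored and who administers it, which is the first question to document under item (k).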
The Guidance is the first of its kind, as it contains specific considerations and steps for making data transfers possible despite the Schrems II decision. It specifically addresses SCCs, but its reasoning also translates to other data transfer mechanisms (such as BCRs). So far, EU data protection authorities had commented on the Schrems II decision only vaguely. The LfDI BW's authority is limited to the federal state of Baden-Württemberg, and it remains to be seen whether other German or European data protection authorities will follow its interpretation.
The EU Commission is working on a new set of Standard Contractual Clauses for international data transfers, which is highly anticipated and will hopefully bring more clarity later this year.
Data exporters should continue to assess their international transfers of personal data and implement additional safeguards and action items where necessary. Additional contractual clauses should, however, be flexible enough to adapt to changes such as a new set of SCCs.
Our blog on the CJEU’s Schrems II judgement can be viewed here.