International data transfer in the light of Schrems II – new guidance
Learn about the new guidance on international data transfer published by the State Commissioner for Data Protection and Information Security of Baden Wuerttemberg.
On 24 August 2020, the State Commissioner for Data Protection and Information Security of Baden Wuerttemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg - LfDI-BW) published guidance on international data transfer in the light of the decision of the European Court of Justice (ECJ) of 16 July 2020, no. C-311/18 (Schrems II). In this decision, the ECJ found that:
the EU-US Privacy Shield does not provide for an appropriate level of data protection. As a result, and with immediate effect, this tool cannot be used any longer for transferring personal data from the EU to the US. Any data transfer that continues to rely on the Privacy Shield is illegal and may result in administrative fines and claims for damages; and
the standard contractual clauses (SCC) adopted by the Commission in 2010 are still valid. However, a level of protection for personal data must be ensured which is equivalent to that in the European Union.
In its guidance the LfDI-BW particularly sets out:
a compliance checklist for companies that export data outside the EU (including the need to provide additional guarantees in cases of disproportionate access rights of third country state authorities to the exported data); and
a set of amendments to the SCCs for controllers who want to export personal data to a country that does not provide for an appropriate level of data protection. The amendments particularly aim at ensuring appropriate safeguards by the controller and the processor, as well as providing the data subjects, whose data has been exported outside the EU, with enforceable rights and effective remedies.
The LfDI-BW highlights that where the controller cannot provide such suitable protection, even with additional measures, he/she must suspend/terminate the transfer.
In the following you will find an English translation of the aforementioned checklist, as well as of the set of amendments to the SCCs.
1. Checklist
You should without undue delay:
Make an inventory of the cases in which your company exports personal data to third countries (meaning states that are not EU Member States). This may include access by private or public bodies in third countries to data held by you; physical export of the data is therefore not necessary.
Contact your service provider/contract partner in the third country and inform them about the ECJ decision and its consequences.
Obtain information on the legal situation in the third country (public bodies such as data protection supervisory authorities, the European Data Protection Board (EDPB), the EU Commission or the Federal Foreign Office (Auswärtige Amt) should be able to provide assistance).
Check whether there is an adequacy decision for the third country in accordance with Art. 45 GDPR. This has now been declared invalid for the USA, but for Argentina, Canada, Japan, New Zealand or Switzerland this possibility still exists, see a detailed list here; if necessary, you can also invoke binding internal data protection rules under Article 47 GDPR (BCRs).
Check whether you can use the standard contractual clauses adopted by the Commission for the country in question (Article 46 para. 2 lit. c GDPR) - these are available here.
The answer is in the negative if authorities or other bodies of the third country can interfere in a disproportionate way with the rights of the data subjects (eg mass retrieval of data without informing the data subjects and without procedural safeguards such as a judicial reservation (Richtervorbehalt)) and there is no effective legal protection for the data subjects.
This was denied by the ECJ for the US. A transfer of data using the standard contractual clauses is therefore only possible in the US in very limited cases with the help of additional guarantees (see below).
Check whether you can transfer the data to the country in question using the standard contractual clauses and additional guarantees. Such guarantees must effectively prevent access by the US intelligence services and thus protect the rights of the data subjects. For the following two cases, the LfDI-BW considers it as possible that such requirements could be met:
a) Encryption that cannot be broken by US services and where only the data exporter has the (decryption) key.
b) Anonymization or pseudonymization, where only the data exporter is able to attribute the data to a natural person.
Nevertheless, the LfDI-BW highlights that such a check must also include the consideration of whether it is relatively easy to avoid transmission or access by others, eg by means of an agreement that the data is hosted in one of the (European) member states of the GDPR or that no data is transmitted to the US at all.
2. Amendments to the SCCs
In order to demonstrate and document the willingness to act in accordance with the law, the LfDI-BW recommends that data exporters also contact the respective recipient of the data and agree in particular on the following changes to the provisions of the standard contractual clauses (controller to processor):
Amend clause 4f: Informing the data subject, not only when special categories of data are transferred, but also in the case of any transfer (before or as soon as possible after the transfer) that his or her data will be transferred to a third country which does not provide an adequate level of protection within the meaning of the GDPR.
Amend 5d i: Obligation for the data importer to inform not only the data exporter but also the data subject without undue delay of any legally binding request by an enforcement authority for disclosure of the personal data; if such provision of information is otherwise prohibited, for example by a prohibition under criminal law intended to maintain the confidentiality of criminal investigations, you must contact the (responsible) data protection supervisory authority, namely the responsible State Commissioner for Data Protection and Informational Freedom, to clarify the further procedure.
Addition to Clause 5d of an obligation on the data importer to take legal action against any disclosure of personal data and to refrain from disclosing the personal data to the relevant authorities until a competent court of last instance (letztinstanzlich) has ordered the data importer to disclose the data.
Amend Clause 7 para. 1: use only b): referral of the dispute to the courts of the Member State where the data exporter is established, in case a data subject claims rights as third party beneficiary and/or damages against the data importer under the contractual clauses.
Inclusion of an indemnification clause as set out in Annex 2:
"Liability
The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.
Indemnification is contingent upon:
the data exporter promptly notifying the data importer of a claim; and
the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim."
The LfDI-BW continues that in cases where a data transfer would not be permissible after the aforementioned testing steps, a last resort would be to transfer data in accordance with the exceptional provision of Art. 49 GDPR. This can be considered in particular in the case of data transfers within a group or in the case of individual contractual relationships. In this case, it would have to be examined whether the restrictive nature of the norm does not prevent the transmission.
You can find the full (German) guidance of the LfDI-BW here. If you have any questions in relation to the LfDI-BW's guidance, or any other questions relating to international data transfers, please do not hesitate to contact us at any time.



