Baden-Württemberg DPA Issues Guidance on Data Transfers Following Schrems II

The Baden-Württemberg Data Protection Authority issued advice to data controllers in this German state following the Schrems II judgment on 28 August (in German).

This passage correctly sums up the EU Court of Justice (CJEU) approach to Standard Contractual Clauses (SCCs) as the basis for transfer of personal data outside the European Economic Area:

“SCCs cannot bind the authorities of a third country. In cases in which the authorities [of a third country] can, under the law of [that] third country, [unduly] interfere with the rights of the data subjects, [SCCs] can therefore not provide appropriate protection unless the contract parties adopt supplementary measures [to protect any data that are transferred to that third country under the relevant SCC from such undue interference].”
(Die Standardvertragsklauseln können allerdings die Behörden des Drittlandes nicht binden und stellen daher in den Fällen, in denen die Behörden nach dem Recht des Drittlandes befugt sind, in die Rechte der betroffenen Personen einzugreifen ohne zusätzliche Maßnahmen der Vertragspartner keinen angemessenen Schutz dar.)

Baden-Württemberg Data Protection Authority

Below is my rough translation/paraphrase of the main bits:

[Whether the data can be protected against access by the US (or other third countries: see below) secret services] must be assessed by those responsible (Verantwortliche) on a case by case basis. If they find that they cannot protect the data against undue access, they must not transfer the data/cease any transfer. If a DPA notes this, the DPA must order the ending of the transfer.

Immediately affected entities: all public bodies or companies that transfer data to the USA, especially when they did this until now under the Privacy Shield – but also when they used SCCs.

Non-exhaustive examples:

  • you have a commercial relationship with companies that have their seat in the USA and exchange personal data on customers with them in that context (suppliers’ addresses, complaints, orders, etc.) or on employees (contracts, networks, etc.)
  • you store data in a cloud that is hosted by a US company [on a server] outside the EU.
  • you use a video conference system of a US provider who collects data on the participants and transfers those [data] to the USA.

This also applies if you use a processor who transfers data to the USA. This actually also applies to any other third country, “for example the UK” (!) (Repeated with further detail at the end of section III, under number 2)

Transfers that continue to be based on the Privacy Shield are unlawful and can be punished with fines and compensation payments.

Transfers on the basis of SCCs are (just about) feasible (“denkbar”), but the conditions set by the Court can be met only in “rare cases” (“in seltenen Fällen”).

The supplementary measures must ensure that the US secret services are “effectively prevented” from gaining access to the data. This may be (just about) feasible (again: “denkbar”) in these cases:

  • encryption with the key held by the [EU-based] data exporter – but the encryption has to be strong enough not to be breakable by the US authorities
  • anonymisation or pseudonymisation, that allows only the [EU-based] data exporter to re-identify the data.*
  • *DK comment: if such data are matched against other data in the USA, they will often become re-identifiable, but the BW DPA does not address that.

Transfers of personal data under Art. 49 are (just about) feasible (again: “denkbar”), but note should be taken of the generally restrictive application of this article, as clarified in the EDPB Guidelines 2/2018. Art. 49(1) can only be relied on in relation to incidental transfers, not in relation to regular, repeated transfers. Art. 49(2) is even more restrictive. Art. 49(3) applies only to public authorities.

What to do next/check list

Take stock of the transfers to [any] third country. Check also if private or public entities in third countries may be able to access (some) of your data remotely, “a physical export is not required”.

Inform any supplier/contract partner in all third countries of the judgment and its consequences.

Find out about the legal situation in all the third countries to which you transfer data. “Public authorities such as the DPAs, the EDPB, the EU Commission or the Foreign Office should provide guidance on these matters.” (DK: really?)

Find out if there is an adequacy decision in relation to the third countries. In certain cases, you may be able to rely on BCRs.

See if you can use any of the SCCs that have been issued by the Commission:

“You will have to conclude that they cannot be used if authorities or other bodies of the relevant third country can interfere in a disproportionate way with the rights of data subjects, e.g., if they can collect data in bulk without informing the data subjects and without constitutional protection such as a [requirement for a] judicial order [granting access].”

“That was what the Court concluded in relation to the USA. Therefore, transfers to the USA on the basis of SCCs will only be possible in extremely limited cases (“eng begrenzte Fälle”), with the use of supplementary measures such as encryption (see above and next).”

Check to see if you can use SCCs with supplementary measures:

“This means in particular that you should consider if you can make access by others [read: third country agencies] relatively avoidable, e.g., by using encryption, or stipulating that the data must remain in the area of application of the GDPR [I think this should be read as: within the EU/EEA] and that no data will be transferred to the USA.”

Parties that rely on the (Commission-approved) SCCs should immediately amend some of the clauses, i.e.:*

  • Clause 4f should be amended to require all data subjects to be informed of all transfers of any of their data to a non-adequate third country (rather than only if the data are sensitive, as currently specified);
  • Clause 5d(i) re the duty of the importer to inform the data exporter (in the EU) about any “legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation”. “If such a prohibition is in force, you must contact the DPA and discuss what to do” (“das weitere Vorgehen abklären”);
  • Add to Clause 5d a duty on the part of the data importer to challenge any demand for access [to the transferred data] in court and to not provide the data to the authority in question [i.e., that is demanding access] until a final judgment ordering disclosure has been issued.
  • (DK: This rather assumes that the third country obeys the rule of law, or implies that exports to any not rule of law-compliant country can never be permitted)
  • Delete from Clause 7(1) the possibility of data subjects choosing to take their cases in which they invoke the third-party effect of the clauses to arbitration, leaving only the option of taking the case to court.
  • Always use the indemnity/liability clause set out in Annex 2 to the SCCs

(NB: The SCCs to which the BW DPA refers are the controller-to-processor (thanks Kuan!) ones, adopted by the Commission on 5 February 2010).

If after going through the check list it has to be concluded that the transfer is not allowed (under Article 46), the last remaining option is the exception clause in Art. 49. It may be possible to use this clause in relation to [incidental] data transfers within a company, or in relation to one-off contracts. But care must be taken to check that the restrictive application of this provision does not stand in the way of such a transfer.

As to the enforcement policy of the BW DPA in this respect, the note says that companies must check if they cannot use alternative [read: non-US] providers or alternative transfer arrangements.

“If you cannot convince us that the [US] provider or contract partner that you use cannot be replaced in the short to medium term by a reliable provider or contract partner without transfer problems, the transfers [to the US provider or partner] will be prohibited by the BW DPA.” (original emphasis)

But the BW DPA is aware that the judgment may pose extreme problems for some companies and will act proportionally. It will keep the issue under review and will continue to develop its position.