German Supervisory Authority Publishes First Substantive Guidance on International Data Transfers in the Post Schrems 2.0 Era

August.25.2020

On 16 July, 2020 the European Court of Justice (“CJEU”) published its decision invalidating the EU-U.S. Privacy Shield and setting out enhanced requirements for using the so-called Standard Contractual Clauses for Processors (Decision 2016/1250 – “SCCs”) (judgement C-311/18 – “Schrems II”). See our previous blog on the Schrems II decision for further details. Shortly thereafter, the European Data Protection Board (“EDPB”) adopted FAQs (see our follow-up blog post), which mainly focused on how to conduct the required risk assessment in connection with the SCCs.

Whereas the CJEU was very clear that companies need to act in order to remain in compliance with the GDPR’s requirements with respect to cross-border data transfer, companies found themselves scrambling to make sense of the rather abstract guidance provided by the CJEU and the EDPB.

On 24 August, the Data Protection Supervisory Authority for the State of Baden-Wuerttemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden Württemberg, “Supervisory Authority”), one of 17 German data protection supervisory authorities, issued more substantive guidance (“Guidance”) on how to conduct the necessary analysis and risk assessment. The Guidance is particularly noteworthy as it calls into question whether data transfers to the U.S. based on the SCCs can continue if they are not accompanied by additional measures such as encryption. In addition, the Supervisory Authority threatens companies with enforcement actions if they fail to take the required steps.

In this blog post, we summarize the Guidance, analyze the practicality of the recommendations and provide guidance on how companies should proceed.

What are the Key Features of the Guidance and What Should Companies Do?

Privacy Shield: The Supervisory Authority indicates that it will not hesitate to issue fines against companies that still rely on the EU-U.S. Privacy Shield for data transfers to the U.S.
- If not already done, companies should immediately determine whether they or their vendors still rely on the Privacy Shield for transfers of personal data into the U.S. If so, companies should pivot to an alternate method of cross-border data transfer, such as the SCCs.

Data Transfers to the US: The Supervisory Authority takes the view that, at least for data transfers to the U.S., the SCCs alone would not ensure an essentially equivalent level of data protection. As a result, either supplementary measures would be needed or data transfers would need to be limited to occasional transfers or to specific situations. According to the Guidance, such additional measures could include encryption, anonymization or pseudonymization of the personal data at issue. However, the Supervisory Authority appears to require that the encryption mechanism is one that cannot be decrypted by foreign intelligence services. Further, the Guidance indicates that, where possible, data should be pseudonymized in a way that only the company transferring the data to another country would be able to re-identify the relevant individual.
- Companies should focus on applying state-of-the-art encryption mechanisms. However, given the technical know-how and capacities of most intelligence services, it remains questionable from a technical perspective whether an encryption mechanism actually exists that could withstand decryption efforts including brute-force attacks by intelligence services. Thus, companies should focus on using encryption mechanisms that make access to personal data considerably more difficult. We assume that state-of-the-art encryption mechanisms will still have a beneficial impact from a sanction risk perspective, provided the company has documented its efforts in this regard.

Consider Data Migration: The Supervisory Authority suggests that companies should review every data transfer and determine with every service provider whether the data transfer remains justifiable. The Supervisory Authority recommends considering localizing the personal data in the EEA in order to avoid a transfer of data to third countries.
- Companies should determine whether they can mitigate risks by using additional technical or contractual measures or assessing whether a data transfer is still justifiable without any further supplementary measures. If not, companies should check whether it is feasible to localize data in the EEA. While service providers may still have remote access to personal data located on servers in the EEA, the risks associated with mere remote access are lower than storing the data on servers located in a country outside the EEA.

Data Transfers to Other Third Countries: The conditions imposed on continuing to rely on the SCCs do not apply only to data transfers to the U.S. but also to all other countries that do not provide an equivalent level of protection. Consequently, an assessment must be conducted, and measures taken (if necessary) in relation to all data transfers to countries located outside the EEA that do not have adequacy decisions.
- Companies should assess where they are transferring personal data. On the basis of this assessment, companies should reach out to their contractual partners or service providers in the respective countries in order to understand the applicable legal framework.

Privilege for Group Internal Data Transfers? The EDPB’s guidelines on data transfers on the basis of Art. 49 continue to apply. While the EDPB emphasized in the FAQs that it takes the view that data transfers for the performance of a contract must be occasional, the Supervisory Authority suggests that Art. 49 GDPR could be appropriate for intra-group data transfers and individual contracts, i.e. also for non-occasional limited data transfers.
- Given the limited scope of Art. 49 GDPR (that the Supervisory Authority seems to endorse), this is a rather innovative approach and would certainly be helpful for intra-group data transfers. It remains to be seen in which cases such data transfers can actually be justified under Art 49 GDPR and further guidance in this regard is highly anticipated…

Suggested Contractual Improvements: The Supervisory Authority suggests certain amendments to the SCCs to demonstrate the transferring parties’ intentions to mitigate the risks associated with transfer of personal data. The Supervisory Authority in particular recommends modifying the applicability of Sec 4 lit. f, Sec. 5 lit. d (i)and Sec. 7 (1) of the SCCs to ensure that (i) data subjects will be informed of a transfer of their personal data to a third country, (ii) data subjects will be informed of any disclosure of such data to enforcement authorities (where this is prohibited by law the data importer consults with the supervisory authority in the EU), (iii) the data importer in the third country is obliged to take legal actions against such disclosure requests and personal data will only be disclosed upon final judgement; and (iv) disputes will only be referred to the courts in the member state in which the data exporter is established. In addition, the Supervisory Authority suggest implementing a clause on indemnification for breaches of the provisions set forth in the SCCs.
- Companies should reach out to their service providers in third countries or their affiliates and suggest negotiating supplementary clauses to accompany the SCCs.

Measured Approach: The Supervisory Authority indicates that it will in its assessment also take into account whether the transfer of personal data to a third country is actually necessary, i.e. it requires companies to assess whether reasonable alternative service providers exist in countries within the EEA or otherwise providing for an essentially equivalent level of data protection. The Supervisory Authority also states that it will prohibit transfers of data to service providers in third countries if the transferring company cannot demonstrate that the engagement of this particular service provider located in a third country is irreplaceable but that any such enforcement actions would be measured.
- Companies should place a particular focus on the description of the services provided by their services providers located in third countries, e.g. in data processing agreements. Generic descriptions are likely to be challenged by the Supervisory Authority with the argument that equivalent service providers exist in the EEA so that it is important to document the uniqueness of the services provided. The Supervisory Authority did not clarify whether economic considerations will be taken into account when assessing the uniqueness of the services. It is questionable whether this view can be upheld as this severely limits the freedom to operate.
- The fact that the Supervisory Authority notes that any of its enforcement actions will be measured and proportionate should be self-explanatory as this is a fundamental principle of European law. However, it is nevertheless a good sign that, unlike the CJEU, the authorities do not consider privacy rights to be absolute. The legal principle of proportionality of state actions will thus help companies to defend a continued transfer of data where the overall risks to the personal data seems limited and where clear economic needs/advantages speak in favor of a continued data transfer.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.