Schrems II: GDD Guidance for companies

The ECJ declared the EU-US Privacy Shield to be invalid in its ruling of 16.07.2020 (C-311/18) and reminded of the obligations for data exporters and data importers when applying the Standard Contractual Clauses, especially with regard to legally compliant data transfer. Data exporting Controllers in the European Union or in countries of the European Economic Area now face the challenge of how personal data can continue to be transferred to third countries in a legally compliant manner. The GDD would like to provide recommendations for action in this regard in order to support data controllers and their data protection officers in implementing the ECJ ruling.

1. EU-US Privacy Shield

After the above-mentioned ECJ ruling, personal data from the European Union can no longer be transferred to the United States on the basis of the EU-US Privacy Shield Agreement. Since the conclusion of a successor regulation to the EU-US Privacy Shield is not foreseeable, a change to another mechanism for legitimizing personal data transfers to importers based in the US in accordance with Chapter V of the GDPR must be implemented without delay.

2. Standard Contractual Clauses

According to the ECJ judges, the so-called Standard Contractual Clauses[1] can still be used for the transfer of personal data to a third country under certain conditions. However, there is an obligation on the part of the Controller (data exporter) as well as the data importer to review the data transfer. This obligation to review relates to whether the Standard Contractual Clauses already provide sufficient guarantees for the transfer or whether additional guarantees need to be created or agreed upon. In practice, this also requires a reassessment of international data flows already in use.

a) Assessment

Using the existing records for processing activities, data transfers to countries outside the European Economic Area must be identified and categorized according to the guarantees used. The data exporter's existing obligation to check the compatibility of the laws in the data importer's country with the provisions of the Standard Contractual Clauses and the importer's obligations to cooperate generally apply to data transfers using the Commission's Standard Contractual Clauses.

b) Nature, scope, purpose, context and recipient of the data transfer

After the initial assessment, the circumstances of each data transfer should be examined. In particular, the risk for data subjects regarding the data to be processed by the data importer should be taken into account. Here, the following criteria can be used:

  • Type of data (e.g. customer data, employee data, log files)
  • Purpose of the transfer (e.g. in the context of the fulfilment of a contract or to protect organisational interests)
  • Scope of the processing (e.g. processing of all customer data in the third country or only user IDs in the area of IT support by a subcontracted processor)
  • Context of the processing (e.g. hosting, technical support, backup, travel management)
  • Recipients (e.g. external service providers or internal group companies)

On the one hand, this classification can form the basis for examining the appropriateness of data export to the legal system in the recipient country. On the other hand, the Controller can check to what extent the transferred data should be exposed to the country-specific risk of, for example, access by public authorities without adequate legal protection.
Recommendation: Re-analysis of the personal data transferred to the third country with regard to their nature (=sensitivity of the data, e.g. whether personal data within the meaning of Article 9 GDPR are processed), the scope, the purpose, the context of the processing and the intended recipients.

c) Technical-organizational measures

As far as possible, unlawful access to transferred personal data should be prevented by appropriate technical and organizational measures (Art. 32 GDPR). For this reason, the Controller should check in particular whether protection is feasible at the technical level by using (end-to-end) encryption in accordance with the state of the art[2] with a strong cryptographic algorithm. It should also be considered to what extent the key management can be controlled by the Controller and whether data is encrypted only during transport (data in transit) or also on the data processing servers (data at rest). Only end-to-end encryption (E2EE), with keys held by the Controller, offers maximum security here.

Alternative technical-organizational measures may also be considered, such as anonymization of personal data or pseudonymization (e.g. use of a pseudonymization gateway or assignment of a data trustee). A reduction of the scope of data in the sense of data minimization in accordance with Art. 5(1)(c) GDPR can also generally reduce the risk of unauthorized access.
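The pseudonymization gateway and data minimization described above can be illustrated with a small added example (this is not code from the GDD or from any named provider). It assumes a hypothetical IT-support contractor in a third country that needs ticket identifiers, product and error codes, and a stable customer reference to correlate tickets, but no direct identifiers. The gateway runs on the Controller's side: the HMAC key and the pseudonym lookup table never leave the EU, so the importer cannot re-identify the records, while the Controller still can. The field policy and the sample tickets are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample export: two support tickets for the same customer.
# None of these values are real.
SAMPLE_TICKETS = [
    {"ticket_id": "T-1001", "customer_id": "C-42", "email": "a.example@example.org",
     "name": "A. Example", "product": "router-x", "error_code": "E17",
     "street": "Musterstr. 1"},
    {"ticket_id": "T-1002", "customer_id": "C-42", "email": "a.example@example.org",
     "name": "A. Example", "product": "router-x", "error_code": "E23",
     "street": "Musterstr. 1"},
]

# Assumed field policy for the hypothetical support contractor:
#   "keep"   - needed for the support purpose, exported as-is
#   "pseudo" - replaced by a keyed pseudonym (tickets of one customer stay correlatable)
#   not listed - dropped entirely (data minimization, Art. 5(1)(c) GDPR)
FIELD_POLICY = {
    "ticket_id": "keep",
    "product": "keep",
    "error_code": "keep",
    "customer_id": "pseudo",
}


class PseudonymisationGateway:
    """Controller-side gateway: the key and the lookup table stay with the Controller."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key
        self._lookup = {}  # pseudonym -> original value, kept only in the EU

    def pseudonymise(self, value: str) -> str:
        # Keyed hash: deterministic under the same key, so the importer can
        # correlate records, but not invertible without the key.
        mac = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        pseudonym = "P-" + mac[:24]
        self._lookup[pseudonym] = value
        return pseudonym

    def outbound(self, record: dict) -> dict:
        """Apply the field policy to one record before it leaves the EU."""
        out = {}
        for field, value in record.items():
            action = FIELD_POLICY.get(field)
            if action == "keep":
                out[field] = value
            elif action == "pseudo":
                out[field] = self.pseudonymise(value)
            # fields without a policy entry are not exported at all
        return out

    def reidentify(self, pseudonym: str) -> str:
        # Only possible on the Controller's side, where the table lives.
        return self._lookup[pseudonym]


def export_for_support(tickets, key: bytes):
    """Return the gateway (for later re-identification) and the minimized records."""
    gw = PseudonymisationGateway(key)
    return gw, [gw.outbound(t) for t in tickets]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: from the Controller's own KMS/HSM
    gw, exported = export_for_support(SAMPLE_TICKETS, key)
    for rec in exported:
        print(rec)
    print("re-identified:", gw.reidentify(exported[0]["customer_id"]))
```

The design choice worth noting is that the pseudonym is a keyed hash rather than a plain hash: an unkeyed SHA-256 of a short customer ID could be reversed by enumeration, whereas without the key held in the EU the importer (or an authority compelling it) only sees an opaque token. Key rotation invalidates old pseudonyms, so the lookup table, not the key, is what the Controller relies on for re-identification.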

d) Adequate level of data protection at the recipient of the data export

As the ECJ states in the operative part of the second part of the judgment (see No. 2 in paragraph 203), the Controller must assess whether the data importer is able to comply with the Standard Contractual Clauses, in particular whether there are disproportionate possibilities for intervention by public authorities with regard to the personal data transferred. The assessment of the adequacy of a level of protection may include further criteria. Art. 45(2) GDPR provides indications of the criteria against which a review by the data exporter can be carried out.

Recommendation: Regular reviews by the data exporter for indications of existing laws contrary to the Standard Contractual Clauses. In particular, the possibilities for access by public authorities to the data exporter's personal data and their proportionality must be evaluated with regard to the legal requirements in the EU, respectively in the data exporter's Member State.
The data importer's information and assurances can also be included in the assessment of the level of protection (e.g. that the data importer will challenge disproportionate orders that are in conflict with the GDPR). With regard to the invalidity of the EU-US Privacy Shield, there are already indications from service providers of how they have reacted to the respective legal situation and how legal conformity can be achieved.((The GDD initiated a first collection of information: https://www.gdd.de/eu-us-privacy-shield-schrems-ii-urteil/Ansichten-Softwarehersteller-AV-eu-us-privacy-shield))

e) Contractual safeguards

The Standard Contractual Clauses contain the possibility of agreeing on further guarantees for the rights and freedoms of data subjects via business-related clauses. In the case of Standard Contractual Clauses that have already been concluded, the first step is to obtain an updated confirmation from the data importer that to its knowledge there are no laws in its country that conflict with the Standard Contractual Clauses.
Recommendation: For already existing contracts: Obtaining updated confirmation from the data importer that, to its knowledge, there are no laws in the recipient country that prevent personal data from being processed in accordance with the contract. Depending on the possibility of influencing the drafting of the data protection agreement with the data importer in general, the permissibility of data access by public authorities can be made more specific by means of a business-related clause.
Recommendation (optional): Inclusion of a contractual clause that makes data access by public authorities to the data at the data importer dependent on prior transparent information and subsequent approval by the data exporter.
Recommendation (optional): Inclusion of a contractual clause making the transfer of the personal data in scope of the transfer to an authority in the third country a condition for its compatibility with the GDPR. Alternatively, in order to enable the data exporter to assess the data transfer to authorities in individual cases, a contractual clause can be used to stipulate that the data importer must obtain approval for data access by public authorities. In this way, the data exporter gains knowledge of the individual request and can check it for admissibility.

The DPA of Baden-Württemberg has published further modifications to be agreed upon concerning the Standard Contractual Clauses in its guidance "What now in matters of international data transfer?"[3] These are intended, among other things, to ensure more transparency for data subjects with regard to access to personal data by public authorities and should be checked in individual cases for their feasibility with the data importer. During the meeting of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament on September 3rd, 2020, it was however stated that new Standard Contractual Clauses should be adopted by the end of the year. A first draft is to be published shortly.[4]

f) Switching to European providers

It is to be expected that the supervisory authorities will assess in the course of their supervisory activities to what extent a change of a contractual partner or service provider and a relocation of data processing to the EU is a reasonable request towards the data exporter, especially if no additional guarantees for data subjects can be created or agreed upon. In the sense of the existing accountability obligations arising from Art. 5 (2) GDPR, considerations will have to be expressed by the data exporters. Companies are required to evaluate corresponding scenarios in advance. This should also include scenarios that involve hosting the data in the EU, even if the service provider is headquartered in a third country.

g) Views of the supervisory authorities

The possibility of exporting personal data on the basis of the Standard Contractual Clauses is currently judged differently by the German supervisory authorities, especially with regard to the United States.
Recommendation: Depending on the competence of the respective supervisory authority, opinions of the authorities on the admissibility of the transfer of data to a third country should be regularly examined by the data exporter. ((The GDD continuously monitors statements by the supervisory authorities concerning the ECJ ruling on Schrems II: https://www.gdd.de/eu-us-privacy-shield-schrems-ii-urteil/ansichten-der-aufsichtsbehoerden-eu-us-privacy-shield))

The European Data Protection Board has also prepared a FAQ on the implications of the ECJ ruling on Schrems II.((https://edpb.europa.eu/our-work-tools/our-documents/ovrigt/frequently-asked-questions-judgment-court-justice-european-union_en))

3. Adequacy decisions of the Commission

Adequacy decisions by the Commission include a legally binding statement as to whether the third country in question offers a level of data protection that is essentially equivalent to that in the European Union with regard to the protection of personal data. Since the ECJ decision only declared the EU Commission's adequacy decision regarding the EU-US Privacy Shield of July 12th, 2016 ((EU) 2016/1250) to be invalid (see no. 5 of paragraph 203 of the Schrems II ruling), the other adequacy decisions of the EU Commission remain valid:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

If - in relation to the destination country in which the data importer is located - there is a Commission adequacy decision which attests that the destination country has a level of data protection adequate to that of the EU, data exporters are not subject to any special review obligations with regard to the legal situation in the third country concerned. This is a matter for the Commission, which must evaluate its decisions on a regular basis (see Art. 45 (3) GDPR). Without prejudice to a Commission decision, the supervisory authorities are, however, free to prohibit data exports to third countries under an adequacy finding.

4. Other safeguards (Art. 46 GDPR) or derogations for specific cases (Art. 49 GDPR)

Since the ECJ's findings were limited to the EU-US Privacy Shield and the Standard Contractual Clauses, the remaining guarantees of Art. 46 GDPR and the derogations for specific cases (Art. 49 GDPR) are in principle still suitable for exporting personal data to a third country.

With regard to the wish for a short-term change of the guarantees used so far, especially with regard to the EU-US Privacy Shield Agreement, the practical peculiarities must be taken into account. The other guarantees available in the GDPR for third-country transfers are either time and cost-intensive in their implementation (e.g. the development and implementation of binding corporate rules pursuant to Art. 46 Para. 2 lit. b GDPR) or require the approval of the competent supervisory authority (e.g. the ad hoc contractual clauses pursuant to Art. 46 Para. 3 lit. a GDPR). Alternative guarantees pursuant to Art. 46 GDPR are therefore generally unsuitable for short-term legitimization of a data transfer, e.g. to the United States.

The "derogations for specific situations" pursuant to Art. 49 GDPR are already, according to their legal title, only intended for exceptional cases and are partly limited to "occasional" transfers, e.g. in the context of the consent of the data subject, the performance of a contract or the establishment, exercise or defence of legal claims (see Recital 111 GDPR). The derogations for specific cases pursuant to Art. 49 GDPR are in principle equally unsuitable for the legitimization of outsourced business processes.

  1. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
  2. E.g. https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr02102/index_htm.html
  3. https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/08/Orientierungshilfe-Was-jetzt-in-Sachen-internationaler-Datentransfer.pdf
  4. https://multimedia.europarl.europa.eu/en/committee-on-civil-liberties-justice-and-home-affairs_20200903-1345-COMMITTEE-LIBE_vd?s=09