Data Transfers: Post-Schrems II guidance from the LfDI Baden-Württemberg

In the wake of the Court of Justice of the European Union’s (‘CJEU’) judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case-311/18) (‘the Schrems II Case’), the future of international data transfers hangs in the balance, with EU supervisory authorities playing a crucial role in shaping the case’s impact. Dr. Carlo Plitz and Philipp Quiel, Partner and Senior Associate respectively at reuschlaw Legal Consultants, discuss recent guidelines (‘the Guidelines’) issued by the Baden-Württemberg data protection authority (‘LfDI Baden-Württemberg’), covering topics such as additional measures usable when transferring data to the US through Standard Contractual Clauses (‘SCCs’), among other things.

On 24 August 2020, the LfDI Baden-Württemberg published the Guidelines, addressing international data transfers following the the Schrems II Case. The Guidelines explain under which conditions data transfers to third countries are legal, provide a checklist for companies transferring data, and recommend additional safeguards and changes to specific clauses of the SCCs that could ensure compliance with Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In the following, the Guidelines of the LfDI Baden-Württemberg are summarised, as well as the next steps companies should take according to the Guidelines and which enforcement actions the LfDI Baden-Württemberg plans to take.

Opinion of the LfDI Baden-Württemberg

As one of the first statements, the Guidelines recall what has been written and said many times after the judgment was published: data transfers based solely on the EU-U.S. Privacy Shield (‘the Privacy Shield’) are no longer lawful, since the Privacy Shield was declared invalid by the CJEU with immediate effect. In contrary to what companies that are located in the US may hear from the U.S. Department of Commerce, data importers continuing to rely on the Privacy Shield is not of help for ensuring that data transfers meet the conditions set out in Chapter V of the GDPR. The Guidelines stress that the Privacy Shield is not a valid transfer mechanism anymore and that if companies continue to rely on it, they are illegally transferring data and are risking fines and compensation for damages.

The Guidelines also emphasise that, in general, SCCs are valid, but that it must be ensured that the level of protection in the third country is appropriate in relation to the level of protection guaranteed under EU law. This makes sense, since under the SCCs both contractual parties agree to follow applicable European data protection laws; that is, the GDPR.

Within the Guidelines, it is also made clear once more that in order to be able to rely on SCCs or other appropriate safeguards such as Binding Corporate Rules (‘BCRs’), there must also exist enforceable data subject rights and effective legal remedies for data subjects in the third country. The Guidelines stipulate that SCCs cannot bind authorities of third countries. It also recalls marginal 135 of the CJEU’s judgment and highlights the importance of being aware of national laws which conflict with obligations under the SCCs. In cases where authorities, in accordance with the law in the third country, are authorised to intervene in the rights of data subjects, additional safeguards must be implemented. If in those cases, additional safeguards are not implemented, then there is no adequate level of protection. The Guidelines emphasise that this must be assessed on a case-by-case basis, taking into account whether the law of a respective third country provides enough protection and, where this is not the case, implementing additional measures to ensure an adequate level of protection.

Regarding the territorial scope of the implications of the CJEU’s judgment, the Guidelines stress that this extends beyond data transfers to the US, also impacting every third country without an adequacy decision in the meaning of Article 45 of the GDPR. However, the Guidelines also explicitly mentions that the situation regarding data transfers to the US is currently very complicated: ‘Using SCCs is therefore only possible for transfers to the USA in very limited cases and only with additional guarantees (e.g. encryption).’ Companies must be able to protect data from access by US intelligence agencies and for that should consider using:

encryption, where only the data exporter has the key, and which cannot be broken even by US services; and/or
anonymisation or pseudonymisation, where only the data exporter can match the information with the data subject.

It is positive to note that the Guidelines make a concrete proposal here. Nevertheless, it remains unclear to what extent companies can effectively protect data from being accessed by intelligence agencies.

As one possible transfer mechanism, the Guidelines refer to Article 49(1) of the GDPR, but at the same time also recall the narrow interpretation of the scope of Article 49 by European Data Protection Board (‘EDPB’) within the Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679². In general, the Guidelines stress that an exception should not become the rule. As an example of a data processing activity for which Article 49(1) of the GDPR can be used as transfer mechanism, the Guidelines refer in abstract to data transfers within company groups.