Guidance: What now in terms of international data transfer?

The LfDI provides guidance and defines its further course of action in response to the judgment of the European Court of Justice (ECJ) of 16 July 2020, Case C-311/18 ("Schrems II").

  • What is it about?
    • Background:
      A legal dispute between a private individual (Maximilian Schrems) and the Irish regulatory authority regarding the transfer of his personal data by Facebook Ireland to Facebook's parent company in the USA

      Key statements:
      • The General Data Protection Regulation (GDPR) is also applicable to the transfer of personal data to a third country in cases where, for reasons of national security or defense, access by the secret services of that country is necessary.

        The exceptions in Art. 2 (2) a, b, d of the GDPR apply only to the Member States.
      • The so-called "Privacy Shield", an adequacy decision of the Commission under Art. 45 GDPR (2016/1250 of 12.07.2016, still referring to the Data Protection Directive 95/46/EC), by which the Commission decided in 2016 that the USA provided an adequate level of protection for the data of natural persons under certain circumstances and thereby made the transfer of data to the USA generally possible, is invalid with immediate effect.

        Due to the powers of the US secret services and the legal situation in the USA, an adequate level of data protection cannot be guaranteed, for reasons including the following:
        • Section 702 of the Foreign Intelligence Surveillance Act (FISA) does not provide for any restrictions on the surveillance measures of the secret services and provides no guarantees for non-US citizens
        • Presidential Policy Directive 28 (PPD-28) does not provide effective remedies against measures taken by U.S. authorities and does not provide safeguards that would ensure that such measures are proportionate
        • the ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive and cannot issue binding orders to the secret services
      • The standard contractual clauses adopted by the Commission in 2010 (2010/87/EU of 05.02.2010), Art. 46 (2) c GDPR, remain valid.
        However:
        A level of protection for personal data must be ensured which is equivalent to that in the European Union.


        • They must be interpreted in the light of the EU Charter of Fundamental Rights and with regard to Article 46(1) of the GDPR: appropriate guarantees from the controller and processor, enforceable rights and effective remedies for data subjects
        • Not only the contractual relationship between data exporter and data importer is relevant here, but also the possibility of access to the data by authorities of the third country and the legal system of that country in general (legislation and jurisprudence, administrative practice of authorities)
        However, the standard contractual clauses cannot bind the authorities of the third country and therefore do not provide adequate protection in cases where the authorities are empowered under the law of the third country to intervene in the rights of data subjects without additional measures being taken by the parties.

        The data controller must assess on a case-by-case basis whether the law of the third country provides an adequate level of protection and take appropriate additional measures or agree upon them with the data importer.


        • in cases where the controller cannot provide suitable protection even with additional measures, he must suspend / terminate the transfer
        • this applies in particular if the law of the third country imposes obligations on the data importer that are likely to contravene contractual rules providing for appropriate protection against access by state authorities
      • If such an adequate level of protection is not ensured, the data protection supervisory authority must suspend or prohibit the transfer of data if the protection cannot be achieved by other means.
  • Who is affected by the court's decision?
    • The judgment of the European Court of Justice initially has only an inter partes effect and is therefore formally binding only on the Irish court that made the reference. In practice, however, it is already binding on all authorities and courts of the Member States that are dealing with the same question of interpretation, since they must interpret and apply the GDPR in accordance with the case law of the ECJ.

      If the ECJ declares a Community legal act (such as the Privacy Shield) invalid, all courts and authorities in all Member States are bound by it and thus also all companies subject to EU law (erga omnes effect).

      In this respect, the decision affects all public authorities and companies that transfer data to the USA, especially if they have previously based the transfer on the Privacy Shield, but also if they have used standard contractual clauses for this purpose (more details below).

      Examples (non-exhaustive):
      • You are in commercial relations with companies based in the USA and exchange personal data with them relating to customers (delivery addresses, complaints, orders, etc.) or your employees (contracts, networks, etc.)
      • You store data in a cloud hosted by a company in the USA outside the EU.
      • You use a videoconferencing system from a US provider that collects data on participants and transmits it to the USA.
    • At the same time, the ruling contains general statements on the use of standard contractual clauses for the transfer of data to third countries, so that all public authorities and companies that transfer data not to the USA but to another third country are also affected by the ruling.

      Example: You transfer data to the United Kingdom.

      The effects of the court decision are therefore conceivably extensive.
  • What does the ruling mean in practical terms? / What is to be done?
    • If you transfer data to the USA or use a processor who transfers data to the USA:
      • the Privacy Shield no longer constitutes a valid legal basis for the transfer; any data transfers nevertheless carried out are illegal and may result in fines and claims for damages.
      • Although a transfer based on standard contractual clauses is conceivable, it will only rarely meet the requirements that the ECJ has set for an effective level of protection:
        In this case, the controller must provide additional guarantees that effectively prevent access by the US secret services and thus protect the rights of the data subjects; this would be conceivable in the following cases:

        • Encryption in which only the data exporter has the key and which cannot be compromised even by US secret services
        • Anonymisation, or pseudonymisation where only the data exporter is able to re-identify the data subjects
      • Transfer under Article 49 of the GDPR is conceivable; however, the overall restrictive character of this provision must be taken into account here, please see also Guidelines 2/2018 on the exceptions under Article 49 of Regulation 2016/679 of the European Data Protection Committee (EDSA) of 25 May 2018, available at https://edpb.europa.eu/our-work-tools/our-documents/directrices/guidelines-22018-derogations-article-49-under-regulation_de:

        • The wording of the title "Exemptions for specific cases": Exceptional nature of Art. 49 as a derogation from the prohibition of transfers to third countries where an adequate level of data protection is not provided
        • for Art. 49 (1) subparas. 1 b, c and e GDPR (necessary for the contract or to assert legal claims) additionally:
          wording of Recital 111: "occasional" data transfers, not systematically repeated
        • even more restrictive: Art. 49 (1) subpara. 2 for cases where there is no exception for specific cases (transfer not repeated, only a limited number of data subjects, necessary to safeguard the controller's compelling legitimate interests, no overriding interest nor the rights and freedoms of the data subject)
        • In addition, according to Art. 49 (3) GDPR, Art. 49 (1) subparas. 1 a, b and c as well as (2) do not apply to public authorities when exercising their sovereign powers
    • If you transfer data to another third country:
      In this case, you should check the legal situation in the country in question, especially with regard to the access possibilities of the secret service and the rights and legal protection possibilities to which the data subject is entitled, and also include the supplements to the guarantees of the standard contractual clauses mentioned under IV.
  • Where and how to start? / Checklist

    You should immediately
    • make an inventory of the cases in which your company/authority exports personal data to third countries;
      These also include cases in which private or public entities in third countries can access data held by you; a physical export of the data is not necessary.
    • contact your service provider/contract partner in the third country and inform them about the decision of the ECJ and its consequences
    • inform yourself about the legal situation in the third country (public bodies such as the data protection supervisory authorities, the European Data Protection Committee (EDSA), the EU Commission or the Federal Foreign Office should be able to provide assistance)
    • verify whether there is an adequacy finding for the third country in accordance with Art. 45 GDPR
      For the USA, this has now been declared invalid, but for Argentina, Canada, Japan, New Zealand or Switzerland, for example, this possibility still exists; see the detailed list here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en; if necessary, you can also rely on binding corporate rules (BCRs) pursuant to Art. 47 GDPR
    • verify whether you can use the standard contractual clauses adopted by the Commission for the country in question (Art. 46 (2) c GDPR) - these are available at https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX%3A32010D0087.

      This is to be denied if authorities or other bodies in the third country can interfere in a disproportionate manner with the rights of the data subjects (e.g. mass retrieval of data without informing the data subjects and without procedural safeguards such as a requirement of prior judicial authorisation) and there is no effective legal protection for the data subjects.

      This was denied by the ECJ in the case of the USA. A transfer of data using the standard contractual clauses is therefore only possible for the USA in very limited cases, with the help of additional guarantees (e.g. encryption, see above and below).
    • verify whether you can transfer the data to the relevant country using the standard contractual clauses and additional guarantees

      This includes in particular considering whether you can avoid transmission or access by others (encryption, an agreement that the data is hosted in a Member State in which the GDPR applies, or that no data is transmitted to the USA)

      In order to demonstrate and document your willingness to act in accordance with the law, you should also contact the respective recipient of the data and agree in particular on the following changes to the provisions of the standard contractual clauses:
      • Amendment of Annex Clause 4f: Informing the data subject, not only in case of transfers of special categories of data, but also in case of any transfer (before or as soon as possible after the transfer) that his or her data will be transferred to a third country which does not provide an adequate level of protection within the meaning of Regulation (EU) 2016/679
      • Amendment of Annex Clause 5d i: obligation of the data importer to inform not only the data exporter but also the data subject without delay of any legally binding requests by an enforcement authority to disclose the personal data; if this disclosure of information is otherwise prohibited, e.g. by a criminal law prohibition to maintain the confidentiality of criminal investigations, you must contact the LfDI supervisory authority to clarify how to proceed
      • Addition to Annex Clause 5d to include an obligation on the data importer to take legal action against the disclosure of personal data and to refrain from disclosing personal data to the relevant authorities until a competent court of last instance has issued a final judgment ordering the disclosure of the data
      • Amendment of Annex Clause 7(1), only addition of (b): Referral to the courts of the Member State where the data exporter has established itself, to deal with the dispute, in the event that a data subject asserts rights as third-party beneficiary and/or claims for damages against the data importer on the basis of the contractual clauses
      • Inclusion of the example of a compensation clause set out in Annex 2:

        Liability
        The parties agree that in the event that one party is held liable for a breach of the clauses committed by the other party, the other party will compensate the party held liable for all costs, damages, expenses and losses incurred by the breaching party to the extent that the breaching party is liable.
        The compensation shall be subject to
        (a) that the data exporter immediately notifies the data importer of any claim for compensation; and
        (b) that the data importer has the opportunity to cooperate with the data exporter in defending the claim for damages or agreeing on the amount of damages.

In the event that data transfer would not be permissible after these verification steps, the last resort would be to transfer data in accordance with the exceptional provision of Art. 49 GDPR.

This can be considered in particular in the case of data transfers within a corporate group or in the case of individual contractual relationships. In this case, it would have to be examined whether the restrictive character of the provision does not prevent the transfer.

The main focus of the further procedure of the LfDI Baden-Württemberg is to examine whether there are reasonable alternatives without transfer problems in addition to the service provider/contract partner you have chosen. If you are unable to convince us that the service provider/contract partner with transfer problems you are using is irreplaceable in the short and medium term by a reasonable service provider/contract partner without transfer problems, the LfDI Baden-Württemberg will prohibit the transfer of data.

We are aware of the fact that the ECJ ruling could possibly result in extreme burdens for individual companies. The LfDI will base its further action on the principle of proportionality. We will continue to monitor developments and will continuously review and develop our positions accordingly.


SOURCE:
IAPP News article: https://iapp.org/news/a/germanys-bfdi-releases-data-transfer-guidance/

Original in German: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/08/LfDI-BW-Orientierungshilfe-zu-Schrems-II.pdf