After the ‘Schrems II’ decision of the Court of Justice of the European Union (CJEU) in July 2020, data protection authorities (DPAs) across the EU scrambled to publish guidance on how to interpret the case. One of the most prominent pieces of guidance was that of the Baden-Württemberg DPA. That guidance has recently been updated.
The Baden-Württemberg DPA’s original guidance
The DPA’s guidance included several clauses that EU data exporters were requested to conclude with non-EU data importers in addition to the EU’s (old) standard contractual clauses (SCCs) for safeguarding the transfer of personal data. Many tech companies that export data from the EU when providing their services, including Microsoft, voluntarily implemented these additional clauses – publicly known as ‘SCCs+’ – to their standard terms.
A lot has happened since then: in June this year, the EU Commission published its new SCCs, including several new obligations for data importers. And in July, after intensive debates, the European Data Protection Board (EDPB) published its final guidelines on how to follow Schrems II in practice, by implementing ‘supplementary measures’.
Considering these new circumstances, the Baden-Württemberg DPA published an updated version of its guidance in September this year.
Updated guidance: SCCs and transparency
In its updated guidance, the DPA provides a general overview of the structure of the new SCCs, which introduce a modular approach addressing four different processing scenarios (C2C, C2P, P2P, P2C). The guidance explains how to use the new SCCs and which of the modules should be used in each processing scenario.
The guidance also emphasises that data subjects must be informed of the controller's intention to transfer personal data to a third country, in accordance with Article 13 of the GDPR.
‘Practices’ in third country destinations as criterion for supplementary measures?
Under the new SCCs, a data exporter must consider practices in the third country of destination when determining the level of data protection in that country (clause 14) and, accordingly, whether any supplementary measures are required for ensuring compliance with the SCCs. According to footnote 12 of the new SCCs, for identifying these practices the data exporter must take various elements into account, most importantly relevant and documented practical experience of previous requests for disclosure by public authorities.
However, the Baden-Württemberg DPA urges caution, saying that that kind of practical experience will not necessarily satisfy the need for additional guarantees required by the CJEU. Instead, the DPA advises data exporters to implement the technical, organisational and contractual measures recommended in the EDPB’s recommendations on ‘supplementary measures’.
This seems to indicate a somewhat more restrictive view than that expressed in the EDPB recommendations: the EDPB stresses that it is not sufficient to rely solely on practical experience, but that the legal situation as a whole must be taken into account.
Recommended additions
The Baden-Württemberg DPA notes that some of its initial proposals for additions to the old SCCs are fully included in the new SCCs. However, it takes the view that there is room for improvement in the contractual safeguards provided in the new SCCs.
- First, it suggests amending clause 15(2)(a) of the new SCCs, which requires the data importer to take legal action against a disclosure of personal data to a public authority, and to disclose the data only if required by applicable procedural rules. The Baden-Württemberg DPA says the clause should clarify that an interim ruling is not sufficient. It recommends supplementing the clause to require the data importer not to disclose the data to the authority until it has been legally ordered to disclose by a competent court of final instance in the main proceedings.This should logically also be included in the third-party beneficiary clause, which allows data subjects to enforce certain clauses against the data importer or data exporter – particularly if the law of the third country imposes obligations on the data importer that are likely to run counter to contractual rules providing for appropriate protection against access by state authorities.
- Second, the Baden-Württemberg DPA recommends amending clause 8(2) of the C2C-module. The clause contains various transparency obligations designed to enable the data exporter to fully inform the data subject of the circumstances of the third-country transfer. The DPA recommends adding to this clause an obligation on the data importer to notify the data subject, if known, of the engagement of a further sub-processor. This should also be included in the third-party beneficiary clause.
Outlook – and post-Brexit developments
While many DPAs have been silent on further measures after the EDPB issued its final recommendations, the Baden-Württemberg DPA is the first DPA to suggest further concrete contractual additions. It remains to be seen whether these additions will become as relevant in practice as the DPA’s previous suggested additions. However, it is worth noting that the EDPB considers contractual measures less protective than technical measures (to the extent they can be implemented).
Meanwhile, EU and UK data controllers and processors should also monitor developments in the UK. The UK Information Commissioner’s Office is currently reviewing input it received on its plans for a UK data transfer agreement and transfer impact assessment, following a consultation earlier this year. And the government is consulting on proposed changes to UK data protection law. Among other things, the consultation suggests making the rules on data export more flexible. The EU Commission will be monitoring these developments too: if UK law diverges too far from the EU GDPR the Commission might reconsider its adequacy decision that allows data to be exported to the UK.
