It has been almost a year since the Court of Justice of the European Union (CJEU) issued its well-known Schrems II decision which invalidated the Privacy Shield for data transfers between the EU and US. The Court established that if Standard Contractual Clauses (SCCs) are used instead, the sending party must examine privacy laws in the recipient country to ensure that SCCs are enforceable and adopt appropriate supplemental technical and organisational safeguards, such as encryption, anonymisation and internal policies for data transfers. These conditions fully apply to the newly adopted SCCs as well.
Despite putting new compliance requirements on data controllers and processors, the Schrems II decision did not provide for any grace period. On the contrary, it obliged supervisory authorities to prevent inadmissible transfers and to respond with regulatory measures where necessary. And although it might have seemed for a little while, that an “unofficial grace period” has been provided by supervisory authorities, that is not true anymore.
In mid-March 2021, Bavaria Data Protection Authority (DPA) barred a European online magazine from using the popular US-based newsletter delivery service Mailchimp as this required the EU company to transfer personal data (email addresses of the recipients) to Mailchimp servers in the US. While this was previously possible under the Privacy Shield, now the EU company had to use SCCs and assess whether additional safeguards might be needed. Unfortunately, the company did not implement additional safeguards and was thus in violation of Schrems II. In this case, the Bavarian DPA did not impose a fine or issue an official decision – it simply informed them that the transfer was not GDPR compliant. This case can therefore serve as a good warning to EU companies transferring data to US cloud providers as it is unlikely that the German DPAs would be similarly lenient in the future.
In fact, in an effort to enforce the Schrems II decision, on 1 June 2021, German DPAs announced they are starting a coordinated audit of international data transfers. Until now, nine DPAs out of 16 are participating in this audit by sending out questionnaires to selected companies in their respective regions. Published in German, the questionnaires cover five topics (Applicant portals, Intra-group data traffic, Mailhoster, Tracking and Web host), designed to provide the DPAs with enough detail to assess companies’ compliance with international data transfers.
Among other responses, companies must also state why they concluded that the recipient country provides sufficient guarantees as to the data protection or on the contrary why not, and in that case what additional safeguards they have implemented along with providing copies of all relevant parts of their record of processing related to the topics of the questionnaires.
While other EU DPAs may not be using audit initiatives, SCCs and Schrems II enforcement are firmly in their purview. For example, the Spanish DPA (AEPD) recently imposed a €2 million fine for Vodafone’s violation of Article 44 of the GDPR which governs transfers to third countries not covered by adequacy decisions, in this case to Peru. The issue was that the contract between the sending and receiving party did not contain certain mandatory contractual clauses.
Similarly, the Portuguese DPA (CNPD) ordered the National Institute of Statistics (INE) to suspend all international transfers of personal data from the Census 2021 to the US or other third countries without adequate protection levels. It outsourced the operation of the census questionnaire to California-based, Cloudflare. Under the service agreement, INE sent data to the US and although SCCs were used for the transfer, additional guarantees for their enforcement were missing. In line with the Schrems II decision, this led the CNPD to immediately suspend the data flow.
All the above-described actions undoubtedly demonstrate that supervisory authorities are taking the enforcement of the Schrems II seriously and we can only expect similar efforts from other DPAs. It is also clear that the mere signing of SCCs is not sufficient. Having SCCs in place is the bare minimum which must be supplemented by proper examination of the privacy laws in the receiving country and appropriate organisational and technical safeguards. Given the difficulty of GDPR compliance in this matter, an appropriate organisational safeguard, among others, is Data Protection Officer (DPO) oversight of adequacy of international data transfers.
HewardMills, a global DPO, helps organisations operating in the EU with their efforts to be GDPR compliant when transferring data to third countries, thus avoiding fines and other undesired regulatory measures. HewardMills’ data privacy consultants located around the world properly assess the regulatory requirements of the recipient country and propose adequate technical and organisational safeguards as well as regularly audit them. Specifically for Germany, HewardMills also provides significant support for answering the Schrems II audit questionnaires. Considering that supervisory authorities may suspend the flow of data in the case of non-compliance in addition to imposing fines, organisations must appreciate the gravity of appropriate measures to adhere to the Schrems II requirements.
Please contact your HewardMills client team for further information or send an email to firstname.lastname@example.org
By Katarina Sivakova