Data transfer to third countries? Immediate action urgently advised

In recent months, there have been isolated investigations by the data protection authorities concerning implementation of the “Schrems II” decision with regard to transfers to third countries, particularly the US. But it is now becoming clear that European data protection authorities will be launching a massive campaign to investigate third-country transfers in the coming weeks, using questionnaires, possibly resulting in numerous prohibition orders and other penalties. This article provides an overview of the background and recent developments, as well as tips on how to deal with the expected questionnaires.

What prompted this campaign by the authorities?

Almost one year has passed since the ECJ’s far-reaching “Schrems II” decision striking down the US Privacy Shield, which set rules for data transfers between the EU and the US. Since then, many companies have had to revise their former practices with regard to data transfers to third countries in order to ensure that their practices conform to the GDPR. Based on the number of questions we have received from companies, it is clear that there is still considerable need for clarification, and that more information is required from the data protection authorities. The precise status of data transfers to the US is still uncertain: the Commission has yet to issue a clear adequacy decision (Article 45 of the GDPR). As a result, companies will have to act on their own.

What recent developments have there been?

In early May, the Portuguese data protection authority issued an order prohibiting data transfers by a US company in connection with IT security services.

Hamburg’s data protection authority publicly decried “deficient enforcement” with regard to third-country transfers and announced that spot checks will be conducted in the near future across multiple Federal States.

The Bavarian Data Protection Authority (DPA) recently found that a Munich company could not use the e-mail provider Mailchimp because it had failed to conduct an assessment with regard to data transfers to the US.

Austria’s data protection authority should make a decision shortly on a complaint lodged by privacy advocate Max Schrems with regard to third-country transfers by Google. Comparable complaints have been lodged by Max Schrems in Germany as well.

Rhineland-Palatinate’s data protection authority has launched an informational campaign about data transfers to third countries, calling upon companies to take immediate action. The authority has also announced that it will be conducting spot checks and went on to state as follows:

“The landmark ruling from the European Court of Justice known as the “Schrems II” judgment affects nearly every company and every public authority, municipality, school, organization and medical practice. All of them engage in automated processing of personal data and the transfer of this data, often unknowingly, to countries outside of the European Union and/or the European Economic Area. As a result, they are on thin ice as far as data protection law is concerned. In the course of this year, it will be our task to investigate whether violations of data protection law are taking place and whether penalties will have to be imposed.”

What can we expect now?

By sending out the questionnaires, as expected, the authorities will be intensifying their investigations while at the same time placing themselves in a position to issue prohibition orders and impose additional penalties. If you receive such a questionnaire, we would therefore advise you as follows:

  1. If the letter does not contain instructions as to legal remedies (which is very likely), it is merely a request for information. In this case, the questionnaire is not an administrative act by the authorities and recipients are not required to respond under threat of penalties from the authorities.
  2. The questionnaires are intended as a preliminary measure in order to provide the authorities with an initial overview to facilitate future investigations. However, it is highly likely that the questionnaires will be followed by additional measures, particularly prohibition orders in case of supposedly unlawful third-country transfers. Accordingly, companies should take care at all times in responding to the questionnaires.
  3. Get help from an attorney if you have had little or no contact in the past with the competent authority or if you feel unsure about how to deal with the authority. We have extensive experience dealing with German and European supervisory authorities and are eager to provide any assistance you may need.
  4. The extent to which we can expect prohibition orders and additional penalties such as fines is still unclear. But in order to prevent negative consequences, controllers should immediately examine their third-country transfers, if they have not already done so, and document these examinations. If the authorities nevertheless find in the end that a violation has taken place, this documented examination may have the effect of mitigating the penalty, as the authorities have expressly stated.

What happens now?

Unfortunately, we will have to wait and see how intensive the investigations will be and how the authorities will proceed based on the results of these investigations. Policymakers are not currently expected to adopt regulations which would provide greater clarity as to the legal situation anytime soon. Therefore, companies will have to think about restructuring their processes. In light of the uncertainty concerning data transfers between the US and the EU, Microsoft recently promised that, in the future, data from the EU will be processed only on servers in the EU.

