Data transfer to third countries? Immediate action urgently advised

Stefan Hessel

In recent months, there have been isolated investigations by the data protection authorities concerning implementation of the "Schrems II" decision with regard to transfers to third countries, particularly the US. It is now becoming clear, however, that European data protection authorities will launch a massive campaign in the coming weeks to investigate third-country transfers using questionnaires, which may result in numerous prohibition orders and other penalties. This article provides an overview of the background and recent developments, as well as tips on how to deal with the expected questionnaires.

What prompted this campaign by the authorities?

Almost one year has passed since the ECJ's far-reaching "Schrems II" decision striking down the US Privacy Shield, which set rules for data transfers between the EU and the US. Since then, many companies have had to revise their former practices with regard to data transfers to third countries in order to ensure that their practices conform to the GDPR. Based on the number of questions we have received from companies, it is clear that there is still considerable need for clarification, and that more information is required from the data protection authorities. The precise status of data transfers to the US is still uncertain: the Commission has yet to issue a clear adequacy decision (Article 45 of the GDPR). As a result, companies will have to act on their own.

What recent developments have there been?

In early May, the Portuguese data protection authority issued an order prohibiting data transfers by a US company in connection with IT security services.

Hamburg's data protection authority publicly decried "deficient enforcement" with regard to third-country transfers and announced that spot checks will be conducted in the near future across multiple Federal States.

The Bavarian Data Protection Authority (DPA) recently found that a Munich company could not use the e-mail provider Mailchimp because it had failed to conduct an assessment with regard to data transfers to the US.

Austria's data protection authority should make a decision shortly on a complaint lodged by privacy advocate Max Schrems with regard to third-country transfers by Google. Comparable complaints have been lodged by Max Schrems in Germany as well.

Rhineland-Palatinate's data protection authority has launched an informational campaign about data transfers to third countries, calling upon companies to take immediate action. The authority has also announced that it will be conducting spot checks and went on to state as follows:

 "The landmark ruling from the European Court of Justice known as the "Schrems II" judgment affects nearly every company and every public authority, municipality, school, organization and medical practice. All of them engage in automated processing of personal data and the transfer of this data, often unknowingly, to countries outside of the European Union and/or the European Economic Area. As a result, they are on thin ice as far as data protection law is concerned. In the course of this year, it will be our task to investigate whether violations of data protection law are taking place and whether penalties will have to be imposed."

What can we expect now?

By sending out the questionnaires, as expected, the authorities will be intensifying their investigations while at the same time placing themselves in a position to issue prohibition orders and impose additional penalties. If you receive such a questionnaire, we would therefore advise you as follows:

  1. If the letter does not contain instructions as to legal remedies (which is very likely), it is merely a request for information. In this case, the questionnaire is not an administrative act by the authorities and recipients are not required to respond under threat of penalties from the authorities.
  2. The questionnaires are intended as a preliminary measure in order to provide the authorities with an initial overview to facilitate future investigations. However, it is highly likely that the questionnaires will be followed by additional measures, particularly prohibition orders in case of supposedly unlawful third-country transfers. Accordingly, companies should take care at all times in responding to the questionnaires.
  3. Get help from an attorney if you have had little or no contact in the past with the competent authority or if you feel unsure about how to deal with the authority. We have extensive experience dealing with German and European supervisory authorities and are eager to provide any assistance you may need.
  4. The extent to which we can expect prohibition orders and additional penalties such as fines is still unclear. But in order to prevent negative consequences, controllers should immediately examine their third-country transfers, if they have not already done so, and document these examinations. If the authorities nevertheless find in the end that a violation has taken place, this documented examination may have the effect of mitigating the penalty, as the authorities have expressly stated.

What happens now?

Unfortunately, we will have to wait and see how intensive the investigations will be and how the authorities will proceed based on the results of these investigations. Policymakers are not currently expected to adopt regulations which would provide greater clarity as to the legal situation anytime soon. Therefore, companies will have to think about restructuring their processes. In light of the uncertainty concerning data transfers between the US and the EU, Microsoft recently promised that, in the future, data from the EU will be processed only on servers in the EU.

[May 2021]