International data transfers: data protection authorities launching investigations and sending out questionnaires
Threat of prohibition orders and fines
Data protection authorities in several German Federal States have recently announced (only in German) that they will be investigating data transfers by companies based in countries outside the EU or the European Economic Area (third countries) as part of a coordinated enforcement campaign. The authorities taking part in these investigations, which will be conducted by means of questionnaires, will include the data protection authorities in Bavaria (PDF only in German), Baden-Wuerttemberg, Berlin, Hamburg, Lower Saxony, Rhineland-Palatinate, Brandenburg (only in German) and Saarland. The investigations will serve to enforce compliance with the requirements established by the ECJ in its "Schrems II" decision of 16 July 2020 (Case No. C-311/18) for international data transfers.
Background: core statements of the "Schrems II" decision
In its "Schrems II" decision last summer, the ECJ raised the standards for data transfers to third countries (particularly the US) considerably, ruling that the EU-US Privacy Shield is invalid as an adequacy decision for the exchange of data between the EU and the US and at the same time setting strict requirements for the use of standard contractual clauses as the basis for data transfers to third countries. Under the ECJ's ruling, controllers using standard contractual clauses are required to check in advance in order to determine whether those clauses ensure an adequate level of data protection. The applicable standard for this assessment is European law, and particularly the EU Charter of Fundamental Rights. Controllers which are unable to ensure an adequate level of data protection are required to create additional safeguards, which may be difficult to accomplish particularly for data transfers to the US, given the powers of the US security authorities to access data.
Approach of the data protection authorities
The data protection authorities of the various Federal States will be approaching companies based on joint questionnaires (only in German) in order to determine whether controllers are implementing the "Schrems II" decision. The questionnaires which have been published to date focus on the following areas:
- use of service providers for sending e-mails (PDF only in German);
- use of service providers for hosting websites (PDF only in German);
- use of web tracking (PDF only in German);
- use of service providers to manage data from job applicants (PDF only in German); and
- internal exchange of customer and employee data (PDF only in German).
But the individual authorities also have the option of taking an individualized approach. For example, they can decide which areas to focus their investigation on and how many of which questionnaires they will send out to controllers. Notably, however, the data protection authorities apparently do not currently intend to conduct an investigation specifically devoted to third-country transfers in connection with video conferencing services and other collaboration solutions (only in German), presumably in light of the coronavirus pandemic.
Moreover, our analysis of the questionnaires indicates that their subject matter will be limited to determining whether controllers are following the recommendations of the data protection authorities with regard to implementation of the "Schrems II" decision, like the questionnaires recently sent out by the Hamburg data protection authority concerning Office 365. However, controllers should not take this as a reason to underestimate the questionnaires.
What consequences do companies need to fear and what can they do now?
Possible consequences of the investigations which have recently been initiated, as the data protection authority of Rhineland-Palatinate has announced, include prohibition orders as well as other possible penalties, such as fines. The ECJ's "Schrems II" decision has established new principles for third-country transfers which affect nearly every company, as almost every company engages in the transfer of personal data to third countries, whether knowingly or unknowingly.
Those who receive a questionnaire are therefore advised as follows:
- If the letter does not contain instructions as to legal remedies (which is to be expected based on what we now know), it is merely a request for information. In this case, the questionnaire does not have the character of an administrative act and recipients cannot be required to respond under threat of penalties from the authorities.
- The questionnaires serve to provide an initial overview. However, it is highly likely that they will be followed by additional measures, particularly prohibition orders. Accordingly, companies should take care at all times in responding to the questionnaires.
- Get help from an attorney if you have had little or no contact in the past with the competent authority or if you feel unsure about how to deal with the authority. We have extensive experience dealing with German and European supervisory authorities and are eager to provide any assistance you may need.
- Given the threat of prohibition orders and additional penalties, such as fines, even companies which have not yet received questionnaires would be well-advised to immediately examine their third-country transfers, if they have not already done so, and to document these examinations. If the authorities nevertheless find in the end that a violation has taken place, this documented examination may have the effect of mitigating the penalty, as the authorities have expressly stated.
If you have received a questionnaire or require legal assistance in connection with data transfers to third countries, please contact the Co-Head of our Digital Business Unit, Attorney Stefan Hessel.
More information about the ECJ's "Schrems II" decision and possible actions by the data protection authorities can also be found in our article titled "Data transfer to third countries? Immediate action urgently advised."