International data transfers: data protection authorities launching investigations and sending out questionnaires

Threat of prohibition orders and fines

Data protection authorities in several German Federal States have recently announced (only in German) that they will be investigating data transfers by companies based in countries outside the EU or the European Economic Area (third countries) as part of a coordinated enforcement campaign. The authorities taking part in these investigations, which will be conducted by means of questionnaires, will include the data protection authorities in Bavaria (PDF only in German), Baden-Wuerttemberg, Berlin, Hamburg, Lower Saxony, Rhineland-Palatinate, Brandenburg (only in German) and Saarland. The investigations will serve to enforce compliance with the requirements established by the ECJ in its “Schrems II” decision of 16 July 2020 (Case No. C-311/18) for international data transfers.

Background: core statements of the “Schrems II” decision

In its “Schrems II” decision last summer, the ECJ raised the standards for data transfers to third countries (particularly the US) considerably, ruling that the EU-US Privacy Shield is invalid as an adequacy decision for the exchange of data between the EU and the US and at the same time setting strict requirements for the use of standard contractual clauses as the basis for data transfers to third countries. Under the ECJ’s ruling, controllers using standard contractual clauses are required to check in advance whether those clauses ensure an adequate level of data protection. The applicable standard for this assessment is European law, and particularly the EU Charter of Fundamental Rights. Controllers which are unable to ensure an adequate level of data protection are required to create additional safeguards, which may be difficult to accomplish, particularly for data transfers to the US, given the powers of the US security authorities to access data.

Approach of the data protection authorities

The data protection authorities of the various Federal States will be approaching companies based on joint questionnaires (only in German) in order to determine whether controllers are implementing the “Schrems II” decision. The questionnaires which have been published to date focus on the following areas:

But the individual authorities also have the option of taking an individualized approach. For example, they can decide which areas to focus their investigation on and how many of which questionnaires they will send out to controllers. Notably, however, the data protection authorities apparently do not currently intend to conduct an investigation specifically devoted to third-country transfers in connection with video conferencing services and other collaboration solutions (only in German), presumably in light of the coronavirus pandemic.

Moreover, our analysis of the questionnaires indicates that their subject matter will be limited to determining whether controllers are following the recommendations of the data protection authorities with regard to implementation of the “Schrems II” decision, like the questionnaires recently sent out by the Hamburg data protection authority concerning Office 365. However, controllers should not take this as a reason to underestimate the questionnaires.

What consequences do companies need to fear and what can they do now?

Possible consequences of the investigations which have recently been initiated, as the data protection authority of Rhineland-Palatinate has announced, include prohibition orders as well as other possible penalties, such as fines. The ECJ’s “Schrems II” decision has established new principles for third-country transfers which affect nearly every company, as almost every company engages in the transfer of personal data to third countries, whether knowingly or unknowingly.

Those who receive a questionnaire are therefore advised as follows:

  • If the letter does not contain instructions as to legal remedies (which is to be expected based on what we now know), it is merely a request for information. In this case, the questionnaire does not have the character of an administrative act and recipients cannot be required to respond under threat of penalties from the authorities.
  • The questionnaires serve to provide an initial overview. However, it is highly likely that they will be followed by additional measures, particularly prohibition orders. Accordingly, companies should take care at all times in responding to the questionnaires.
  • Get help from an attorney if you have had little or no contact in the past with the competent authority or if you feel unsure about how to deal with the authority. We have extensive experience dealing with German and European supervisory authorities and are eager to provide any assistance you may need.
  • Given the threat of prohibition orders and additional penalties, such as fines, even companies which have not yet received questionnaires would be well-advised to immediately examine their third-country transfers, if they have not already done so, and to document these examinations. If the authorities nevertheless find in the end that a violation has taken place, this documented examination may have the effect of mitigating the penalty, as the authorities have expressly stated.

If you have received a questionnaire or require legal assistance in connection with data transfers to third countries, please contact the Co-Head of our Digital Business Unit, Attorney Stefan Hessel.

More information about the ECJ’s “Schrems II” decision and possible actions by the data protection authorities can also be found in our article titled “Data transfer to third countries? Immediate action urgently advised.”

