Much has been made of the Schrems II judgment and the impact it has on the international transfer of data. It is clear significant due diligence is necessary when transferring data outside the UK or EU/EEA, particularly around considering surveillance regimes in the recipient country. The European Data Protection Board’s (EDPB) recommendations from November 2020 aim to give clarity to what is required under the GDPR, however, within a week we had a court ruling from France holding transfers to the US were legal and a Data Protection Authority (DPA) in Germany holding transfers to the US were illegal. As ever each case turns on its facts...
Bavarian Data Protection Authority decision
Starting with the more recent decision from Germany, the Bavarian DPA investigated when a data subject complained about their data being transferred to the US, as they did not believe it was adequately protected. The controller, a Bavarian publisher, used mailchimp, a US e-mail marketing service, to provide e-mail newsletter services to subscribers. The controller relied on the EU’s standard contractual clauses (SCCs) for the transfer of the email addresses from Germany to the US, so that mailchimp could provide the services directed to German customers on its behalf.
In this particular instance it was held that the transfer was impermissible as there were insufficient safeguards in place in relation to the transfer of email addresses to mailchimp in the US. In other words the controller had failed to assess the risk and implement supplementary measures as required by the Schrems II judgment.
The Bavarian DPA reached this decision as they found that mailchimp could qualify as an “electronic communication service provider” under US surveillance law, i.e. Foreign Intelligence Surveillance Act 702, and therefore the transfer required not only SCCs but the relevant supplementary measures, “if possible and sufficient to remediate the problem”, i.e. to prevent or mitigate access to the data by surveillance agencies. They therefore held the transfer of the data was unlawful.
However, no fine was imposed as:
- the final version of the EDPB’s recommendations on supplementary measures had not been issued (at the date of the complaint);
- the controller had only used mailchimp twice, and therefore the use was limited, and the type of personal data involved (email addresses) was considered low in sensitivity; and
- the controller co-operated with the investigation and committed to stop using mailchimp’s services immediately.
It is important to note that the Bavarian DPA did not find using mailchimp in itself unlawful, rather the lack of assessment and therefore the lack of supplementary measures were the problem in this matter.
Conseil d’Etat judgment
Meanwhile the highest administrative court in France, the Conseil d’Etat, held that personal data on a platform used to book Covid-19 vaccinations was sufficiently protected under GDPR. Although sensitive health data was involved, the processor was a subsidiary of a US company, and the data was held in France and Germany by a company established in Luxembourg, the key difference here was the parties had put in place sufficient legal and technical safeguards, including those to specifically deal with the situation of an access request by a US authority.
In this case although no transfer of data to the US was ever intended, the court held it was right to assess the risk of access by US authorities as although the processor was based in the EU, and the data was to be held there, the processor was a subsidiary of a US company.
So what does this mean?
Although different conclusions were reached in different countries, it is clear that when transferring personal data outside the UK or EU/EEA controllers will need to be able to demonstrate they have undertaken the necessary due diligence. In particular, the controller should be able to show they have assessed the surveillance laws of the recipient processor’s country (or that of any sub-processors), and where they are incompatible with UK or EU law demonstrate which appropriate supplementary measures they have put in place to ensure the protection of the personal data being transferred.
Many businesses use US based technology companies or their EU subsidiaries for data processing activities and these cases emphasise the importance continental courts and DPAs will place on this risk assessment and any mitigations. Practically, there is a greater onus on processors to assist controllers by providing information when they are assessing the potential risk and possible supplementary measures that can be implemented to address it. Processors who are proactive in their approach may find they have a competitive advantage over those who do not engage with such an assessment.
"The European Data Protection Board’s (EDPB) recommendations from November 2020 aim to give clarity to what is required under the GDPR, however, within a week we had a court ruling from France holding transfers to the US were legal and a Data Protection Authority (DPA) in Germany holding transfers to the US were illegal. As ever each case turns on its facts..."