
Germany: Data protection authorities announce closer monitoring of data transfers to the US after Schrems II

Norton Rose Fulbright - Data Protection Report blog
By Ingemar Kartheuser & Natalia Filkina (DE) on February 18, 2021

Following the CJEU’s Schrems II ruling (case C-311/18 of July 16, 2020), transfers of personal data to the US are coming under close scrutiny by the German data protection authorities. Some German data protection authorities have announced that they will take a stricter approach towards companies that fail to comply with the Schrems II requirements. The Hamburg data protection authority, which is leading a working group focusing on cloud providers, is reported to be considering regulatory sanctions should companies not be able to explain the legal grounds on which they rely to transfer personal data to the US. The Baden-Württemberg authority has gone further and stated that EU companies transferring personal data to the US are subject to a “material risk” of fines, should they not put in place adequate security measures such as encryption.

Furthermore, according to recently published minutes of a meeting, the German Datenschutzkonferenz (which is the joint body of the German data protection authorities) is considering sending out random compliance questionnaires to data exporters on how they comply with requirements on US data transfers.

Schrems II still leads to legal uncertainty

In spite of the legal uncertainties that the Schrems II ruling has brought for companies, there is still little reliable guidance on US data transfers. However, there is a great deal of discussion between market participants and institutions such as the European Data Protection Board (EDPB). The Berlin authority had already announced in November that it would obtain an expert opinion on the legal framework in the US to develop a joint approach with the other German data protection authorities on how to take action after the Schrems II ruling. However, no further details have yet been published.

Our take

Companies with headquarters in Germany or with affiliates operating from Germany should be aware that they might receive a questionnaire from their regulator. They should prepare for how they might respond.

Compliance with, or at least taking steps towards complying with, the EDPB draft Recommendations, published on 12 November 2020, will be expected.

The new developments in Germany signal a movement towards the first enforcement of the Schrems II judgment. However, we do not expect any substantial orders or fines to be made before the EDPB finalises the Recommendations or the EU Commission finalises the new Standard Contractual Clauses.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Protection Report
  • Organization:
    Norton Rose Fulbright