On 16 July 2020, the European Court of Justice (“CJEU”) published its decision invalidating the EU-U.S. Privacy Shield and setting out enhanced requirements for using the so-called Standard Contractual Clauses for Processors (Decision 2016/1250 – “SCCs”) (judgement C-311/18 – “Schrems II”). See our previous blog post on the Schrems II decision for further details. Shortly thereafter, the European Data Protection Board (“EDPB”) adopted FAQs (see our follow-up blog post), which mainly focused on how to conduct the required risk assessment in connection with the SCCs.
Whereas the CJEU was very clear that companies need to act in order to remain in compliance with the GDPR’s requirements for cross-border data transfers, companies found themselves scrambling to make sense of the rather abstract guidance provided by the CJEU and the EDPB.
On 24 August, the Data Protection Supervisory Authority for the State of Baden-Wuerttemberg (Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg, “Supervisory Authority”), one of 17 German data protection supervisory authorities, issued more substantive guidance (“Guidance”) on how to conduct the necessary analysis and risk assessment. The Guidance is particularly noteworthy because it calls into question whether data transfers to the U.S. based on the SCCs can continue at all if they are not accompanied by additional measures such as encryption. In addition, the Supervisory Authority threatens companies with enforcement actions if they fail to take the required steps.
In this blog post, we summarize the Guidance, analyze the practicality of the recommendations and provide guidance on how companies should proceed.
What are the Key Features of the Guidance and What Should Companies Do?