Update Data Protection No. 143
Current developments in international data transfer - New guideline of the supervisory authorities & record fine against META
There have been new developments in international data transfer in the past few weeks. A few months ago the Data Protection Conference stated in a working report that a data protection compliant use of Microsoft 365 is not possible at the moment, and in the middle of December 2022 the EU Commission presented an initial draft of the new EU-US Privacy Shield 2.0, which is intended to put future US data transfers on a new legal basis. In the past few days there has now, in particular, been an updated guideline from the Bavarian data protection authority, in addition to the record fine against META.
New guideline for third-country transfers
Since the discontinuation of the Privacy Shield in July 2020, companies in the European Union, and in particular in Germany, have been uncertain whether they can make legally compliant use of software (in particular Cloud software) from US providers such as Microsoft, Amazon, Google, Facebook or Salesforce, because even when using EU servers there is the risk of data transfer to US servers (at the latest since the US Cloud Act as the legal basis for access by US authorities). According to Art. 44 et seq. GDPR, this third-country transfer is subject to requirements that were tightened once again in the ECJ ruling that discontinued the Privacy Shield (Ref. C-311/18).
As early as September 2021, the data protection supervisory authority in Baden-Württemberg had summarised the complicated requirements for companies using US software in a Guideline. Since then, however, there has been a new Executive Order of the US President on the monitoring of EU data by US authorities (see Article), the ruling of the Higher Regional Court of Karlsruhe, which did not qualify the use of EU services of US providers as a breach of privacy per se (see Article), and, in addition to the above Microsoft report of the Data Protection Conference, the draft of a new adequacy decision (Privacy Shield 2.0) of the EU Commission (see Article).
Last week the Bavarian data protection supervisory authority published a Guideline dated 01/05/2023, which is currently the most up-to-date statement of opinion by the administration and a valuable implementation aid for companies when establishing GDPR compliance. At 60 pages, the Guideline is very comprehensive and provides a detailed overview of the technical and organisational measures that must be applied in addition to the EU standard contractual clauses and the risk assessment. Particularly interesting is the statement in recital 27, where, regarding the use of EU servers of US providers, it is clearly stated for the first time:
"However, so far as it cannot be excluded with certainty that the processor accesses data stored on the server or on other relevant IT systems, there is a third-country transfer since the processor is based in the third country."
Translated, this means: if the Cloud contract is concluded with the US parent company and not with the EU subsidiary, then it does not matter whether the specified server is located within the EU. The location of the contracting partner's headquarters alone leads to a third-country transfer, unless the customer can demonstrate otherwise in the individual case. That is why it is important to ensure that the contract is concluded with the EU subsidiary.
In respect of the individual verification steps, the Guideline refers to the Recommendations 01/2020 of the European Data Protection Board (EDPB) on third-country transfers. The following six steps are required accordingly:
1. Determining the third-country transfer
2. Selecting a transfer instrument
3. Verifying the effectiveness of the transfer instrument
4. Selecting additional measures
5. Introduction of formal procedural steps
6. Verification and reassessment of the level of protection, if needed
As part of step (3), a Transfer Impact Assessment, i.e. a comprehensive, documented risk assessment, must also be carried out.
The conclusion of the Guideline in recital 69 is problematic. It states:
"Only in exceptional cases is the constellation described in No. 43.3 of the EDPB recommendations applicable: Accordingly, the data exporter may conclude in his assessment to proceed with the transfer without taking additional measures, although applicable statutory regulations might be problematic and may be applicable to the specific transfer. The requirement is that the data exporter has no reason to assume that these are applicable to his transferred data and/or to the data importer. He must justify and document this assumption by way of a comprehensive report regarding the legal assessment of the statutory regulations and the corresponding practice, whereby those involved in preparing the report, e.g. law firms, consultants or internal officials, must be named."
Again, translated, this means: if companies use US Cloud software solely and exclusively on the basis of the EU standard contractual clauses, without taking additional technical and organisational measures (such as prior encryption of the data), then this must be justified thoroughly in the written risk assessment. Only in exceptional cases does this preserve GDPR compliance.
The Guideline contains a variety of explanatory notes and official interpretations of the current legal situation. From our point of view, every data protection officer must work through it and reconcile it with their own implementation measures. We would be glad to assist you, in particular in preparing the Transfer Impact Assessment.
New fine against META
Another new development from the past week regarding third-country transfer was the fine against META. The data protection supervisory authority in Ireland imposed a fine amounting to EUR 1.2 billion. The sum equals 1% of the worldwide annual revenue (from 2022), so the Irish data protection supervisory authority remained well within the range open to it (up to 4%). The reason for the fine was in particular META's refusal to also offer an ad-free version of its software applications. In the past few years, META had integrated consent to the use of personal data for advertising purposes into its general terms and conditions and claimed that the use of its software was possible only subject to permission for personalised advertising. However, the data protection authorities (except the Irish authority) considered this procedure impermissible, since use for advertising purposes requires a separate consent. META must, therefore, also provide an ad-free version of its software. The Irish data protection authority was overruled in a vote of the EU authorities and then had to initiate infringement proceedings (although it saw no need for this).
In that sense, the fine is considered quite controversial. The issuing authority would gladly have dispensed with it. It therefore cannot be excluded that the Irish courts (META has announced a legal appeal) could conclude that the fine is excessive and should be significantly reduced. Such a decision, however, is to be expected only within a few years.
Something is happening in the law of international data transfer. Companies are well advised to follow the new Guideline of the Bavarian data protection authority and to adapt their own implementation measures accordingly. The fine against META, however, should not raise any concerns for EU companies, because nothing has changed in the basic situation regarding GDPR compliance when using US Cloud software. In this respect we do not expect a new fining practice by the German authorities. It is rather to be expected that by the end of the year the new Privacy Shield 2.0 will come into force and that then (until the next ECJ ruling in a few years) a legally compliant US data transfer will once again be possible, which should provide reassurance when using Microsoft 365, Amazon AWS, Google Cloud or Salesforce. However, companies that still do not have a risk assessment regarding the use of US Cloud software are recommended to take this step as soon as possible.