Since the Schrems II decision of the Court of Justice of the European Union (CJEU) last year (see our alert here), companies in the European Union found themselves between a rock and a hard place, as many still rely on U.S.-based online service providers in one capacity or another, and the CJEU, in addition to totally invalidating the Privacy Shield framework, mandated additional requirements over the Standard Contractual Clauses (SCCs), the most widely used lawful transfer mechanisms.

Following this CJEU decision, the Bavarian Data Protection Authority (Bayerisches Landesamt für Datenschutzaufsicht) has now effectively barred a European online magazine from using the popular U.S.-based newsletter delivery service, Mailchimp.

Companies using Mailchimp to route their newsletters must generally transfer personal data (e.g., the recipients’ email addresses) to Mailchimp’s servers in the United States. Previously certified under the late EU-U.S. Privacy Shield framework, Mailchimp had to pivot to offer its European customers an alternative transfer mechanism, i.e. the SCCs. While their general validity was left untouched by the Schrems II decision, the CJEU argued that it may be required for companies relying on the SCCs to assess whether additional safeguards should be implemented on top of the SCCs in order to effectively protect personal data.

As expressly mentioned in the Schrems II decision, transfers to cloud service providers in the United States would require such additional safeguards, due to the broad investigative powers of U.S. authorities, e.g., under Section 702 (50 U.S.C. § 1881a) of the Foreign Intelligence Surveillance Act (Cloud Services Act).

Until now, it had seemed that the EU supervisory authorities had granted companies an unofficial grace period to adjust to the amended legal situation, especially as new templates for SCCs taking into consideration the Schrems II decision are expected to be finalized in the coming weeks.

The action of the Bavarian Data Protection Authority shows that this restraint might have come to an end. In a recent press release concerning this investigation, the authority commented that the case was exemplary for their enforcement of the requirements of the Schrems II decision, which had already been taken up with a high degree of intensity even without publicly perceived investigations or sanctions. 

The Bavarian Data Protection Authority based its action expressly on the fact that the European company has not assessed whether additional safeguards for transferring personal data to Mailchimp were required, in particular as Mailchimp may be subject to the Cloud Services Act. While no fine was imposed in this case and the Bavarian Data Protection Authority did not issue a formal decision, the authority still informed the company that their use of Mailchimp was (in their view) not in line with General Data Protection Regulation (GDPR) requirements. The company also promised to cease using Mailchimp in the future.

However, it should be noted that the official reason for not imposing a fine was on the one hand, the low sensitivity of the data transferred (email addresses only) and, on the other hand, the limited scope of the transmission (only two newsletters were sent). The details of the case being leaked and officially commented on by the supervisory authority could be considered as a warning to other EU companies transferring data to U.S. cloud service providers, which should probably expect less leniency from the supervisory authorities from now on. 

The current case was rather clear, as the European company in question has apparently taken no steps at all to establish and document whether additional safeguards were required and were already (because of this omission) in breach of their statutory obligations under GDPR. Future cases will probably not be as easy to decide, in particular when an EU company has documented a respective assessment or even implemented additional safeguards, and supervisory authorities and ultimately courts will have to assess what is really required to ensure adequate security of personal data in countries outside the European Union. 

Following the decision of the Bavarian Data Protection Authority, EU companies using U.S. online service providers, especially cloud services, are therefore encouraged to check the basis of their data transfers to the United States and, if necessary, adapt them to the new legal situation in order to avoid facing potentially high fines. 

K&L Gates’ global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

First Publication: K&L Gates with Thomas Nietsch & Martin Fokken

The European Union (EU) and the United Kingdom (UK) finally came to an agreement on 24 December 2020 (EU-UK Trade and Cooperation Agreement, the Agreement), less than ten days after the European Data Protection Board (EDPB) published a statement on the consequences a no-deal situation would have on the flows of personal data between the EU and the UK (for previous coverage of General Data Protection Regulation (GDPR) and Brexit, please see our alert here). This statement has since been updated on 13 January 2021.

(more…)

As of 1 January 2021, the Brexit transition period (Transition Period) ended, and the United Kingdom (UK) officially finalized its exit from the European Union (EU) and the 11th-hour commercial agreement (Agreement) should allow for a smoother transition on the data protection front as the General Data Protection Regulation (GDPR) stops being directly applicable to the UK. It also provided the UK with a six-month grace period to hope for an adequacy decision that would allow for the free transfer of personal data from the EU to the UK.

As the European Data Protection Board (EDPB) amended on 13 January 2021 its Brexit communications² further to the Agreement (Communications), it only addresses:

  • The issue of data transfers from the EU to the UK;
  • The end of the One-Stop-Shop (OSS) mechanism for the UK; and
  • The need for UK entities that would be subject to GDPR to appoint a representative further to Art. 27 GDPR.

However, aside from enacting the end of the OSS and commenting that “the EDPB has been liaising with the ICO [Information Commissioner’s Office, the UK’s Supervisory Authority] over the past months in order to enable a smooth shift to this new situation by ensuring that the EEA authorities follow a shared and efficient approach in handling the existing complaints and cross-border cases involving the ICO, whilst minimizing delays and possible inconveniences to affected complainants[,]” the EDPB did not comment on how such collaboration will effectively play out for companies whose lead Supervisory Authority was the ICO.

Read the full article on Radar First blog.

  1. Adoption of the minutes and of the agenda, Information given by the Chair
    1. Minutes of the 40th EDPB meeting
    2. Draft agenda of the 41st EDPB meeting
  2. Current Focus of the EDPB Members
    1. Art. 65 ongoing procedure
    2. Draft Art. 65 Decision
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Recommendation on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data
    2. Update of the European Essential Guarantees recommendations

With the Brexit transition period ending on 31 December 2020, and no deal in sight, the future of cross-border data transfers between the European Economic Area (the EEA) and the United Kingdom remains unclear. On 1 January 2021, the United Kingdom will be considered as a “third country” and, unless a Brexit deal is proposed dealing with data protection and how data transfers between the EEA and the United Kingdom are to be treated, it could be significantly more difficult for European Union (EU)-based entities to transfer personal data to the United Kingdom.

(more…)

This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).

The judgment C-311/18 can be found here, and the press release of the Court may be found here.

(more…)
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 35th EDPB meeting
    2. Draft agenda of the 36th EDPB meeting
  2. Current Focus of the EDPB Members
    1. FAQ regarding clarifications of the consequences of the Schrems II judgement
    2. Decision making under art. 65 – Role of the Secretariat 2.3. Update by SA
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. Secretariat
      1. September plenary meeting
      2. Legal studies
    2. Coordinators ESG
      1. Focus of the ESG until spring 2021
  4. Any other business
  1. Adoption of the minutes and of the agenda
    1. Minutes of the 34th EDPB meeting
    2. Draft agenda of the 35th EDPB meeting
  2. Current Focus of the EDPB Members
    1. Decision-making under Art. 65 GDPR
  3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat
    1. International Transfers ESG
      1. Impact of Brexit on BCRs and management of ICO-led BCRs
    2. RoP drafting team
      1. Transparency of EDPB minutes
    3. Secretariat
      1. Legal studies
  4. Any other business

The long awaited Schrems II decision was published by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II) and while it has already been summarized as the death blow to the Privacy Shield framework and the confirmation of the validity of the Standard Contractual Clauses (SCCs) by many, it may only be a Pyrrhic victory for the latter, as far as transfers to the US are concerned.

(more…)

With the recent decision from the Court of Justice of the European Union (CJEU) invalidating the Privacy Shield framework (Court of Justice of the European Union – Grand Chamber – 16 July 2020 – C-311/18 – Schrems II – see our alert here) and subjecting the Standard Contractual Clauses (SCCs) to higher standard of enforcement, global companies with the need to transfer data across the world, and especially across the Atlantic, are now required to re-assess their data transfer mechanisms.

While both Privacy Shield and the SCCs predates the General Data Protection Regulation 2016/79 dated 27 April 2016, which enter into force on 25 May 2018 (GDPR) , the new regulation aimed at providing stakeholders with additional tools to self-regulate and safeguard the privacy of individuals in the European Union

Among them, and while still confidential, the implementation of codes of conduct is encouraged under Art. 40 GDPR and by the dedicated Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/79 dated 04 June 2019 of the European Data Protection Board (EDPB). As a matter of fact, the advantages of such codes of conducts go beyond the mere facilitation of data transfers, and provide data controllers and data processors alike with a complete sectorial framework for GDPR compliance.

(more…)