The data protection authority of Baden-Wuerttemberg has published a guideline on actions to take after the Schrems II CJEU ruling (in German here). It gives practical tips on which supplementary measures to take.
Law enforcement, secret service and other authorities
First topic in the guideline: the exceptions for administrative authorities (e.g. law enforcement, intelligence services) in Art. 2 section 2 GDPR only apply to authorities of member states of the European Union.
Recital 115 GDPR and Art. 48 GDPR cover this topic. In essence they say that any extraterritorial action by a judgment of a court or tribunal or of an authority of a third country (a country outside the European Union) is not directly applicable and is therefore primarily blocked. Transferring personal data to such an authority is only possible under the rules of the GDPR. Therefore Art. 44 GDPR to Art. 50 GDPR apply. Recital 115 sentence 5 states that a transfer may take place “… where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.”
Therefore: if the controller is located in the European Union and the processor is in the USA, and US authorities try to access personal data processed on behalf of the controller in the EU based on US law, recital 115 sentence 5 gives us an additional test of whether a transfer of that personal data to the US authorities might be lawful.
This also applies to authorities of all other countries outside the European Union.
It nevertheless needs a manual test and decision. There is no automatism in case of extraterritorial reach of a law of a third country to transfer personal data from the EU to that third country.
Additionally Art. 48 GDPR applies and says nothing different. Under this article a transfer of personal data required by a court judgment, a tribunal decision or an authority decision may only take place if it is recognized or enforceable under an international treaty, such as an international mutual assistance treaty between the respective state and the European Union or the respective member state of the EU. Nevertheless the transfer might also be based on other legal grounds to be found in Art. 44 GDPR to Art. 50 GDPR.
As the data protection authority lays out, the exceptions only apply to authorities of member states of the EU and only if covered by Art. 2 section 2 (a) / (b) / (d) GDPR.
In case an authority is asking for personal data, perform the following test:
(1) Am I a processor or a controller?
If I am a processor:
– Am I obligated to inform the controller by contract?
In many cases the answer will be yes.
– Am I allowed to inform the controller by applicable law?
In many cases the answer to this will be “no”.
Act accordingly and, if obligated, support the controller in its actions against the transfer of personal data.
– Which risks do I face by not complying with the request and thereby violating that law?
This shall not lead to any violation of any applicable law, but it does give you arguments within your organization and towards a controller. Risks can include penalties, reputation loss and imprisonment of acting persons or managers, but are not limited to these.
There are many conflicting laws where one state likes to impose extraterritorial jurisdiction that is blocked by the laws of the other country. At the moment there is no easy solution to this. It is a case-by-case decision.
(2) Is the request from an authority of a member state of the EU?
If yes: test the request by Art. 2 section 2 GDPR. If it is allowed under these rules, act accordingly.
If no: push back and check according to recital 115 sentence 5 and (!) Art. 48 GDPR. Do not transfer personal data before all other steps are fulfilled.
(3) Check the legal situation in the receiving country in accordance with the Schrems II ruling by the CJEU.
Keep the result as an argument in the discussion. The decision is not determined by this result alone; it is one additional tessera in the overall picture.
Open discussion at the moment: What to do if transfer to the authority in the requesting country is not possible in the light of the Schrems II ruling?
– If covered by a mutual assistance treaty, then Art. 48 GDPR allows such transfer.
– If there is no such mutual assistance treaty, check for other international treaties which cover the situation.
– If there are no such treaties: can you establish legal grounds under Art. 44 GDPR to Art. 50 GDPR?
– Is recital 115 sentence 5 in your specific case an argument?
Practical tip here: get in contact with your supervisory authority and discuss the case.