German privacy authorities appreciate Microsoft’s supplemental clauses for data transfers

Microsoft’s decision to adopt supplemental clauses for data transfers was praised by German privacy authorities and might trigger a domino effect.

The supplemental clauses proposed by Microsoft for data transfers

The data protection authorities of Baden-Württemberg, Bavaria, and Hessen have issued press releases on the new supplementary contractual clauses proposed by Microsoft to handle transfers of personal data outside the EEA after the Schrems II decision, describing them as

valuable in the joint search for legal certainty for data transfers to the United States and to other states whose legal systems cannot sufficiently guarantee the standard of protection provided by the GDPR.

Microsoft’s initiative follows the recommendations published by the EDPB on supplementary measures to be adopted to deal with data transfers set out in this article, and, according to the German data protection authorities, is an example for all parties involved in the search for legally valid solutions regarding the appropriate protection measures to be guaranteed when transferring data internationally.

The proposal is aimed at strengthening users’ rights. In particular, it contains provisions on

• The management of data subjects’ information if the company is called upon by the government to release their data to the US security authorities;
• Microsoft’s obligation to take legal action to challenge the government’s order to disclose the data subject’s data; and
• The right to compensation for damages to data subjects who have suffered material or non-material damage as a result of the unlawful processing of their personal data;

My feedback on the current situation

The assessment carried out so far by the various data protection authorities reveals that supplemental clauses are not per se sufficient to completely solve the problem of data transfer to the United States.  The addition of obligations to those provided by the standard contractual clauses does not prevent access to data subjects’ data by American surveillance services, one of the most important critical points raised by the European Court of Justice in the famous Schrems II judgment.

The recommendations of the European Data Protection Board on transfers of personal data outside the EEA are not binding by their nature, but give guidance on the assessment of the transfer that privacy guarantors expect from companies.  To this end, we at DLA Piper have updated our methodology for assessing personal data transfers in the light of the recommendations, and you can read more about this in this article “Do you have a data transfer methodology based on the Schrems II decision?“.