European Data Protection Board Provides FAQ on Schrems II Privacy Shield Case
July 24, 2020 – Alerts
The European Data Protection Board (EDPB) has issued its much anticipated FAQs on the Court of Justice of the European Union's (CJEU) Schrems II decision. This document does not yet contain the "supplementary measures" that need to be incorporated into transfer mechanisms into the U.S. and other countries whose data protection regimes are not deemed "essentially equivalent" by the European Union, but the EDPB does break down the judgment and provides some guidance on next steps. Key takeaways are below.
Privacy Shield, SCCs and BCRs
- The CJEU decision does not render the Standard Contract Clauses (SCCs) invalid just because they do not, given their contractual nature, bind the authorities of the third countries to which data may be transferred.
- The threshold set by the court also applies to cross-border transfer mechanisms under Article 46, including Binding Corporate Rules (BCRs). The EDPB will assess the consequences of the judgment on transfer tools other than SCCs and BCRs. Per the court, the standard for appropriate safeguards is that of "essential equivalence."
- There is no grace period for the enforcement of the court's decision. Privacy Shield is invalidated as a transfer mechanism effective immediately.
- In addition to the assessments to be conducted by data exporters and data importers (see below) the EU member state supervisory authorities will also have a key role to play when enforcing the GDPR and when issuing further decisions on transfers to third countries. As invited by the court, in order to avoid divergent decisions, they will thus further work within the EDPB in order to ensure consistency, in particular if transfers to third countries must be prohibited.
Assessments on Essential Equivalence Protection
- In order to use SCCs and/or BCRs as the cross-border transfer mechanism, each data exporter and data importer must first assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, they should assess whether they can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the European Economic Area (EEA), and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness.
- Data exporters may contact their data importers to verify the legislation of their country and collaborate for its assessment.
- Whether or not you can transfer personal data on the basis of SCCs or BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers and supplementary measures you could put in place. The supplementary measures along with SCCs or BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
- Should the data exporter or the data importer in the third country determine that the data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EEA, the data exporter should immediately suspend the transfers. If the data exporter does not, they must notify their competent supervisory authority.
- Measures would need to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country.
- The EDPB is currently analyzing the court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organizational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.
- The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance.
Controller Processor Agreements
- Data exporters should review their Article 28 data processing addenda (DPAs) with their processors to determine which/whether cross-border data transfers are permitted.
- Check whether processors are authorized to engage sub-processors that transfer data to third countries. Pay close attention here: a wide variety of computing solutions may entail the transfer of personal data to a third country (e.g., for storage or maintenance purposes).
- Even providing access to data from a third country, for instance for administration purposes, also amounts to a transfer.
- If your data may be transferred to the U.S. and neither supplementary measures can be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection as afforded in the EEA provided by the transfer tools, nor derogations under Article 49 GDPR apply, the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the U.S. Data should not only be stored but also administered elsewhere than in the U.S.
- If your data may be transferred to another third country, you should also verify the legislation of that third country to check if it is compliant with the requirements of the court, and with the level of protection of personal data expected. If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.
It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 of GDPR, provided the conditions set forth in this article apply. To that end, see the EDPB guidance on the derogations. Specifically:
- The derogations set out in Art. 49 of GDPR should not become "the rule" in practice but need to be restricted to specific situations. Each data exporter needs to ensure that the transfer meets the strict necessity test.
- When transfers are based on the consent of the data subject, the consent should be:
  - Specific for the particular data transfer or set of transfers (meaning that the data exporter must make sure to obtain specific consent before the transfer is put in place, even if this occurs after the collection of the data has been made), and
  - Informed, particularly as to the possible risks of the transfer (meaning the data subject should also be informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented).
- For transfers which are necessary for the performance of a contract: personal data may only be transferred when the transfer is objectively necessary for the performance of a contract and occasional (occasional to be determined on a case-by-case basis).
- For transfers necessary for important reasons of public interest: they depend on the interest being important and recognized in EU or member state law, not on the nature of the organization transferring. While these transfers don't have to be occasional, this doesn't mean that they can take place on a large scale and in a systematic manner.
Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with Privacy Shield and EU-U.S. data transfer issues, she can be reached at [email protected] or 215.444.7313.