The European Data Protection Board (“EDPB”) adopted a Statement on the Court of Justice of the European Union (“CJEU”) Judgment in Case C-311/18 (“Schrems II”), on 17 July 2020. The EDPB also issued a FAQ Document on said judgment on 23 July 2020.
As a quick recap, in Schrems II the CJEU, inter alia, invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield and considered the Commission Decision 2010/87 on Standard Contractual Clauses (“SCCs”) for the transfer of personal data to processors established in third countries valid.
In its Statement and FAQ Document the EDPB provides guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment. Below we provide some of the most significant answers given by the EDPB.
Data transfers based on the Privacy Shield are illegal effective immediately
The EDPB points out that there is no grace period during which companies can continue transferring data to the US within the Privacy Shield framework.
In its Statement the EDPB further notes that the EU and the US should achieve an effective framework guaranteeing that the level of protection granted to personal data in the US is essentially equivalent to that within the EU. The EDPB intends to play a constructive part in securing such a framework. The Statement, however, does not take a stand on when a framework replacing the Privacy Shield could be expected. In the meantime, companies must rely on other legal bases for data transfers to the US.
The judgment also has implications for transfer tools other than the Privacy Shield
The threshold set by the CJEU also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country. The EDPB notes that the US law referred to by the Court (i.e., Section 702 FISA and EO 12333) applies to any transfer to the US via electronic means that falls under the scope of this legislation, regardless of the transfer tool used.
The implications for transferring data with SCCs and BCRs
The Privacy Shield was also designed to bring guarantees to data transferred with other tools such as Binding Corporate Rules (“BCRs”) and SCCs. As the CJEU found that US law does not ensure an essentially equivalent level of protection, whether one can transfer personal data to the US on the basis of SCCs or BCRs will depend on whether or not they can provide equivalent protection. Supplementary measures may have to be put in place.
The supplementary measures along with the SCCs or BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, must ensure that US law does not impinge on the adequate level of protection they guarantee. If appropriate safeguards cannot be ensured, the transfer of personal data must be suspended or ended. If the transferring of data is continued despite this conclusion, the competent SA must be notified.
A similar assessment must be done regarding each third country without an adequacy decision. The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with. If the country of the importer does not provide an equivalent level of protection, the exporter may have to consider putting in place additional measures.
According to the EDPB, the supplementary measures will have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer, and following the assessment of the law of the third country. The EDPB is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical, or organisational. Further guidance in this regard is expected from the EDPB. Until the EDPB provides further guidance, effective judicial remedies, surveillance programs, context-specific proportional limitations and case-by-case selected mechanisms, such as encryption, may form the basis of acceptable solutions.
The implications for other transfer tools under Article 46
The EDPB will assess the consequences of the judgment on transfer tools other than SCCs and BCRs later.
Derogations of Article 49 can still be relied on
It is still possible to transfer data to the US on the basis of derogations pursuant to Article 49 GDPR provided the conditions set forth in this Article apply. The EDPB has written guidelines on this which can be found here.
The EDPB highlights in particular the following:
1. Transfers based on the consent of the data subject should be explicit, consent should be specific for the particular data transfer or set of transfers and the data subject should be informed, particularly as to the possible risks of the transfer.
2. Transfers necessary for the performance of a contract between the data subject and the controller may occur only when the transfer is occasional and objectively necessary.
3. Transfers necessary for important reasons of public interest may occur when an important public interest is found, the nature of the organisation not being relevant. Although this derogation is not limited to data transfers that are “occasional”, transfers cannot take place on a large scale and in a systematic manner.
The responsibility of a controller
A controller must know if their processor transfers data to the US or to another third country. The contract between the controller and the processor must address whether transfers are authorised or not. It should also be borne in mind that merely providing access to data from a third country, for instance for administration purposes, amounts to a transfer.
Authorisation must also be given before a processor may entrust sub-processors with transfers of data to third countries. Controllers should pay attention and be careful, because a large variety of computing solutions may involve the transfer of personal data to a third country (e.g., for storage or maintenance purposes).
If data may be transferred to the US and supplementary measures cannot be provided to ensure that US law does not impinge on essentially equivalent levels of protection, and derogations under Article 49 GDPR do not apply, the only solution is to negotiate an amendment or supplementary clause to the contract to forbid transfers to the US. Data should not only be stored but also administered elsewhere than in the US.
If data may be transferred to another third country, the controller should also verify the legislation of that third country to check whether it is compliant with the requirements of the Court, and with the expected level of protection of personal data. If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.
A checklist for anyone transferring data from the EEA to the US
On the basis of the answers given by the EDPB, we recommend the following checklist that those transferring data from the EEA to the US may use to make sure they remain in compliance with the GDPR:
1. Make sure you no longer transfer data to the US on the basis of the Privacy Shield framework. All such transfers must be suspended until an alternative legal basis can be found.
2. If you are transferring data on the basis of SCCs or BCRs, you must assess whether or not they can provide equivalent protection. Supplementary measures may need to be put in place. If appropriate safeguards cannot be ensured according to the assessment, the transfer of personal data must be suspended or ended. If the transfer of data is continued despite this conclusion, the competent SA must be notified.
3. The EDPB will assess the consequences of the judgment on transfer tools other than SCCs and BCRs later.
4. It is still possible to transfer data to the US on the basis of derogations pursuant to Article 49 GDPR provided the conditions set forth in that Article apply.
5. The controller is responsible for knowing if the processor transfers data to the US. If unsure, you should carefully examine the contract between you and the processor to check whether the processor can transfer data to the US. If such transfers are possible, supplementary measures cannot be provided to ensure equivalent protection, and derogations under Article 49 GDPR do not apply, you must amend the contract to forbid transfers to the US.