European Data Protection Supervisor Issues Schrems II Guidelines

Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Supervisor (“EDPS”), tasked with overseeing compliance with EU data protection laws by the EU institutions (“EUIs”), issued guidance on 29 October 2020 on how EUIs should comply with the Schrems II ruling (“EDPS Guidance”).  In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program and potentially required additional protections to be implemented when Standard Contractual Clauses are used.  Both are key legal mechanisms used to enable transfers of personal data outside the EU.

Although the EDPS acts as the EUIs’ supervisory authority and, unlike the European Data Protection Board (“EDPB”), is not officially tasked with guiding private actors on compliance with EU data protection law, it works closely with the EDPB and national data protection authorities (“DPAs”).  Its guidance is therefore expected to influence and align with further EDPB and DPA guidance.  The EDPS Guidance includes both short- and medium-term compliance and enforcement actions for transfers carried out by EUIs or on their behalf, in a controller-to-processor and processor-to-subprocessor context.

Below is a summary of the key takeaways of the EDPS Guidance:

    1. Focus on personal data transfers to the U.S.: The EDPS confirms that its priority focus will be on data transfers “towards the United States”.  In addition, the EDPS “strongly encourages” EUIs that engage in new processing operations or new contracts to “avoid processing activities that involve transfers of personal data to the United States.”  Since there are a multitude of personal data transfers flowing to and from the U.S. to Europe every day, this affects a large number of EUIs who will have to reconsider their transfer options.
    2. Mapping exercise: On 5 October 2020, the EDPS had already ordered EUIs to perform a mapping exercise to identify which activities involve personal data transfers.  By 15 November 2020, EUIs must report to the EDPS transfers which are (i) not based on a transfer mechanism where one is required (i.e., transfers which are currently illegal), (ii) based on a derogation (e.g., the individual’s explicit consent), or (iii) considered high-risk transfers to the U.S. because the data importers are “clearly subject” to Section 702 FISA or E.O. 12333 (the U.S. surveillance laws) and the transfer involves a large-scale, complex or sensitive data processing operation.
    3. Transfer Impact Assessments (“TIAs”): The EDPS will issue guidance and pursue enforcement action for transfers to the U.S. and other third countries on a case-by-case basis.  EUIs will be asked to perform TIAs, which allow them to identify, for each data transfer, whether a level of data protection essentially equivalent to the EU/EEA’s level of protection exists in the third country and, based on this assessment, whether they may continue the transfer or should implement additional supplementary protection measures or safeguards.  Following this TIA, EUIs will need to report specific categories of transfers to the EDPS in the course of Spring 2021.  The EDPS Guidance indicates that the EDPS will provide a list of preliminary questions to help EUIs launch TIAs with their data importers, following EDPB guidance on supplementary protection measures in Schrems II (expected shortly).  This TIA aligns with the assessment proposed by the EDPB in its FAQs following the Schrems II
    4. Joint assessments of the level of protection afforded in third countries: The EDPS indicates it will start exploring whether it can assist in performing joint assessments of the level of protection of personal data in the recipient third country and coordinate such assessments between authorities, controllers and other stakeholders.  Based on their current guidance, both the EDPB and the EDPS put the onus on controllers (i.e., private companies and EUIs) to perform a self-assessment and then determine for themselves whether it is appropriate to put in place supplementary protection measures.  The EDPS’ intention to explore joint assessments is welcome as a way to ease the burden on controllers, but it remains to be seen when this process will be initiated.  In the meantime, data exporters and importers should consider how to comply with the Schrems II ruling, including by performing these assessments themselves.
    5. Compliance and enforcement action: Based on the EDPS Guidance, the EDPS may take enforcement action and suspend data transfers by EUIs for non-compliance with the short- and medium-term actions outlined above.  The EDPS will also communicate and establish its long-term compliance priorities for 2021 in due course.  As indicated, the EDPS does not regulate private actors, but its enforcement priorities and actions are expected to be reflected in the EDPB and national DPA guidance to come.

To read the full CJEU Schrems II judgment, please click here. You can find our previous blog posts entitled “Swiss Data Protection Authority Concludes Swiss-US Privacy Shield No Longer Valid for Swiss-US Transfers” here and “EDPB Publishes FAQs on Recent Schrems II Judgment” here.