The European Data Protection Board (“EDPB”), adopted on 18 June 2021 its final recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling (“Final Schrems II Recommendations”). The Final Schrems II Recommendations, together with the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission on 4 June 2021, will now allow organizations to proceed with addressing international data transfers following the landmark Schrems II ruling by the Court of Justice of the European Union in July 2020.
The Final Schrems II Recommendations have maintained the requirement to carry out a 6 Step assessment prior to transferring personal data outside the EEA in reliance on a data transfer tool, such as SCCs. However, there have been some important amendments from the draft recommendations published in November 2020 in order to:
- better align with the new SCCs recently adopted by the European Commission; and
- allow more flexibility in carrying out the assessment of third country laws in Step 3 by being able to take into account practice in the third country as well as the documented practical experience of the data importer.
Our previous blog post on the draft EDPB’s Schrems II recommendations – accessible here – provides further details on the 6 Step process that organizations should follow when transferring personal data from the EEA to a third country such as the U.S. Here we summarise some of the key differences in the 6 Steps as between the draft recommendations and the Final Schrems II Recommendations.
Lawfare recently published “Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers*,” written by Sidley Partner Alan Charles Raul. This article was adapted from a longer article on our Data Matters blog, “Schrems II Concerns Regarding U.S. National Security Surveillance Do Not Apply to Most Companies Transferring Personal Data to the U.S. Under Standard Contractual Clauses.”
(*Note that this article was published by the Lawfare Institute in cooperation with Brookings.)
The thesis articulated in the article linked here is that (1) nearly all companies relying on standard contractual clauses for data transfers to the US under the EU General Data Protection Regulation are not electronic communications service providers for purposes of FISA 702 (i.e., only companies in the business of providing communications services would be covered) and (2) data transfers from Europe to the US under SCCs may not be targeted under FISA 702 and EO 12333 because they are (i) quintessential “US person communications” because either the data exporter is a U.S. person or the data importer is a U.S. person, or more likely, both are US persons and (ii) received by a person located in the U.S. Accordingly, the concerns expressed by the EU Court of Justice in Schrems II should not be problematic for nearly all U.S. companies relying on SCCs.
The European Commission (EC), on 12 November 2020, published a draft decision implementing revised Standard Contractual Clauses (draft SCCs) – (the EC’s Draft). The EC’s Draft was published following the Court of Justice of the European Union’s (CJEU) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (Schrems II), which found (amongst other things) that supplementary protections may need to be implemented when SCCs are used to ensure an ‘essentially equivalent’ level of data protection. The publication of the EC’s Draft comes just one day after the European Data Protection Board (EDPB) published its draft recommendations describing how controllers and processors transferring personal data outside the European Economic Area (EEA) may comply with the Schrems II ruling. The EC’s Draft is open for public consultation until 10 December 2020, after which it will undergo a process of review by representatives of every EU Member State (the Committee) who will each need to provide a positive opinion in relation to the EC’s Draft as part of the EU examination procedure. The European Data Protection Supervisor must also be consulted and it is recommended that the EDPB is consulted. The EC’s College of Commissioners may then adopt the EC’s final decision
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Board, tasked with overseeing compliance with the GDPR (“EDPB”), on 11 November 2020 issued its anticipated recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling. These recommendations are applicable immediately but are open for public consultation until November 30. Information on submitting public comments is accessible here.
In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program (“Privacy Shield”) and potentially required supplementary protections to be implemented when Standard Contractual Clauses (“SCCs”) are used to ensure an ‘essentially equivalent’ level of data protection. Under the GDPR, personal data transfers outside the EEA to jurisdictions which are not found to provide an ‘adequate level of protection’ to the data, are restricted unless appropriate safeguards are implemented. The Privacy Shield and SCCs were two key appropriate safeguard mechanisms used to legitimize transfers of personal data outside the EEA to ‘non-adequate’ recipient countries, referred to as “Third Countries.”
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (“Schrems II”), the European Data Protection Supervisor, tasked with overseeing compliance with EU data protection laws by the EU institutions (“EUIs” and “EDPS”), issued guidance on 29 October 2020 on how EU institutions should comply with the Schrems II ruling (“EDPS Guidance”). In Schrems II, the CJEU invalidated the EU-U.S. Privacy Shield program and potentially required additional protections to be implemented when Standard Contractual Clauses are used. Both are key legal mechanisms used to enable transfers of personal data outside the EU.
In the wake of the recent Court of Justice of the European Union’s decision in Schrems II, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs met in early September to discuss the long-awaited revision of Standard Contractual Clauses (SCCs). During the meeting, Commissioner for Justice Didier Reynders expressed hope that revised SCCs would be finalised by the end of 2020.
On September 28, the U.S. government released a “White Paper” addressing how U.S. companies might justify their continued transfer to the U.S. of personal data of EU residents, following the decision of the Court of Justice of the European Union (“CJEU,” or “ECJ”) in Schrems II – more formally known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (July 16, 2020). The Schrems II decision struck down the EU-U.S. Privacy Shield as a basis for transferring EU personal data to the United States because of the Court’s view that U.S. national security law did not provide equivalent privacy protections to those available in the EU. While the CJEU upheld Commission-approved Standard Contractual Clauses (“SCCs”) as a basis for transfers of EU personal data to the U.S., the Court imposed significant new hurdles for the use of SCCs.
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) concluded in a position paper published on 8 September that the Swiss-US Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the US.