On July 23, 2020, the European Data Protection Board (the “EDPB”) published a set of important responses to 12 frequently asked questions put forward to supervisory authorities regarding the recent Court of Justice of the European Union (“CJEU”) decision in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) (“FAQs”).
Below is a summary of the key take-aways from the EDPB’s FAQs, which is intended to address a range of topics including the lack of a grace period following the decision and the conditions surrounding the use of certain data transfer mechanisms:
1. The CJEU invalidated the EU-US Privacy Shield but upheld the use of Standard Contractual Clauses (“SCCs”) to transfer personal data to the U.S.: Although the CJEU confirmed SCCs to be a valid transfer mechanism, the EDPB confirms the CJEU’s position that SCCs may only be relied upon where the relevant third country is able to comply with the terms of the SCCs in practice (i.e., to ensure compliance with a level of protection “essentially equivalent” to that guaranteed within the EU by the GDPR). Where the laws in a third country make it impossible for the data importer to comply, transfers of personal data from the EU pursuant to SCCs must be suspended or prohibited.
The CJEU determined that, prior to any transfer, data exporters and data importers are obligated to verify, taking into account the circumstances of the transfer, whether the required level of protection is respected in the relevant third country. The onus rests on the data importer to notify the relevant data exporter of any inability of the data importer to comply with the SCCs (or any supplementary measures implemented), following which the data exporter must suspend transfers of personal data to, or terminate the contract with, the relevant data importer.
The EDPB reaffirms the CJEU’s decision to invalidate the EU-US Privacy Shield on the basis that U.S. domestic law, in particular the ability for U.S. public authorities to access personal data transferred from the EU to the U.S. for national security purposes, encroaches on the protections on personal data provided by EU law and rights of data subjects.
2. CJEU’s judgment applies to all “appropriate safeguards” used to transfer data to third countries: The EDPB confirms the CJEU’s position that, generally, the threshold set in Schrems II applies to all “appropriate safeguards” under Article 46 of the GDPR used to transfer personal data from the European Economic Area (“EEA”) to any third country. Appropriate safeguards under Article 46 include, for example, BCRs, SCCs and approved Codes of Conduct etc.
3. No grace period following the Schrems II decision: The CJEU invalidated the EU-US Privacy Shield as a transfer mechanism, with immediate effect.
4. Transfers based on the EU-US Privacy Shield are illegal: EEA-based organisations relying on a U.S. organisation’s EU-US Privacy Shield certification to transfer personal data to the U.S. must look to rely upon an alternative transfer mechanism.
5. Organisations using SCCs to transfer personal data to the U.S. will need to assess, taking into account the circumstances of the transfer, whether they need to implement supplementary measures: Organisations will need to carry out a case-by-case assessment of whether or not they can transfer personal data to a data importer in a third country on the basis of SCCs. In making this assessment, organisations will need to take into account the circumstances of the transfers and determine whether any supplementary measures are required to be implemented to ensure that U.S. law does not impinge on the level of protection guaranteed by the SCCs. Where such assessment reveals that appropriate safeguards would not be ensured, organisations are required to suspend transfers of personal data or notify the relevant supervisory authority that they wish to continue transferring data.
6. Similar assessment required when transferring to the U.S. based on Binding Corporate Rules (“BCRs”): The EDPB emphasises that the CJEU’s assessment in respect of the EU-US Privacy Shield also applies when transferring personal data to a U.S. organisation on the basis of an organisation’s BCRs. In these circumstances, a similar assessment to the assessment required when relying upon SCCs (detailed above in FAQ 5) must be carried out. Article 46 needs to be read in light of Article 44, which provides that “all provisions [in Chapter V] shall be applied in order to ensure that the level of protection of natural persons guaranteed by the [GDPR] is not undermined”.
7. EDPB will assess consequences of the judgment on transfer mechanisms other than SCCs and BCRs: In making its assessment, the EDPB will consider the CJEU’s ruling that the standard for “appropriate safeguards” in Article 46 of the GDPR is that of “essential equivalence”.
8. Organisations can still rely upon one of the Article 49 derogations to transfer data to the U.S.: Where transfers are based on the consent derogation, the EDPB reiterates the requirement to obtain explicit, specific and informed consent of the data subject. The EDPB also reaffirms that transfers of personal data necessary for the performance of a contract between the data subject and the controller may only occur when the transfer is “occasional” and only where the transfer is objectively necessary for the performance of the contract. In relation to transfers necessary for important reasons of public interest (which must be recognised in EU or Member State law), this derogation can only be relied upon where there is a finding of an “important public interest” irrespective of the nature of an organisation and should not take place on a large scale and in a systematic manner.
9. SCCs and BCRs can still be used to transfer data to other third countries provided that the thresholds set by the CJEU for transfers to the U.S. are complied with: The EDPB emphasises that it is the primary responsibility of data exporters and data importers to assess whether the level of protection as required by EU law is respected in the relevant third country in order to determine whether the guarantees provided by the SCCs or the BCRs (as relevant) can be complied with in practice. Where the outcome of such assessment reveals that such guarantees cannot be complied with, organisations are required to assess whether they can provide supplementary measures to ensure an “essentially equivalent” level of protection as provided in the EEA, and whether the third country laws are likely to impinge on the effectiveness of any such supplementary measures. The EDPB comments that exporters can contact their data importer to verify the legislation of its country and collaborate for its assessment. The EDPB also clarified the CJEU’s position that supervisory authorities will work with the EDPB to ensure consistency when issuing decisions on transfers to third countries.
10. Supplementary measures required to be implemented when using SCCs and BCRs are to be determined on a case-by-case basis: According to the EDPB’s FAQs, the supplementary measures to be implemented by organisations will need to be assessed on a case-by-case basis, taking into account all of the circumstances of the transfer and an assessment of the laws in the relevant third country to determine whether it ensures an adequate level of protection. The EDPB is currently considering the kind of supplementary measures that could be provided.
11. Controllers to determine whether processor transfers of personal data to the U.S. or another third country in data processing agreements are permitted: The EDPB emphasises the importance for controllers using processors to ensure that agreements with such processors contemplate whether a controller authorises international transfers made by processors or a sub-processor. The EDPB notes that merely providing access to data from a third country will amount to a “transfer” of personal data to that third country.
12. Where supplementary measures cannot be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection as afforded in the EEA and no derogations under Article 49 of the GDPR apply, “the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the US”: Where data is transferred to a third country (other than the U.S.), the EDPB clarifies that organisations should verify the legislation of that third country to assess whether it provides an “essentially equivalent” level of protection to that guaranteed in the EU. To the extent that no suitable grounds for transfers to a third country can be found, the EDPB confirms that personal data should not be transferred outside of the EEA.
To read the full CJEU Schrems II judgment, please click here. You can find our previous blog post entitled “The EU’s Highest Court Announces Significant Decision Regarding Cross-Border Data Flows: Invalidates EU-US Privacy Shield Program and Upholds Standard Contractual Clauses” here.