Data Protection Law
Following Schrems II (in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) the European Data Protection Board (EDPB) has adopted a set of frequently asked questions and responses (FAQs) concerning the judgment. For more information about that decision read our blog.
The Schrems II judgment
The European Court of Justice (ECJ) has invalidated the EU Commission’s decision approving the EU-U.S. Privacy Shield because U.S. intelligence agencies can access personal data relating to EU residents in ways that are incompatible with EU personal data protection laws and EU residents lack proper enforcement rights.
In addition, the ECJ ruled that the controller-processor Standard Contractual Clauses (SCCs), another widely used mechanism for international data transfers, remain valid. However, data exporters and importers must assess, prior to any transfer, the laws of the third country to which data is transferred to determine if those laws ensure an adequate level of protection of personal data.
The judgment was welcomed by the EDPB because it highlights the fundamental right to privacy in the context of the transfer of personal data to third countries. In response to the ECJ’s ruling that the adequacy decision for the EU-US Privacy Shield is invalid, the EDPB invited the EU and US to work together and establish a complete and effective framework that guarantees the level of protection granted to personal data in the US is essentially equivalent to that guaranteed within the EU.
Schrems II: EDPB FAQs
Although the ECJ also determined in Schrems II that controller to processor standard contractual clauses (SCCs) remain valid as an adequate safeguard for data transfers, the EDPB commented that:
- No grace period – the ECJ ruling applies with immediate effect. There will be no grace period during which organisations can remedy their Privacy Shield-based data transfers. In contrast, when the US-EU Safe Harbor framework was invalidated in 2015, the Article 29 Working Party granted a grace period until an appropriate solution was found with the U.S. authorities. It did so via a statement dated 16 October 2015, stating no enforcement action would be taken until the end of January 2016. However, while there will be no EU-wide grace period, national supervisory authorities will still have discretion over when to take enforcement actions in their territory.
- The exporter and importer of the data being transferred must look beyond the protection provided by the terms of the SCCs and assess whether the country to which the data is being transferred offers adequate protection, in the context of the non-exhaustive elements set out in Article 45(2) of the GDPR. If it is determined that the country of destination does not provide an essentially equivalent level of protection to the GDPR, the exporter may have to consider adopting further protective measures in addition to using SCCs. The EDPB is considering what those additional measures could include and will report in due course.
- The judgment highlights the importance of complying with the obligations included in the terms of the SCCs. If those contractual obligations are not or cannot be complied with, the exporter is bound by the SCCs to suspend the transfer or terminate the SCCs, or to notify its competent supervisory authority if it intends to continue transferring data.
- Supervisory authorities (SAs) have a responsibility to suspend or prohibit a transfer of data to a third country pursuant to SCCs if those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means.
- Implications for other transfer mechanisms, including BCRs. The threshold set by the ECJ applies to all appropriate transfer mechanisms under Article 46 GDPR. The U.S. law referred to by the ECJ (i.e., the Foreign Intelligence Surveillance Act and Executive Order 12333) applies to any transfer to the U.S. via electronic means, regardless of the transfer mechanism used for such transfer. In particular, the ECJ’s judgment applies in the context of binding corporate rules (BCRs), since U.S. law will also prevail over this cross-border data transfer mechanism. Similar to the SCCs, transfers taking place based on BCRs should be assessed and appropriate supplementary measures should be taken. The EDPB states that it will further assess the consequences of the judgment on transfer mechanisms other than SCCs and BCRs (e.g., approved codes of conduct or certification mechanisms).
- Companies can rely on the derogations set forth under Article 49 of the GDPR, provided that the conditions as interpreted by the EDPB in its guidance on Article 49 of the GDPR are met. When transferring personal data based on individuals’ consent, such consent should be explicit, specific to the particular data transfer(s) and informed, particularly regarding the risks of the transfer(s). In addition, transfers of personal data that are necessary for the performance of a contract should only take place occasionally. Further, in relation to transfers necessary for important reasons of public interest, the EDPB emphasises the need for an important public interest, as opposed to only focusing on the nature of the transferring organisation. According to the EDPB, transfers based on the public interest derogation cannot become the rule and must be limited to specific situations and to a strict necessity test.
Schrems II: Further clarification expected
The EDPB is still assessing the judgment and will provide further clarification for stakeholders and guidance on the transfer of personal data to third countries pursuant to the Schrems II judgment. Data exporters and importers should closely monitor upcoming developments and guidance of the EDPB and national supervisory authorities, assess their existing cross-border transfers and consider implementing supplementary legal, technical or organisational measures in order to ensure they can continue to transfer personal data to third countries lawfully. Whilst the judgment most obviously applies to data transfers with the US, it also has wider implications for transfers to any country outside the EU (third countries).