On July 24, 2020, the European Data Protection Board (the “EDPB”) published a set of Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid, but it struck down the EU-U.S. Privacy Shield framework. With its FAQs, the EDPB sought to provide responses to some of the many questions organizations are asking in the aftermath of the Schrems II ruling.
The key takeaways from the FAQs are:
- The CJEU’s assessment of U.S. law must be taken into account for any transfers of personal data to the U.S., irrespective of the transfer mechanism used. Accordingly, when transferring personal data to the U.S. based on SCCs or Binding Corporate Rules (“BCRs”), a transfer adequacy assessment must be conducted to determine whether appropriate safeguards can be ensured, taking into account the circumstances of the transfers and the supplementary measures that can be put in place. If the conclusion of the transfer adequacy assessment is that appropriate safeguards cannot be ensured when transferring the data, companies must suspend or end the transfers. Companies that, despite the conclusion of the assessment, intend to continue transferring data must notify their competent supervisory authorities (“SAs”).
- There is no grace period for companies that relied on the EU-U.S. Privacy Shield framework during which they can continue transferring data to the U.S. without assessing the legal basis relied on for those transfers. Transfers based on the EU-U.S. Privacy Shield framework are now, according to the EDPB, illegal.
- The EDPB will evaluate the impact of the CJEU’s judgment on alternative transfer mechanisms available under Article 46 of the EU General Data Protection Regulation (the “GDPR”), such as approved codes of conduct and certification mechanisms.
- Companies can rely on the derogations set forth under Article 49 of the GDPR, provided that the conditions as interpreted by the EDPB in its guidance on Article 49 of the GDPR are met. When transferring personal data based on individuals’ consent, such consent should be explicit, specific to the particular data transfer(s) and informed, particularly regarding the risks of the transfer(s). In addition, transfers of personal data that are necessary for the performance of a contract should only take place occasionally. Further, in relation to transfers necessary for important reasons of public interest, the EDPB emphasizes the need for an important public interest, as opposed to only focusing on the nature of the transferring organization. According to the EDPB, transfers based on the public interest derogation cannot become the rule and must be limited to specific situations and to a strict necessity test.
- With respect to transfers of personal data to a country other than the U.S. based on SCCs or BCRs, the EDPB stated that the threshold set by the CJEU for transfers to the U.S. also applies (i.e., it is the data exporter’s and data importer’s responsibility to assess whether the level of protection in the country of destination meets the level required by EU law and whether the laws of that country enable the data importer to comply with the SCCs or BCRs). If that is not the case, supplementary measures must be taken to ensure a level of protection essentially equivalent to that provided under the GDPR. The EDPB indicated that it will work with SAs to ensure consistency, in particular in their decisions to prohibit transfers to third countries.
- The type(s) of supplementary measures (whether legal, technical or organizational) companies should envisage putting in place when using SCCs or BCRs to transfer personal data to third countries should be assessed on a case-by-case basis, taking into account all the circumstances of the transfer and in light of an assessment of the country of destination’s law. The EDPB underscored the fact that it is the obligation of the data exporter and data importer to undertake this assessment, but indicated that it will provide further guidance on this point.
- Companies should verify whether the processors they use (and their respective sub-processors) transfer data to the U.S. If that is the case and such transfers are not considered adequate (because supplementary measures cannot be provided or because no derogations under Article 49 of the GDPR apply), companies must re-negotiate their contracts to forbid transfers to the U.S. The same applies to transfers to processors located in other third countries that do not meet the requirements set forth in the Schrems II ruling.