EDPB issues initial guidance for cross-border data transfers in wake of Schrems II judgment
No grace period
28 July 2020
The much-awaited new Schrems decision was rendered by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, Case C-311/18).
Pursuant to the court's decision, personal data can no longer be lawfully transferred to the USA on the basis of the EU-US Privacy Shield programme. Moreover, although other legal instruments (such as the commonly used Standard Contractual Clauses (SCCs)) can still be used for international data transfers, additional and burdensome constraints now attach to them (see below).
Pending precise guidance from the data protection authorities on the consequences of this decision, the concrete actions to be taken remain uncertain for many operators. To avoid leaving them in the dark for too long, the European Data Protection Board (EDPB) has published a first set of responses in the form of FAQs.
The key takeaways are summarised below:
Immediate actions to be taken:
Stop / suspend all transfers made on the basis of the Privacy Shield.
There is no grace period authorising further transfers of data to the U.S. on the basis of the Privacy Shield. Concretely, all transfers based on the Privacy Shield must be stopped or suspended immediately. Should you wish to keep transferring data to the U.S., you will need to rely on one of the other safeguards identified under Article 46 of the GDPR, such as the SCCs.
Re transfers based on the SCCs or Binding Corporate Rules (BCRs)
Conduct a preliminary assessment to determine whether the third country concerned ensures an adequate level of protection, or whether the law of that country impinges on the effectiveness of the legal instrument relied on (e.g. SCCs or BCRs). This assessment should in principle be carried out on a case-by-case basis prior to any transfer (and also for existing transfers, if it has not already been done).
If the result of this assessment is that appropriate safeguards cannot be ensured, even with supplementary measures, operators will be required to suspend or end the transfer of personal data. If operators intend to keep transferring data despite this conclusion, they must notify the competent supervisory authority.
Re transfers based on the derogations of Article 49 of the GDPR
Make sure that the transfers strictly meet a series of specific conditions. For instance, when the transfer is:
- based on the individual’s consent, such consent must be explicit, specific, and informed (particularly as to the possible risks of the transfer).
- necessary for the performance of a contract between the individual and the controller, the transfer should be occasional.
- necessary for important reasons of public interest, the EDPB recalls that the essential requirement of this derogation is the important public interest (not the nature of the organisation).
More generally, transfers based on article 49 of the GDPR must be restricted to specific situations and meet the strict necessity test.
Re transfers made under agreements entered into with a data processor in accordance with Article 28.3 of the GDPR:
If the transfer of data is subject to the controller's prior consent, the controller must carry out the assessment described above for transfers based on SCCs or BCRs before accepting such a transfer.
If the contract signed in accordance with Article 28.3 GDPR indicates that data may be transferred to the U.S. or another non-EEA country, and neither supplementary measures can ensure that local law does not impinge on the "essentially equivalent" level of protection provided by the transfer tools, nor do the derogations under Article 49 GDPR apply, the EDPB indicates that the only solution is to negotiate an amendment or supplementary clause forbidding transfers to that country. Data must then be processed elsewhere than in the U.S. or the third country concerned.
Upcoming guidance of the EDPB and data protection authorities
The EDPB indicates that it will further analyse the decision of the CJEU:
- to assess the consequences of the CJEU's decision on transfer tools other than SCCs and BCRs;
- to identify supplementary measures (e.g. legal, technical or organisational measures) that could be provided in addition to SCCs or BCRs in order to transfer data to third countries where SCCs or BCRs alone would not provide a sufficient level of guarantees.
The EDPB underlines that data protection authorities have a key role in enforcing the GDPR, in particular when issuing further decisions on transfers to third countries. Accordingly, as invited by the CJEU, the data protection authorities will work within the EDPB to ensure consistency, in particular where transfers to third countries must be prohibited.
It is to be hoped that the forthcoming EDPB guidance will enable companies to take practical steps, as they are already subject under the GDPR to strong accountability obligations and preliminary assessment requirements (e.g. balancing test, compatibility test, data protection impact assessment).