On 23 July 2020, the European Data Protection Board (EDPB) released a FAQ on the consequences of the CJEU’s judgment of 16 July 2020 (Schrems II).
This judgment invalidates the Privacy Shield, an EU-US data transfer mechanism, and conditions the validity of the Standard Contractual Clauses (SCCs), another transfer mechanism, on a prior analysis of the level of protection provided by the third country recipient and the implementation of additional measures where necessary.
This FAQ provides a glimpse of the position of the Authorities following the CJEU decision, which calls into question the possibility of transferring personal data to the US. However, the EDPB remains relatively unspecific, as it is currently working on more detailed guidance that should be released shortly.
As for now, the EDPB considers that:
- Organisations should suspend data transfers to the U.S., or notify their Supervisory Authority if they intend to keep on transferring the data, if it is not possible to either (i) provide supplementary measures to ensure that US law does not affect the effectiveness of the SCCs or BCRs (or codes of conduct/certifications), or (ii) rely on derogations under Article 49 GDPR;
- Organisations should also verify the legislation of the third country to which they intend to transfer personal data to check if it is compliant with the requirements of the Court. If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.
We provide a summary of the FAQ below. For a full reading of the FAQ, click here.
What did the Court rule in its judgment?
In its judgment, the Court first considered the European Commission’s Decision 2010/87/EC on SCCs valid. However, the Court upheld the SCCs decision only on the ground that it provides effective mechanisms enabling the suspension of the transfer where the data importer cannot comply with the SCCs. Therefore, even though it validates the use of SCCs to frame international data transfers, the Court does not necessarily authorise transfers of data to the US based on SCCs.
The Court also declared the Privacy Shield Decision (Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield) invalid for the following reasons:
- US laws, in particular intelligence programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S., are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law; and
- This legislation does not grant data subjects actionable rights before the courts against the U.S. authorities (see here for a full analysis of the decision).
What should organisations do now if they were transferring data to US data recipients adhering to the Privacy Shield?
Any transfer of data to the US on the basis of the Privacy Shield is now illegal with immediate effect. Organisations should find other transfer mechanisms on which to rely. (However, there is no clear response to this question yet, see below).
Can I still transfer data to the US on the basis of the SCCs or the BCRs?
The Court found that US law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.
This assessment applies to both SCCs and BCRs, since U.S. law will also prevail over this tool.
According to the EDPB, if an organisation wishes to keep on transferring data to the US, it will need to check whether it can do so under the conditions laid down below.
- The data exporter must conduct an assessment of the level of protection provided by the third country recipient, taking into account the circumstances of the transfers, and supplementary measures that could be implemented; and
- The supplementary measures together with the SCCs or BCRs would have to ensure that US law does not impinge on the adequate level of protection they guarantee. However, we do not know what these measures could consist of as the EDPB is currently working on it.
If, as the result of the assessment, the data exporter concludes that it cannot implement appropriate safeguards, it is required to suspend or end the transfer of personal data. However, if the data exporter intends to keep on transferring data despite this conclusion, it must notify its competent supervisory authority.
Comments: In practice, we believe that as of now, and unless the EDPB finds appropriate measures, most data transfers to the US are now illegal regardless of the transfer mechanism used by the organisation, except when a derogation under Article 49 applies. However, it is difficult to take the decision to suspend transfers to the US, as most EU companies rely on US tech companies (AWS, Microsoft, etc.) to run their business.
Can I continue to use SCCs or BCRs to transfer data to another third country than the US?
The SCCs can still be used to transfer data to a third country.
However, the threshold set by the Court for transfers to the U.S. applies to any other third country. The same applies to the BCRs. Therefore, the response provided above for US transfers is also relevant here.
Organisations should, if not already done, identify the countries to which they transfer data (remote access included) and verify, for each country, the level of protection it provides and the risk that their transfer mechanisms may not be effective.
Comments: Given the assessment made by the CJEU regarding US law (see here), it may prove very difficult for an organisation other than judicial/public authorities to obtain the information necessary for conducting a proper assessment of the level of protection provided by a specific country.
Although there is no official position on this matter, we may presume that countries seen as functioning under an authoritarian or non-democratic system have laws rendering the provisions of the SCCs or BCRs ineffective (e.g. China, Russia, North Korea, etc.).
Can I rely on one of the derogations of Article 49 GDPR instead?
It is still possible to transfer data from the EEA to the U.S. on the basis of the derogations provided for in Article 49 GDPR.
However, the EDPB recalls that data exporters should rely on derogations only in specific situations, and each data exporter needs to ensure that the transfer meets the strict necessity test, so that the derogation does not become the rule.
The EDPB also recalls that, even though the GDPR does not always explicitly require the transfer to be occasional, controllers should not rely on derogations when the transfer takes place on a large scale and in a systematic manner.
Furthermore, relying on explicit consent entails that consent must be specific, informed, unambiguous, and freely given, and controllers must provide additional information about the risk.
Where the transfer is necessary for the performance of a contract, the transfer must be occasional, and it must objectively be necessary for the performance of the agreement between the data subject and the controller (i.e., it should not take place merely because of the controller’s own organisation).
What can I do to keep using the services of my processor if the contract signed in accordance with Article 28.3 GDPR indicates that data may be transferred to the U.S. or to another third country?
If data may be transferred to the US and neither supplementary measures can be provided nor derogations under Article 49 GDPR apply, organisations should negotiate an amendment to their service agreement to forbid transfers to the US. Data should not only be stored but also administered elsewhere than in the US.
If data may be transferred to another third country, organisations should verify the legislation of that third country to check whether it is compliant with the requirements of the Court and with the expected level of protection of personal data. If the data exporter does not find a suitable ground for transfers to a third country, such transfers (including remote access) should not take place.