EU: EDPB publishes FAQs following the Schrems judgment
The European Data Protection Board has published a set of Frequently Asked Questions (FAQs) to provide a preliminary assessment and some practical guidance on the transfer of personal data to third countries, including the U.S.
We provide an overview of the most relevant questions and consider how much clarity this provides for international data transfers.
The CJEU has invalidated the EU Commission’s decision approving the EU-U.S. Privacy Shield because U.S. intelligence agencies can access personal data relating to EU residents in ways that are incompatible with EU personal data protection laws and EU residents lack proper enforcement rights.
In addition, the CJEU ruled that the controller-processor Standard Contractual Clauses (SCCs), another widely used mechanism for international data transfers, remain valid. However, data exporters and importers must assess, prior to any transfer, the laws of the third country to which data is transferred to determine if those laws ensure an adequate level of protection of personal data (see The Schrems judgment – Transfer Impact Assessments for international data transfers?).
The EDPB has published its preliminary assessment and guidance related to this ruling through the FAQs. The document addresses a number of topics, including the implication of the judgment for other data transfer mechanisms, the immediate effect of the ruling and the absence of a grace period, the possibility to rely on other data transfer mechanisms, as well as practical recommendations to carry out transfers.
1. No grace period
The CJEU ruling applies with immediate effect. There will be no grace period during which organisations can remedy their Privacy Shield-based data transfers.
In contrast, when the US-EU Safe Harbor framework was invalidated in 2015, the Article 29 Working Party granted a grace period until an appropriate solution was found with the U.S. authorities. It did so via a statement dated 16 October 2015, stating no enforcement action would be taken until the end of January 2016. However, while there will be no EU-wide grace period, national supervisory authorities will still have discretion over when to take enforcement actions in their territory.
2. Transfer of personal data on the basis of SCCs to an importer in the U.S. requires prior assessment and supplementary measures
The FAQs do not preclude transfers to the U.S. Instead, they reflect the statements in the judgment that it may be possible to transfer personal data to the U.S. on the basis of SCCs being subject to a satisfactory prior assessment, taking into account the circumstances of the transfer and relevant supplementary measures.
The EDPB clarified that these supplementary measures would have to ensure that U.S. law does not impinge on the adequate level of protection guaranteed by the SCCs, following a case-by-case analysis of the circumstances surrounding the transfer.
If the data exporter concludes that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, the transfer of personal data should be suspended or ended. If the data exporter decides to keep transferring data despite this conclusion, it will need to notify the competent supervisory authority.
3. Implication for other transfer mechanisms including BCRs
The threshold set by the CJEU applies to all appropriate transfer mechanisms under Article 46 GDPR. U.S. law referred to by the CJEU (i.e., the Foreign Intelligence Surveillance Act and the Executive Order 12333) applies to any transfer to the U.S. via electronic means, regardless of the transfer mechanism used for such transfer.
In particular, the CJEU’s judgment applies in the context of binding corporate rules (BCRs), since U.S. law will also prevail over this cross-border data transfer mechanism. Similar to the SCCs, transfers taking place based on BCRs should be assessed and appropriate supplementary measures should be taken.
The EDPB states that it will further assess the consequences of the judgment on transfer mechanisms other than SCCs and BCRs (e.g., approved codes of conduct or certification mechanisms).
4. Derogations of Article 49 GDPR to transfer data to the U.S.
It is still possible to transfer data from the EU to the U.S. on the basis of the individual derogations listed in Article 49 GDPR, although they continue to apply only in limited and fact-specific cases. These include:
- Consent. However, the consent must be explicit, specific for the particular transfer and informed.
- Necessity for the performance of a contract between the data subject and the controller, provided that such a transfer is occasional.
- Necessity for important reasons of public interest, as recognised under EU or Member States’ law.
5. SCCs or BCRs to transfer data to a third country other than the U.S.
The EDPB confirms that SCCs may be used to transfer data to a third country. However, the requirements for transfers to the U.S. also apply to any third country transfers. The same goes for BCRs.
The data exporter and the data importer must assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, organisations should assess: (i) whether they can provide supplementary measures to ensure an “essentially equivalent” level of protection as provided in the EU; and (ii) if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness.
6. Supplementary measures to be implemented when using SCCs or BCRs to transfer data to third countries
At this early stage, the FAQs do not provide concrete information on the supplementary measures to be provided but merely note they will need to be assessed on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country. The purpose is to determine whether that law ensures an adequate level of protection.
The EDPB indicates that it is looking further into what supplementary measures, whether legal, technical or organisational, could be implemented to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.
7. Processors transferring data to the U.S. or other third countries
Data processor agreements executed in accordance with Article 28(3) GDPR should already specify whether or not international transfers are authorised (including transfers to sub-processors).
The EDPB stated that, where the processor is transferring personal data to the U.S., and no supplementary measures can be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection and no derogation under Article 49 GDPR applies, the only solution is to negotiate a contractual amendment forbidding the processor from transferring personal data to the U.S. The position is the same for transfers to other third countries.
The EDPB is expected to further develop and supplement these FAQs as it continues to examine and assess the CJEU ruling.
Data exporters and importers should closely monitor upcoming developments and guidance from the EDPB and national supervisory authorities, assess their existing cross-border transfers and consider implementing supplementary legal, technical or organisational measures in order to ensure they can continue to transfer personal data to third countries lawfully.
That being said, international data transfers will continue and organisations will no doubt take a risk-based approach to assessing the conditions under which these transfers occur. In that context, the principles set out in the judgment should be read in a balanced manner. One should distinguish the court’s findings in relation to transfers under the Privacy Shield, which relied on a general adequacy assessment covering any type of transfers, from the circumstances of a specific transfer relying upon the SCCs.
While doing nothing in response to the Schrems II decision is not an option, the judgment does leave organisations with some flexibility as to how they assess adequacy, in line with the accountability principle. This may include considering the nature, duration and purposes of transfers and the categories of data concerned and, overall, being smart about implementing security and other measures to mitigate any risk identified in the destination country.
By Tanguy Van Overstraeten and Ceyhun N. Pehlivan