The EDPB casts a glimmer of light on the Schrems II judgement
Since the Schrems II judgment was handed down (July 16, 2020), there has been a lot of speculation on how to manage relations with American suppliers.
The ruling states that:
- the Privacy Shield is invalid, as it is unable to guarantee a sufficient level of protection to European citizens whose data are processed in the United States, especially in relation to American public surveillance legislative instruments, which are excessive and disproportionate to the standards of EU law.
- The Standard Contractual Clauses (SCCs) - contained in the EU Commission Decision of 5 February 2010, amended in 2016 - although still valid, can only be used after a case-by-case assessment of whether adequate guarantees for the protection of personal data exist in the recipient's country, and after additional guarantees have been put in place if those provided by the standard clauses are not deemed sufficient.
This rule - certainly not easy and immediate to apply - applies to all non-EU transfers, not only to data flowing to the US.
The CJEU judgement is a bombshell.
After a week's discussion on possible solutions, a glimmer of light comes from the EDPB's FAQ document “Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems” (so-called Schrems II).
What should a company that transfers data to the US under Standard Contractual Clauses (SCCs) do?
The EDPB notes that the Schrems judgment found that US law (i.e. Section 702 FISA and EO 12333) does not guarantee an essentially equivalent level of protection to the EU.
As a result, the EU company will only be able to transfer personal data on the basis of SCCs after it has carried out - on a case by case basis - an assessment of the legislation of the country of destination and the level of protection of the legislation itself. If the analysis shows that the level of protection is lower than the European level, the company can introduce additional guarantee measures.
If it is concluded that, despite the supplementary measures, the same level of protection cannot be guaranteed as in the EU, the company will have to suspend or terminate the transfer of personal data. If the company intends to continue the transfer, it must notify the competent Data Protection Authority.
What should a company that transfers data to the USA under Binding Corporate Rules (BCRs) do?
As American law is a stronger legal instrument than BCRs, it will also be necessary to assess on a case-by-case basis the need for supplementary measures (in addition to BCRs) to raise the level of protection.
As mentioned above, if it is concluded that, even with the supplementary measures, it is not possible to achieve a level of protection that is essentially equivalent to that required under EU law, the transfer will have to be suspended. If this is not possible, the Data Protection Authority will have to be informed.
Can a company use the additional tools provided for in Article 46 of the GDPR for data transfer?
Article 46 of the GDPR provides that data can also be transferred through other tools, including binding instruments between public authorities, codes of conduct, certification mechanisms.
These instruments were not the subject of analysis in the Schrems II judgment and can therefore be used (in principle).
Nevertheless, in view of the broad scope of the judgment, EDPB has stated that it is also examining the consequences of the judgment on such instruments.
Can a company transfer data using the conditions set out in art. 49 GDPR?
Article 49 of the GDPR states that when there is no adequacy decision or it is not possible to apply the provisions of Article 46, data may be transferred under certain specific conditions (consent, performance of a contract, reasons of public interest, exercise of legal claims, vital interests of the data subject, public register).
The EDPB notes that it is possible to transfer data on the basis of the derogations foreseen in Article 49, provided that the requirements of Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 are complied with strictly.
Can a company continue to use the SCCs or the BCRs to transfer data to third countries other than the USA?
The EDPB specifies that the principles of the Schrems II judgment apply to all transfers outside the EU.
Therefore, it will be for the EU company transferring the data and the non-EU company receiving the data to assess whether the legislation of the third country guarantees the same level of protection as the EU, in order to determine whether the guarantees provided by the SCCs or BCRs can be respected in the country where the data are transferred. If not, an assessment will have to be made as to whether additional measures can be provided.
Contact should therefore be made with the data importer to verify the substance of their country's legislation and make a joint assessment.
If the level is not adequate, the transfer should be suspended or it may continue provided that the Data Protection Authority is notified.
The EDPB also specifies that Data Protection Authorities will exchange views at international level in order to avoid divergent decisions.
What additional measures can companies use?
The supplementary measures that may be introduced should be decided on a case-by-case basis, taking into account all the circumstances of the transfer and following an assessment of the law of the third country.
While acknowledging that it is the primary responsibility of the data exporter and data importer to carry out this assessment and to provide the necessary supplementary measures, the EDPB is currently analysing the Court's judgment to determine the type of measures that could be provided in addition to SCCs or BCRs, be they contractual, technical or organisational measures.
In essence, the EDPB is examining what these additional measures could consist of and will provide further guidance.
If the company uses a Data Processor, how does the company know if the Data Processor transfers data to the USA?
In this case, the EDPB suggests that the contents of the contracts entered into with the Data Processors pursuant to Art. 28 of the GDPR should be carefully checked to see where the data are actually transferred.
It is also necessary to verify who the sub-processors are and whether they have been formally authorised to process the data. The EDPB draws attention to the fact that a wide variety of computing solutions may involve the transfer of personal data to a third country (e.g. for storage or maintenance purposes).
If a contract pursuant to Art. 28 GDPR foresees a transfer to the USA or another third country, what should the company do?
If data are transferred to the US and no additional measures can be provided to ensure a level of protection substantially equivalent to that guaranteed in the EU, and none of the derogations in Article 49 GDPR apply, the only solution is to negotiate an amendment or additional clause to the contract to block transfers to the US.
Similarly, if data are transferred to another third country, the adequacy of the third country's level of protection must be verified and, if that level is not adequate, the transfer must be terminated.