Today, 24th July, the EDPB provided further "guidance" on Schrems II, which it was hoped would bring more clarity on how the judgment now needs to be implemented by companies that transfer personal data to countries outside the EEA. The EDPB addresses important questions but still appears to struggle with the consequences of the Court's judgment. It is still in the process of analysing the kind of supplementary measures that may be provided in addition to SCCs or BCRs to ensure a sufficient level of guarantees.
Further to its initial statement on the Schrems II case of the CJEU (Court of Justice of the European Union Judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland and Maximillian Schrems on 16th July 2020), the European Data Protection Board ("EDPB") has now adopted further statements in the form of FAQs. The EDPB stressed that the ruling is a 'living document', therefore not conclusive, and that further guidance will be provided. This is not surprising, since the FAQs do not provide real solutions.
What does the EDPB say?
The main takeaways are as follows:
- The EDPB confirmed that Standard Contractual Clauses ("SCCs") remain a possible basis for data transfers outside the EU/EEA but emphasised again that a transfer to the US can only be justified via SCCs if additional measures are taken to ensure a level of data protection equivalent to that offered in the European Union. If data exporters intend to keep transferring data outside the EU/EEA despite a negative result of the assessment, the EDPB reiterates the CJEU stance (in line with the provisions in the SCCs themselves) that they are required to notify the competent DPA. The EDPB suggests that controllers - which are mainly responsible - should contact their data importer to verify the legislation of its country and collaborate on its assessment. However, this seems merely to dodge the problem for now and does not provide a long-term solution.
- BCRs: The EDPB states that the CJEU’s assessment of the invalidity of the Privacy Shield also applies in the context of BCRs, since U.S. law (and other laws) will also have primacy over this tool. This means that a similar case-by-case assessment as that used for SCCs is required and the above requirements also apply for BCRs.
- Transfer Tools under Art. 46 GDPR: The EDPB will further assess the consequences of the judgment on transfer tools other than SCCs and BCRs (for example, codes of conduct). Stakeholders can expect further guidance on this point.
- Engagement of service providers outside the EU/EEA: Regrettably, the EDPB does not provide any helpful guidance on what measures need to be taken for transfers outside of the EEA, notably when companies rely on external service providers in the US or in another third country for processing data. This is the most disappointing part of the FAQ. The EDPB considers that it is up to companies to assess which supplementary measures they can put in place and whether such supplementary measures - following a case-by-case analysis - can ensure that US law, or the law of another importing country, does not impinge on the adequate level of protection. The EDPB also underlines that where the assessment reveals that such protection is not guaranteed, the company is required to stop or suspend the transfer. Companies and organisations are therefore required to find supplementary measures by themselves, pending future guidance from the EDPB. The EDPB, repeating the CJEU judgment, essentially requires companies to make an assessment that can sometimes take the Commission years. The EDPB states that it is still analysing what kind of supplementary measures could be provided in addition to SCCs or BCRs and hopes to provide more guidance on this in the future.
- Would derogations set out by Art. 49 GDPR (such as consent, or where the transfer is necessary for the performance of a contract) work? In its initial statement of 17 July 2020 following the Schrems II ruling, the EDPB simply referred to its previous guidelines 2/2018 adopted on 25 May 2015, which provide that all these derogations can only be interpreted restrictively so that the exceptions do not become the rule. This time the EDPB appears to show a bit more flexibility on the use of consent as a basis for transfer. This would be in line with the CJEU ruling, which expressly referred to Art. 49 to state that there is no legal vacuum even if an adequacy decision such as the Privacy Shield is annulled and neither SCCs nor BCRs can be used. We recommend keeping a watching brief on the evolution of the EDPB's guidance on this point.
- No grace period: The EDPB clearly stated that any data transfer based on the Privacy Shield is illegal and that there will be no 'grace period' for data processing on this framework, since "the U.S. law assessed by the Court does not provide an essentially equivalent level of protection as in the EU". The authority further highlighted that this "[…] assessment has to be taken into account for any transfer to the U.S.". Therefore, the EDPB takes the view that implementation should start without delay. When Safe Harbor was invalidated a couple of years ago, DPAs granted a grace period, which also provided time for a political solution. Whilst the invalidation of the Shield is immediate (in fact, it has retrospective effect), many supervisory authorities will have discretion in the way they pursue their activities: it would be helpful if supervisory authorities made clear that, where possible, they will exercise discretion while companies promptly re-assess their data transfers. Some DPAs have made unofficial comments that they will "cease fire" until alternatives are clear and have issued more lenient guidance on this, whereas others seem to show less flexibility (as, for example, some recent statements by German DPAs seem to suggest). It is clear from the Guidelines that the EDPB is itself finding it difficult to be certain how to approach some aspects of the judgment: recognition that this is also true for business would be welcome.
During the last week, there were statements from DPAs suggesting that data transfers on the basis of SCCs and BCRs are no longer possible to certain countries such as the US, Russia and China (or are at least questionable). DPAs are clearly struggling to find a way to overcome the obstacles set by the CJEU. This comes at a time when political and practical solutions are needed and companies must be able to rely on clear guidance from authorities (it also means that recent guidance, e.g. on Art. 49 GDPR and on consent, needs to be reassessed in light of the judgment). It can only be hoped that the EDPB will determine supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational, to transfer data to third countries where SCCs or BCRs will not provide a sufficient level of guarantees on their own. Data exporters and importers should in any case closely monitor any further developments and announcements of the EDPB and local supervisory authorities and get a clear picture of their cross-border transfers and the respective safeguards.
This note was prepared Friday, 24th July, 2020.