On the 23 July 2020, the European Data Protection Board (EDPB) adopted FAQs on the Schrems II judgment. The FAQs provide answers to questions received by EU data protection authorities (DPAs) and will be developed and complemented by the EDPB in due course.
In brief, the EDPB clarifies:
No grace period – The Court of Justice of the European Union (CJEU) has invalidated the Privacy Shield with immediate effect. The judgment does not provide any grace period during which companies can keep transferring personal data to the US without assessing the legal basis for the transfer.
Use of SCCs for EEA-US transfers – US law (i.e. Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data to the US based on the Standard Contractual Clauses (SCCs) will depend on the result of your adequacy assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures, along with SCCs, would have to ensure that US law does not impinge on the adequate level of protection they guarantee.
Supplementary measures – The EDPB is analysing the CJEU’s judgment to determine the kind of supplementary measures that could be provided, whether legal, technical, or organisational, to transfer data to third countries, where SCCs or BCRs will not provide the sufficient level of guarantees on their own. The EDPB will provide guidance on these supplementary measures in due course.
Use of Binding Corporate Rules (BCRs) for EEA-US transfers – The threshold set by the CJEU in respect of SCCs applies to all appropriate safeguards under Article 46 GDPR, including the BCRs. Accordingly, whether or not you can transfer personal data to the US on the basis of the BCRs will depend on the result of your adequacy assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
Duty to notify DPAs – If the controller intends to keep transferring personal data, despite concluding that the SCCs or BCRs, and any possible supplementary measures, do not provide a level of protection essentially equivalent to that guaranteed within the EEA, it must notify the competent DPA.
Use of SCCs or BCRs for transfers to other third countries – SCCs as a rule can still be used to transfer data to a third country, and the threshold set by the CJEU for transfers to the U.S. applies for any third country. The same goes for BCRs.
Article 49 Derogations – It is still possible to transfer data from the EEA to the US on the basis of the derogations in Article 49 GDPR, provided the conditions therein apply. However, use of the derogations should be the exception rather than the rule; restricted to specific situations, and the transfer must meet the ‘necessity test’ (when relying on the derogations in Article 49 (1)(b)-(f)).
Responsibilities of data exporters/importers and DPAs – It is the primary responsibility of data exporters and importers to assess themselves that the legislation of the third country of destination enables the importer to comply with the SCCs or BCRs, before transferring personal data to that third country. However, the DPAs will also have a key role to play when enforcing the GDPR and when issuing further decisions on transfers to third countries. As invited by the CJEU, in order to avoid divergent decisions, the DPAs will work further within the EDPB “in order to ensure consistency, in particular if transfers to third countries must be prohibited”.
Renegotiation of controller/processor agreements signed under Article 28 GDPR – Controller/processor contracts concluded in accordance with Article 28.3 GDPR must provide whether transfers to third countries are authorised or not. The EDPB highlight that, if data is being transferred to a third country, and the transfer tools and supplementary measures cannot ensure that the third country’s laws do not impinge on the essentially equivalent level of protection afforded in the EEA, and the Article 49 derogations do not apply, then controllers may need to negotiate an amendment or supplementary clause to their contracts with processors to forbid transfers to that third country.