(This blog post summarizes Wim Nauwelaerts’ (Alston & Bird), Early EDPB Guidance in the Wake of Schrems II – Where E.U.-U.S. Data Transfers Are Headed, Cybersecurity Law Report, Aug. 5, 2020)
On July 23, 2020, the European Data Protection Board (EDPB) adopted its first set of guidelines on the Schrems II judgment of the Court of Justice of the European Union (CJEU).
In Schrems II, the CJEU analyzed two data transfer “mechanisms” to transfer personal data from the E.U. to third countries or international organizations.
The CJEU decided to invalidate the European Commission’s decision based on which the E.U.-U.S. Privacy Shield regime was created in 2016. Via that decision, the European Commission allowed personal data to be transferred to businesses in the U.S. that certified to the Privacy Shield and committed to protect that data in accordance with the Privacy Shield principles.
On the other hand, the CJEU found that there was no reason to call into question the validity of the Standard Contractual Clauses (SCCs). However, the CJEU added that organizations relying on SCCs must ensure that data subjects whose personal data are transferred to a third country pursuant to the SCCs are afforded a level of protection essentially equivalent to that guaranteed within the E.U. by the GDPR. To that end, those organizations must assess the level of protection afforded in the context of such a transfer. In particular, they must consider both the parties’ contractual obligations under the SCCs and, with regard to any access by public authorities in the country of the ‘data importer,’ the relevant aspects of the legal system of that country.
Scope of the Guidance
The EDPB Guidance addresses businesses’ most urgent issues by way of frequently asked questions (FAQs). In doing so, the EDPB has favored speed over substance, although it has committed to further developing and complementing the guidance in the (near) future.
The FAQs focus on E.U.-U.S. data transfers and how these are affected going forward in light of the CJEU’s ruling in Schrems II. They primarily discuss the ruling’s implications for data transfers based on the E.U.-U.S. Privacy Shield and the European Commission’s SCCs. In addition, the EDPB provides insight on what the CJEU judgment means for the use of other data transfer tools and the so-called “derogations” in Article 49 of the GDPR.
Highlight: Data Transfer Assessments
The EDPB reiterates that the parties to the SCCs have to assess, on a case-by-case basis and taking the specific data transfer into account, whether the contractual safeguards and the level of data protection that they provide are respected in the third country of destination. The data importer must inform the data exporter of any inability to comply with the SCCs and any supplementary measures that the parties have implemented in support of the SCCs’ safeguards.
The EDPB takes the view that the supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that the law of the country of destination does not impinge on the adequate level of protection that the SCCs guarantee.
The EDPB indicates that it is looking further into what these supplementary measures could entail and that more guidance on this will follow. It is expected that companies will consider whether additional legal (i.e., contractual), technical or organizational measures are needed to transfer data to third countries where SCCs on their own will not provide a sufficient level of guarantee. Among the technical measures to be considered, encryption of data in transit and/or at rest as well as anonymization may be able to mitigate concerns about unrestricted access to personal data transferred from the E.U.
The EDPB further clarifies that when data exporters – with the help of their data importers – reach the conclusion that the SCCs’ appropriate safeguards would not be ensured, the transfer of personal data outside of the E.U. must be suspended or ended. If they intend to keep transferring the data, they must notify the relevant data protection authority.
The EDPB has indicated that its guidance is dynamic, and that it intends to publish updates and supplemental guidelines in the weeks and months to come. Although the current guidance leaves many open questions, it is clear that the EDPB is urging all data transferring businesses to carefully consider their legal position as well as the need for any additional compliance steps. For companies that relied on the Privacy Shield, switching to an alternative data transfer tool may be inevitable. Businesses that want to continue using the SCCs for transferring personal data outside of the E.U. will be well advised to conduct data transfer assessments in accordance with the criteria determined by the CJEU and, where needed, adopt supplementary measures in support of the SCCs’ safeguards.