On July 17, 2020, the European Data Protection Board (‘EDPB’) published a statement on the outcome of the Schrems II judgment, passed by the Court of Justice of the European Union (‘CJEU’) the day before. The judgment invalidated the EU-U.S. Privacy Shield, and issued a number of clarifications and caveats on the use of Standard Contractual Clauses (SCCs).
In the statement, the EDPB acknowledged that the Privacy Shield is no longer available as a data transfer mechanism, and pointed out that the EU and U.S. authorities should create a new legal framework to replace it.
The EDPB also provided some insight into how companies should approach SCCs going forward. In particular, the EDPB noted that:
- When considering whether to enter into SCCs, it is primarily the responsibility of the data exporter and importer to assess whether the countries to which personal data is sent offer adequate protection.
- When performing such prior assessment, the exporter of the personal data (if necessary, with the assistance of the importer) must take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country.
- The examination of the latter must be done in light of the non-exhaustive factors set out under Art 45(2) of the EU General Data Protection Regulation (‘GDPR’).
Article 45(2) of the GDPR sets out criteria which the European Commission must take into account when assessing whether the laws of countries outside of the EEA ensure an adequate level of protection, with a view to making a ‘decision of adequacy’. Since the system of adequacy decisions was introduced by Directive 95/46/EC – the GDPR’s predecessor – the European Commission has performed only a handful of adequacy assessments, and the process takes two to three years on average. It appears unrealistic to expect that data controllers in the EEA, and in particular SMEs, assess the adequacy of the laws in “foreign” countries with the same rigor and intensity as the European Commission. Therefore, further guidance from the EDPB on this topic is going to be essential.
The EDPB did not provide significant further guidance on the use of the ‘derogations’ contained in Article 49 of the GDPR for transferring personal data outside of the EEA, which the CJEU appeared to propose as an alternative to the now-invalid Privacy Shield. Although the EDPB underlined that the derogations must be applied ‘on a case-by-case basis’, previous EDPB guidance emphasizes that the derogations can be relied on to cover occasional data transfers in exceptional circumstances only. Under the EDPB’s current guidance, regular, day-to-day transfers of personal data outside of the EEA cannot be justified on the basis of the derogations in Article 49 of the GDPR.