How to Comply with International Transfers – The Regulatory Guidance Overview on the “Schrems II” Decision

EDPB and data protection authorities’ views and statements on the “Schrems II”- decision by the CJEU

 On 16 July, 2020, the European Court of Justice (“CJEU“) passed a decision invalidating the EU-US Privacy Shield and calling into question the Standard Contractual Clauses (“SCCs“) (judgement C-311/18 – “Schrems II“). The shockwaves of the decision were felt worldwide and companies are now scrambling to make sense of sometimes conflicting guidance published by various EU supervisory authorities.

On 23 July, the European Data Protection Board, a body composed of representatives of the national data protection authorities, and the European Data Protection Supervisor, and tasked with ensuring the consistent application of the General Data Protection Regulation (“GDPR”)(“EDPB”)adopted FAQs on the decision that were published on 24 July. The EDPB stated that the FAQs “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB provided that the FAQs will be updated, and further guidance will be provided, as it continues to examine and assess the judgment of the CJEU. We summarize below the key guidance in the current FAQs and further guidance provided by other supervisory authorities and explain what action items to take. For more details on the Schrems II decision and our initial analysis, see our previous blog post.

Core findings of the Schrems II decision

The core findings of the Schrems II decision are:

  • The Privacy Shield is invalid with immediate effect and there is no grace period.
  • The SCCs remain valid. However, when relying on the SCC, the data exporter and data importer must ensure a level of protection essentially equivalent to that guaranteed by the GDPR. This means that – in addition to concluding the SCCs – it is now necessary to conduct an assessment of the risk the personal data may face when being transferred outside the EU based on the SCCs. Following such a risk assessment, it may be necessary to implement supplementary measures to protect the data and/or to cease transferring the data.

Summary of the FAQs

Not surprisingly, the EDPB did not (yet) provide solutions for the transfer of personal data to countries outside the EU and instead presented its views on the interpretation and scope of the judgement. The FAQs provide the following guidance:

  • There is no grace period for companies to continue to rely on the Privacy Shield. Before continuing data transfers to the United States, companies must assess whether or not an essentially equivalent level of protection is ensured.
  • The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not a transfer of personal data to the U.S. based on the SCCs is permitted therefore depends on the result of an assessment as to whether or not an essentially equivalent level of protection is ensured, taking into account the specific circumstances of each data transfer and any supplementary measures put in place. This assessment has to be taken into account for any transfer of personal data to the United States.
  • If an essentially equivalent level of protection taking into account any possible supplementary measures cannot be guaranteed for a transfer of personal data to the U.S. and the data transfer cannot be justified on basis of derogations under Art. 49 GDPR, the data transfer must be immediately suspended or ended. If a service provider located in the U.S. is used, the data exporter must forbid the transfer of personal data to the U.S.
  • If a data transfer to the U.S. will be continued regardless of a negative risk assessment, the competent supervisory authority must be notified.
  • The EDPB’s guidelines on data transfers on the basis of Art. 49 remains applicable. The EDPB emphasized that data transfers for the performance of a contract must be occasional and can therefore not be used to legitimize regular data transfers when, for example, a company in the US regularly collects data from individuals in the EU.
  • The threshold of “essential equivalence” set by the CJEU also applies to other safeguards under Art. 46 GDPR, namely the binding corporate rules (BCR).
  • The EDPB is still analyzing what kinds of supplementary measures could be provided in addition to the SCCs and the binding corporate rules, whether legal, technical or organizations, and will provide further guidance. However, the EDPB also emphasized that it is the primary responsibility of the data exporter and data importer to comply with the requirements set by the CJEU.
  • The requirements set by the CJEU for data transfers to the U.S. also apply to data transfers to other third countries.
  • Companies will need to revisit data processing agreements with service providers to check whether sub-processors located in third countries are involved in processing and, if so, analyze the circumstances of the transfers and the supplementary measures that can be put into place

Initial reactions and views of supervisory authorities

The EU supervisory authorities had a wide range of initial reactions to the Schrems II decision.

While the CJEU clearly stated that the Privacy Shield is invalid with immediate effect, the UK Information Commissioner’s Office (“ICO”) for example initially recommended that companies continue using the Privacy Shield until further notice. The Data Protection Commissioner in Ireland found all data transfers to the U.S. to be questionable as did the supervisory authorities of Berlin, Hamburg and Rhineland-Palatinate in Germany. On 27 July, the ICO published an updated statement that now aligns with the EDPB’s FAQs. On 28 July 2020, the conference of the German data protection supervisory authorities, DSK, published a separate statement that largely follows the EDPB’s FAQs.

A representative from the Bavarian data protection authority provided specific and business-friendly guidance.

According to the Bavarian DPA representative, companies should immediately:

  • Identify international data transfers; and
  • Assess whether the laws and regulations in the country of the data recipient provide for an essentially equivalent level of data protection. The Bavarian DPA indicated that if data was physically stored in Europe and only remotely accessed by a third-country service provider, this could lead to a different assessment as if the data were permanently stored in that country.

The Bavarian data protection authority also clarified that, as contractual obligations do not bind the foreign authorities, supplementary measures will likely have to be technical or organizational in nature (e.g., encryption).

The Bavarian DPA also indicated that, to the extent data transfers fall within the scope of Sec. 702 Foreign Intelligence Surveillance Act and/or E.O. 12333, it may be difficult to rely on an Art. 46 GDPR-mechanisms in general, which affects not only the SCC but also the binding corporate rules, so that any assessment regarding data transfers to the U.S. should consider the applicability of these laws.

While it is disputed amongst the supervisory authorities whether the Schrems II requirements also need to be observed for data transmissions under Art. 49 GDPR, the Bavarian DPA takes the view that there are good arguments that this is not the case.

What to expect and what to do

 Companies should immediately identify relevant cross-border data transfers, carry out any necessary risk assessments and, if needed, adopt supplementary measures to help ensure the protection of personal data or consider stopping the transfers altogether.

While there is technically no grace period, if companies immediately commence risk assessments and remediate any identified shortfalls, regulators may take a favorable view of such actions in the context of any enforcement action.

A good starting point to assess whether the country of the recipient provides for an essentially equivalent level of data protection would be to request the service provider/counter party to fill out a questionnaire. The questionnaire should include questions aimed at identifying the extent to which data importers are (or could be) subject to security and other official access measures. The privacy organization of Max Schrems (noyb – European Center for Digital Rights) has already published a draft questionnaire that can be used as a starting point. The questionnaires can be found here (questionnaire for U.S.-based data importers) and here (questionnaire for EU providers with U.S. ties).

Companies should also be on the watch for further guidance by the competent supervisory authority and the EDPB.