Roughly a week after the Court of Justice of the European Union’s (CJEU or Court) Schrems II decision was released, the European Data Protection Board (EDPB) published Guidance addressing some frequently asked questions received by Data Protection Authorities (DPAs). Key points from the EDPB’s Guidance include the following:
Implications on Other Transfer Mechanisms. The threshold set by the Court, requiring data exporters and data importers to verify, prior to any transfer, and taking into consideration the circumstances of the transfer, whether the level of protection afforded under the third country’s laws is essentially equivalent to that guaranteed within the EU, also applies to all legal cross-border transfer mechanisms under Article 46 of the GDPR. Additionally, the U.S. laws referenced by the Court, FISA Section 702 and Executive Order 12333, applies to any transfer to the U.S. via electronic means that falls under the scope of such laws, regardless of the transfer tool used for the transfer.
No Grace Period. There is no grace period during which EU companies may continue transferring data to the U.S. under the Privacy Shield. Transfers made on the basis of the Privacy Shield framework are now illegal.
Transfers Based on SCCs or BCRs. Whether a company can transfer data on the basis of Standard Contractual Clauses (SCCs) will depend on the result of the company’s assessment, taking into account the circumstances of the transfers and supplementary measures that can be put in place. The SCCs, together with any supplementary measures, must ensure that U.S. law does not impinge on the adequate level of protection that the SCCs and supplementary measures guarantee. If the assessment concludes that an adequate level of protection cannot be achieved, the transfer of data must end or be suspended. However, if the company intends to continue transferring data despite this conclusion, it must notify its competent DPA. A similar assessment should also be conducted relating to data transferred on the basis of Binding Corporate Rules (BCRs).
Article 49 Derogations. It is still possible to transfer data from the EU to the U.S. on the basis of derogations set forth under Article 49 of the GDPR. The Guidance specifically discusses the following derogations:
- Consent. Transfers based on the consent of the data subject should be (1) explicit; (2) specific for the particular data transfer or set of transfers; and (3) informed, particularly as to the possible risks of the transfer. The data subject should be informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented.
- Necessary for Contract Performance. The derogation allowing for transfers of data necessary for the performance of a contract between the data subject and the controller is limited to transfers that are occasional. It should be evaluated on a case-by-case basis whether data transfers are “occasional” or “non-occasional.”
- Necessary for Important Reasons of Public Interest. The essential requirement for the applicability of this derogation is the finding of an important public interest that is recognized in EU or Member State law. Although this derogation is not limited to data transfers that are “occasional,” this does not mean that data transfers under this derogation can take place on a large scale and in a systematic manner. Companies must comply with the general principle that Article 49 derogations should not become “the rule” in practice, but must be restricted to specific situations, and each data exporter must ensure that the transfer meets the strict necessity test.
Impact on Third Countries Other Than the U.S. SCCs as a rule can still be used to transfer data to a third country other than the U.S.; however, the threshold set by the Court for transfers of data to the U.S. also applies for transfers to any other third country. DPAs will have a key role to play when enforcing the GDPR and when issuing further decisions on transfers to third countries. In order to avoid divergent decisions, DPAs will further work within the EDPB to ensure consistency, in particular regarding whether transfers to specific third countries must be prohibited.
Supplementary Measures. The EDPB is currently analyzing the Court’s judgment to determine the kind of supplementary measures, whether legal, technical, or organizational measures, that may be provided in addition to SCCs or BCRs in order to ensure that an adequate level of protection is provided. The EDPB will continue looking into what such supplementary measures may consist of and will provide guidance in the future.
Processors that may Transfer Data to the U.S. Under the GDPR, the contract between a data exporter and a data importer (often a processor) must specifically assert whether transfers to third countries are authorized or not. Additionally, the data exporter must provide authorization for processors to use sub-processors to transfer data to third countries. If the Article 49 derogations don’t apply and supplementary measures are found to be insufficient, the only solution is to negotiate an amendment or supplementary clause to the contract to forbid transfers to the U.S.
For a deeper analysis of the Court’s reasoning in the Schrems II case see our previous blog post, which includes next steps for organizations. Fey, LLC will continue to monitor developments in the wake of the Schrems II decision. To ensure you do not miss any of our articles or alerts, you can follow our LinkedIn page here.
Eleazar Rundus, a third-year law student at the University of Kansas School of Law, contributed to this post. Mr. Rundus is a law clerk with Fey LLC.