Following the judgement of the Court of Justice of the European Union in the recent Schrems II case, the European Data Protection Board (the EDPB) has now published a FAQ document to provide clarification and guidance on the landmark decision.
The judgement in Schrems II earlier this month famously struck down the EU-US Privacy Shield, and in doing so called into question the validity of other data transfer mechanisms. The FAQ document has therefore come as a welcome relief to those currently trying to decipher the true impact of this unexpected judgement. We have commented on the main take-aways from the FAQ document below:
The use of the EU-US Privacy Shield is now unlawful
The EDPB has confirmed that there is no grace period for data exporters to continue to rely on the EU-US Privacy Shield to export data to the US. Transfers relying on the EU-US Privacy Shield are not compliant with data protection law and, by the strict letter of the law, should cease immediately. However, on a pragmatic level, it’s unlikely that any large-scale enforcement action will be taken against organisations that continue to rely on the Privacy Shield in the short term while seeking an alternative transfer mechanism. It is, however, important that organisations take immediate action to identify any EU-US data transfers that relied on the Privacy Shield and consider how to address these now non-compliant data exports.
Organisations should check whether they can rely upon another data transfer mechanism available under GDPR
The EDPB has confirmed that organisations may rely on the appropriate safeguards available under GDPR to transfer data to the US. These include:
(a) Appropriate transfer safeguards under Article 46 of GDPR
The EDPB reinforced that, post-Schrems II, transfer mechanisms under Article 46 of GDPR, most commonly Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), remain valid. However, it was also reinforced that prior to transferring any data to the US (or any other third country) under an appropriate safeguard mechanism (such as SCCs or BCRs), the data exporter must conduct an assessment to confirm that the data importer can comply with the obligations imposed on it under the new transfer arrangement. The data controller would be required to assess whether any of the third country’s local laws or surveillance practices by public bodies would impact the data importer’s ability to discharge its obligations under the transfer mechanism.
(b) Derogations under Article 49
The EDPB advised that organisations may be able to rely on one of a number of derogations provided under Article 49 of the General Data Protection Regulation (GDPR). These derogations permit the transfer of data to third countries, including the US, in certain situations, including where a data subject has consented to the transfer and where the transfer is necessary for the performance of a contract between the data subject and the data controller. Consideration has to be given to the practical implications of relying on a derogation. For example, if a transfer is carried out under the lawful basis of consent, that consent must be explicit and informed. Organisations relying on consent should acknowledge that there is a risk that consent can be withdrawn. Further, consent would not be appropriate where it is sought by an employer from an employee, as it might not be freely given due to the imbalance of power between the two parties.
It should be noted that the requirement to assess the potential risks of transfers to third countries is not new. However, the Schrems II decision has reignited focus on this issue in relation to all transfers of data to any third country. Indeed, it’s likely that there will be a higher compliance threshold for these transfers and more pressure on data controllers to demonstrate that they’ve carried out thorough due diligence to confirm that data importers can and will provide a level of data protection equivalent to that of the EU. The EDPB does not shed any light on how this should be achieved in practice, but does confirm that it will provide further guidance on this.
Reliance on SCCs on a ‘case-by-case’ basis
In relation to SCCs, the EDPB advised that organisations transferring personal data on the basis of Standard Contractual Clauses (SCCs) must take into account the circumstances of those transfers on a case-by-case basis and, where necessary, put in place supplementary measures to ensure a safe transfer. What this means in practice is that organisations seeking to rely on SCCs to transfer personal data to the US and other third countries should review, on a case-by-case basis, whether SCCs can be relied upon to provide adequate protection, taking into account relevant aspects of the third country’s legal system which may conflict with EU requirements. Data exporters would need to work with the data importer to ensure that it can address all the provisions within the SCCs, carry out due diligence on the legal system of the third country to which data will be exported, and understand to what extent the importer is bound by those laws. As with a data protection impact assessment, the due diligence would need to be documented to show how adequacy (or otherwise) was determined and to demonstrate accountability under GDPR.
No adequate transfer mechanism available
If no appropriate mechanism for transfer to the US (or another third country) can be guaranteed, the EDPB advised that organisations would need to suspend or end the transfer of personal data. The EDPB has, however, confusingly stated that should an organisation intend to keep transferring data despite a negative assessment of the data importer’s data protection compliance, it must notify its Supervisory Authority, which in the UK’s case would be the ICO. The ICO has not yet indicated the action it would take in these circumstances, but it has advised that it will continue to take a risk-based and proportionate approach to regulatory enforcement.
Contracts must be amended to prohibit transfers outside the EEA if data cannot be adequately protected
The EDPB has suggested that if an organisation has signed a contract with a processor in accordance with Article 28(3) of the GDPR, and that contract implies that data may be transferred outwith the EEA, either to the US or another third country, then the contract would need to be reviewed. If the organisation is not able to ensure that the data transfers would comply with the guidance set out above, then the organisation should negotiate with the processor to amend the contract to forbid the transfers, and all processing should move to within the EEA.
Insight from Morgan O’Neill, Director of Data Protection Services. If you have any further queries, please contact Morgan or Loretta Maxfield on 03330 430350, or by emailing moneill@thorntons-law.co.uk or lmaxfield@thorntons-law.co.uk.