July 29, 2020
EDPB and data protection authorities' views and statements on the "Schrems II" decision by the CJEU
On 16 July 2020, the European Court of Justice ("CJEU") handed down a decision invalidating the EU-US Privacy Shield and calling into question the Standard Contractual Clauses ("SCCs") (judgement C-311/18 – "Schrems II"). The shockwaves of the decision were felt worldwide, and companies are now scrambling to make sense of the sometimes conflicting guidance published by various EU supervisory authorities.
On 23 July, the European Data Protection Board (“EDPB”), a body composed of representatives of the national data protection authorities and the European Data Protection Supervisor and tasked with ensuring the consistent application of the General Data Protection Regulation (“GDPR”), adopted FAQs on the decision, which were published on 24 July. The EDPB stated that the FAQs “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB indicated that the FAQs will be updated, and further guidance will be provided, as it continues to examine and assess the judgment of the CJEU. We summarize below the key guidance in the current FAQs and the further guidance provided by other supervisory authorities, and explain what action items to take. For more details on the Schrems II decision and our initial analysis, see our previous blog post.
Core findings of the Schrems II decision
The core findings of the Schrems II decision are:
Summary of the FAQs
Not surprisingly, the EDPB did not (yet) provide solutions for the transfer of personal data to countries outside the EU and instead presented its views on the interpretation and scope of the judgement. The FAQs provide the following guidance:
Initial reactions and views of supervisory authorities
The EU supervisory authorities had a wide range of initial reactions to the Schrems II decision.
While the CJEU clearly stated that the Privacy Shield is invalid with immediate effect, the UK Information Commissioner’s Office (“ICO”), for example, initially recommended that companies continue using the Privacy Shield until further notice. The Data Protection Commissioner in Ireland found all data transfers to the U.S. to be questionable, as did the supervisory authorities of Berlin, Hamburg and Rhineland-Palatinate in Germany. On 27 July, the ICO published an updated statement that now aligns with the EDPB’s FAQs. On 28 July 2020, the conference of the German data protection supervisory authorities (DSK) published a separate statement that largely follows the EDPB’s FAQs.
A representative from the Bavarian data protection authority provided specific and business-friendly guidance.
According to the Bavarian DPA representative, companies should immediately:
The Bavarian data protection authority also clarified that, because contractual obligations do not bind foreign authorities, supplementary measures will likely have to be technical or organizational in nature (e.g., encryption).
The Bavarian DPA also indicated that, to the extent data transfers fall within the scope of Sec. 702 of the Foreign Intelligence Surveillance Act and/or E.O. 12333, it may be difficult to rely on Art. 46 GDPR mechanisms in general, which affects not only the SCCs but also binding corporate rules, so any assessment of data transfers to the U.S. should consider the applicability of these laws.
While it is disputed among the supervisory authorities whether the Schrems II requirements also need to be observed for data transfers under Art. 49 GDPR, the Bavarian DPA takes the view that there are good arguments that this is not the case.
What to expect and what to do
Companies should immediately identify relevant cross-border data transfers, carry out any necessary risk assessments and, if needed, adopt supplementary measures to help ensure the protection of personal data or consider stopping the transfers altogether.
While there is technically no grace period, if companies immediately commence risk assessments and remediate any identified shortfalls, regulators may take a favorable view of such actions in the context of any enforcement action.
A good starting point for assessing whether the recipient's country provides an essentially equivalent level of data protection is to ask the service provider/counterparty to fill out a questionnaire. The questionnaire should include questions aimed at identifying the extent to which data importers are (or could be) subject to security and other official access measures. The privacy organization of Max Schrems (noyb - European Center for Digital Rights) has already published a draft questionnaire that can be used as a starting point. The questionnaires can be found here (questionnaire for U.S.-based data importers) and here (questionnaire for EU providers with U.S. ties).
Companies should also be on the watch for further guidance by the competent supervisory authority and the EDPB.