How to Comply with International Transfers – The Regulatory Guidance Overview on the “Schrems II” Decision

July.29.2020

EDPB and data protection authorities' views and statements on the "Schrems II"- decision by the CJEU

On 16 July, 2020, the European Court of Justice ("CJEU") passed a decision invalidating the EU-US Privacy Shield and calling into question the Standard Contractual Clauses ("SCCs") (judgement C-311/18 – "Schrems II"). The shockwaves of the decision were felt worldwide and companies are now scrambling to make sense of sometimes conflicting guidance published by various EU supervisory authorities.

On 23 July, the European Data Protection Board, a body composed of representatives of the national data protection authorities, and the European Data Protection Supervisor, and tasked with ensuring the consistent application of the General Data Protection Regulation (“GDPR”)(“EDPB”) adopted FAQs on the decision that were published on 24 July. The EDPB stated that the FAQs “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB provided that the FAQs will be updated, and further guidance will be provided, as it continues to examine and assess the judgment of the CJEU. We summarize below the key guidance in the current FAQs and further guidance provided by other supervisory authorities and explain what action items to take. For more details on the Schrems II decision and our initial analysis, see our previous blog post.

Core findings of the Schrems II decision

The core findings of the Schrems II decision are:

The Privacy Shield is invalid with immediate effect and there is no grace period.

The SCCs remain valid. However, when relying on the SCC, the data exporter and data importer must ensure a level of protection essentially equivalent to that guaranteed by the GDPR. This means that – in addition to concluding the SCCs – it is now necessary to conduct an assessment of the risk the personal data may face when being transferred outside the EU based on the SCCs. Following such a risk assessment, it may be necessary to implement supplementary measures to protect the data and/or to cease transferring the data.

Summary of the FAQs

Not surprisingly, the EDPB did not (yet) provide solutions for the transfer of personal data to countries outside the EU and instead presented its views on the interpretation and scope of the judgement. The FAQs provide the following guidance:

There is no grace period for companies to continue to rely on the Privacy Shield. Before continuing data transfers to the United States, companies must assess whether or not an essentially equivalent level of protection is ensured.

The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not a transfer of personal data to the U.S. based on the SCCs is permitted therefore depends on the result of an assessment as to whether or not an essentially equivalent level of protection is ensured, taking into account the specific circumstances of each data transfer and any supplementary measures put in place. This assessment has to be taken into account for any transfer of personal data to the United States.

If an essentially equivalent level of protection taking into account any possible supplementary measures cannot be guaranteed for a transfer of personal data to the U.S. and the data transfer cannot be justified on basis of derogations under Art. 49 GDPR, the data transfer must be immediately suspended or ended. If a service provider located in the U.S. is used, the data exporter must forbid the transfer of personal data to the U.S.

If a data transfer to the U.S. will be continued regardless of a negative risk assessment, the competent supervisory authority must be notified.

The EDPB’s guidelines on data transfers on the basis of Art. 49 remains applicable. The EDPB emphasized that data transfers for the performance of a contract must be occasional and can therefore not be used to legitimize regular data transfers when, for example, a company in the US regularly collects data from individuals in the EU.

The threshold of "essential equivalence" set by the CJEU also applies to other safeguards under Art. 46 GDPR, namely the binding corporate rules (BCR).

The EDPB is still analyzing what kinds of supplementary measures could be provided in addition to the SCCs and the binding corporate rules, whether legal, technical or organizations, and will provide further guidance. However, the EDPB also emphasized that it is the primary responsibility of the data exporter and data importer to comply with the requirements set by the CJEU.

The requirements set by the CJEU for data transfers to the U.S. also apply to data transfers to other third countries.

Companies will need to revisit data processing agreements with service providers to check whether sub-processors located in third countries are involved in processing and, if so, analyze the circumstances of the transfers and the supplementary measures that can be put into place

Initial reactions and views of supervisory authorities

The EU supervisory authorities had a wide range of initial reactions to the Schrems II decision.

While the CJEU clearly stated that the Privacy Shield is invalid with immediate effect, the UK Information Commissioner’s Office (“ICO”) for example initially recommended that companies continue using the Privacy Shield until further notice. The Data Protection Commissioner in Ireland found all data transfers to the U.S. to be questionable as did the supervisory authorities of Berlin, Hamburg and Rhineland-Palatinate in Germany. On 27 July, the ICO published an updated statement that now aligns with the EDPB’s FAQs. On 28 July 2020, the conference of the German data protection supervisory authorities, DSK, published a separate statement that largely follows the EDPB’s FAQs.

A representative from the Bavarian data protection authority provided specific and business-friendly guidance.

According to the Bavarian DPA representative, companies should immediately:

Identify international data transfers; and

Assess whether the laws and regulations in the country of the data recipient provide for an essentially equivalent level of data protection. The Bavarian DPA indicated that if data was physically stored in Europe and only remotely accessed by a third-country service provider, this could lead to a different assessment as if the data were permanently stored in that country.

The Bavarian data protection authority also clarified that, as contractual obligations do not bind the foreign authorities, supplementary measures will likely have to be technical or organizational in nature (e.g., encryption).

The Bavarian DPA also indicated that, to the extent data transfers fall within the scope of Sec. 702 Foreign Intelligence Surveillance Act and/or E.O. 12333, it may be difficult to rely on an Art. 46 GDPR-mechanisms in general, which affects not only the SCC but also the binding corporate rules, so that any assessment regarding data transfers to the U.S. should consider the applicability of these laws.

While it is disputed amongst the supervisory authorities whether the Schrems II requirements also need to be observed for data transmissions under Art. 49 GDPR, the Bavarian DPA takes the view that there are good arguments that this is not the case.

What to expect and what to do

Companies should immediately identify relevant cross-border data transfers, carry out any necessary risk assessments and, if needed, adopt supplementary measures to help ensure the protection of personal data or consider stopping the transfers altogether.

While there is technically no grace period, if companies immediately commence risk assessments and remediate any identified shortfalls, regulators may take a favorable view of such actions in the context of any enforcement action.

A good starting point to assess whether the country of the recipient provides for an essentially equivalent level of data protection would be to request the service provider/counter party to fill out a questionnaire. The questionnaire should include questions aimed at identifying the extent to which data importers are (or could be) subject to security and other official access measures. The privacy organization of Max Schrems (noyb - European Center for Digital Rights) has already published a draft questionnaire that can be used as a starting point. The questionnaires can be found here (questionnaire for U.S.-based data importers) and here (questionnaire for EU providers with U.S. ties).

Companies should also be on the watch for further guidance by the competent supervisory authority and the EDPB.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.