On 23 July 2020, the European Data Protection Board ("EDPB") released a set of questions (the "FAQ") posed by European supervisory authorities regarding the implications of Case C-311/18, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems ("Schrems II ") ruled on 16 July 2020 by the Court of Justice of the European Union ("CJEU").
What happened previously ?
In the Schrems II ruling, the CJEU invalidated the EU-U.S. Privacy Shield Framework, which allowed personal data transfers to more than 5,000 data recipients located in the United States of America ("U.S."). The CJEU ruled that the Privacy Shield did not provide data protection standards essentially equivalent to those required under EU law, in particular under the General Data Protection Regulation (EU) 2016/679 ("GDPR"). ( click here to see our publication)
The CJEU also confirmed that the EU standard contractual clauses ("SCCs"), which are in practice commonly used for transferring personal data outside of the European Economic Area ("EEA"), are valid per se. However, that validity depends on whether the requirements of the data recipient's domestic law results in limitation of personal data protection, which must remain compatible with EU law. As regards the U.S. law in particular, the CJUE considered that surveillance programmes enabling the U.S. authorities to access personal data for national security purposes contravene the principle of necessity and proportionality under EU law as such programmes do not provide for any limitations to the power of U.S. authorities. U.S. law also does not grant data subjects with actionable rights against the US authorities as under the EU law.
What are the key takeaways?
While the U.S. Department of Commerce and the EU Commission have initiated discussions on the possibility to enhance the Privacy Shield to comply with the CJUE judgment, the EDPB is currently assessing the impact on personal data transfers to the U.S. and the alternative solutions in the light of EU law. Meanwhile, the FAQ is intended to provide some clarity on the most pressing questions in relation to this matter:
- Data transfers based on the EU-U.S. Privacy Shield. Because of the invalidity of the EU-U.S. Privacy Shield, the latter is no longer a valid mechanism for the transfer of personal data to the U.S. in accordance with EU law. Accordingly, EEA data exporters and importers must opt for an alternative transfer mechanism.
- No grace period. The EDPB also clarified that the Schrems II ruling does not provide for any grace period. Data transfers operated via the EU-U.S. Privacy Shield are considered non-compliant with existing data protection law with immediate effect. In practice, however, it is expected that the EU supervisory authorities remain provisionally flexible as regards the validity of the legal bases used for personal data transfers to the U.S., but there is no common position as of today between the different supervisory authorities on this matter.
- The responsibility of the data exporters and data importers when using SCCs. With the invalidation of the EU-U.S.-Privacy Shield, the CJUE found that existing data protection standards in the U.S. are not sufficient to be considered as essentially equivalent to those of UE law. As a consequence, each data exporter and data importer should collaborate to operate an assessment, taking into account the circumstances of the personal data transfers, the requirements of the U.S. law and any supplementary measures that they could put in place on a case-by-case basis to ensure that U.S. law does not impinge on the adequate level of protection guaranteed by the SCCs. In the event that the result from such an assessment is that an adequate level of data protection cannot be ensured, the data transfers should immediately be suspended or notified to the competent supervisory authority (i.e. in Luxembourg, the CNPD).
- The nature of the supplementary measures. The EDPB underlined that it is currently assessing the type of supplementary measures that could be implemented in addition to SCCs, whether legal, technical or organisational measures, where the SCCs will not provide a sufficient level of data protection on their own. The EDPB should provide further guidance in this respect.
- EEA to U.S. data transfers on the basis of derogations foreseen in Article 49 GDPR. As the EDPB underlines, another existing legal basis for personal data transfers to the U.S. consist in the derogations listed under Article 49 GDPR, which are of restrictive interpretation and may be considered only in the absence of adequacy decision and other appropriate safeguards. Such derogations may be relied on if the conditions set forth in this Article apply and in accordance with the interpretation of the EDPB issued in this respect (see here ). However, such derogations do not constitute appropriate legal bases for personal data transfers taking place on a large scale and in a systematic manner. In particular, where relying on the necessity of the transfer for the performance of a contract, any such transfer must remain occasional. As regards the consent of the data subjects, this consent should be explicit, specific for each data transfer and adequately informed.
- Data transfers to third countries other than the U.S. The CJEU ruling specifically addressed personal data transfers to the U.S. However, the rules set out by the CJEU apply to the same extent to any other third country. Data exporters and importers are required to assess whether the domestic law of the recipient countries allow them to comply in practice with EU law when implementing the SCCs. If not, any supplementary measures, which are not impinged upon by the recipient's domestic law in practice, should be considered as ensuring an essentially equivalent level of data protection as provided in the EEA.
Further points of attention
In conclusion, there is currently no real alternative to the use of the EU-U.S. Privacy Shield and SCCs for transferring personal data to the U.S., unless appropriate supplementary measures could be combined with the SCCs to ensure an essentially equivalent level of data protection. However, there is no guidance as to the consistence of such supplementary measures. Relying on the derogations listed under Article 49 GDPR (i.e. consent, performance of a contract, public interest, etc.) is only appropriate in exceptional circumstances in accordance with the interpretation of the EDBP and cannot cover personal data transfers taking place on a large scale and in a systematic manner.
We will keep you posted about any further guidance or developments in this respect.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.