Schrems II: EDPB FAQs response
27 July 2020
Further to last week’s landmark decision by the Court of Justice of the European Union (CJEU) in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II) invalidating the EU-US Privacy Shield data transfer mechanism, European data protection regulators have been discussing their response and EU data exporters have been waiting.
Are we further forward, you may ask?
Initial reaction from national Supervisory Authorities
Well - we have now heard the initial reaction from a number of individual supervisory authorities. Many reiterated the key message of Schrems II – i.e. that Privacy Shield is no longer available as an EU-US data transfer mechanism. The UK Information Commissioner’s Office (ICO) was typically pragmatic, suggesting that those using Privacy Shield should continue to do so pending further guidance. The Irish Data Protection Commission (DPC) clearly felt very vindicated in its analysis (and that of the Irish High Court). Not surprisingly, since the Schrems II case originated in the use of Standard Contractual Clauses (SCC) as a transfer mechanism for EU-US data transfers, the DPC has called into question the use of SCC as well as Privacy Shield. German regulators have been forthright – for instance, the Berlin supervisory authority has called for transfers of data to the US to be stopped, while a number of other supervisory authorities have referred to the co-ordinated reaction through the European Data Protection Board (EDPB). We have summarised their responses in our weekly Data Privacy and Cybersecurity Update (please let me know if you would like to receive this).
And on Friday 24 July 2020, we received the much anticipated FAQs from the EDPB. The EDPB has emphasised that Privacy Shield is defunct; no grace period applies; unflinchingly they state “transfers on the basis of this legal framework are illegal”. They are also clear that the issues raised in the Schrems II judgment as to the underlying “interference with the fundamental rights of persons whose data are transferred” apply equally to other data transfer mechanisms. Accordingly, as many have suggested, the fact that US law is not “essentially equivalent” to EU law requirements is a problem not just for Privacy Shield, it may also undermine SCC and other mechanisms such as Binding Corporate Rules (BCRs).
That said – the EDPB clearly states that these other mechanisms may still be used for cross-border transfers (including to the US), but that there is an onus on data exporters and importers to assess each transfer and its circumstances, and to consider the supplementary measures alluded to (but not articulated) in the Schrems II judgment which could be put in place to ensure that an adequate level of protection is available for the transfer. Logically, then, the EDPB does appear to think that there are some supplementary measures which would do the trick. Frustratingly, though, the EDPB again gives no articulation of the supplementary measures it considers could assist parties exporting data to the US or any other non-adequate jurisdiction; this is promised in further guidance. Given the clarification in the Schrems II judgment that the SCC cannot, having regard to their very nature, provide guarantees beyond a “contractual obligation to ensure compliance with the level of protection required under EU law”, which the judgment also points out does “not bind the authorities of third countries”, it may be that the EDPB has technical and organisational measures in mind rather than further contractual ones.
If the parties conclude that adequate protection cannot be ensured, the exporter should suspend or terminate the transfer; if the exporter nonetheless intends to continue the transfer despite that conclusion, the EDPB states that the exporter should notify its Supervisory Authority. This follows the requirement in the SCCs, but it seems somewhat counter-intuitive that a non-compliant data exporter would notify its Supervisory Authority of the breach.
The EDPB has also affirmed the view articulated in its previous guidance that the derogations from the cross-border transfer prohibition contained in Article 49 of the GDPR are limited in nature. In general, these are not suitable for long term/systematic data transfers, or are set at such a high threshold that it is difficult to rely on them (e.g. explicit consent); they are really suitable only for occasional use.
How to square the circle
The guidance from the EDPB is in many ways unsurprising. Clearly the CJEU decision has to be respected and upheld. Supervisory Authorities were reminded on a number of occasions in the Schrems II judgment that they have a duty to monitor and enforce the GDPR under Article 57 of the GDPR. While we understand informally (and indeed from the ICO statement) that there may be little proactive enforcement against data controllers in respect of transfers to Privacy Shield recipients, and perhaps even less in respect of SCC transfers, privacy activists are likely to complain where they can, most obviously in respect of prominent social media or other large organisations, and on receiving those complaints Supervisory Authorities will be bound to respond. (We note that various commercial and not-for-profit organisations are publicising draft letters that consumers may use to write to organisations requesting information about their cross-border data transfers, or to complain to Supervisory Authorities.)
The FAQs do however leave a number of open questions and data exporters may feel rather exposed. We suggest that while we all await further guidance from the EDPB, the following measures should be considered:
- Identify your cross-border transfers – these should be evident from your records under Article 30 GDPR
- Identify relevant cross-border transfer mechanisms (and related contract terms) which apply to your transfers to recipients in the US and other jurisdictions without adequacy status from the European Commission
- For transfers to the US – consider the circumstances of the transfers and whether/what supplementary legal, technical or organisational measures could be put in place to accompany transfer mechanisms such as SCCs (e.g. encryption, limiting access, data minimisation, data retention limits)
- In particular, prioritise a review of transfers that are made to Privacy Shield certified recipients and if practicable move these to SCC, alongside supplementary measures that will make a meaningful difference (but see further commentary on this below)
- For transfers to other jurisdictions without adequacy status – assess the legal framework in those countries to determine whether there are likely to be issues akin to those in the US which would undermine compliance with the SCC/BCRs that you are relying on and take similar measures to those identified above for US recipients
- Work with your counterparty importers, whose reaction (and your underlying contract) will also practically affect what you will be able to achieve. Identify whether any of your contract terms with counterparty importers allow them to on-transfer data to the US or other jurisdictions without adequacy status, and undertake the same analysis/mitigation steps as set out above
Does putting in place an alternative mechanism, such as SCC, make sense?
You may ask – is it worth moving from Privacy Shield to SCCs, especially when they may be equally flawed? We appreciate that this may not be especially attractive, particularly as the SCCs are due to be replaced with new contractual clauses on which the European Commission is currently working. And, of course, as mentioned, SCCs were the subject of Max Schrems’ complaint at the start of this particular case, so individual enforcement action by Supervisory Authorities may well follow (we are watching closely for the Irish DPC’s further decision on the Facebook SCCs).
Depending on the number of recipients involved, putting in place SCCs may be expensive and administratively complex, and may make little practical difference to the protection achieved. They may only really delay rather than eradicate the risk of enforcement. However, since the EDPB guidance states in terms that transfers on the basis of Privacy Shield are “illegal” and that there is no grace period, it would be sensible to actively consider this option. Many will feel that the language the EDPB has used leaves them with little option (other than looking at suspending or terminating transfers, which may not be feasible). This is especially likely to be the case for controllers that are likely targets for complaints, where the transfers are, by their nature or the nature of the data, higher risk, and where meaningful protections can be added to those already in place. Further – you should be prepared to adapt your precautionary supplementary measures as new guidance becomes available. If you keep a good audit trail of your response and of your considered views on the transfers you undertake, this should go a long way towards evidencing good intentions were there to be a regulatory investigation at a later stage.
Looking further ahead
Finally – will this result in a return of data to the EU? We can foresee that some companies will want to take that view. However, even if data is ported back to EU-based data centres, many companies will continue to need to access data from all round the world, so although helpful in reducing the level of cross-border transfers undertaken, even this more drastic solution will not be a full answer to the issues that have been raised by Schrems II.