Schrems II Update
07 June 2021
New SCCs, EDPS investigations into cloud contracts, German DPAs inquiry into international data transfers, CNIL’s review of research collaboration tools and FTC report on Privacy Shield.
In the past weeks, there have been a number of developments related to the consequences of the European Union Court of Justice (CJEU) decision in Schrems II. The most noteworthy developments are summarised below:
- On 4 June 2021, the European Commission issued the final version of the modernised standard contractual clauses (SCCs) for international data transfers to third countries. The final SCCs take into account the outcomes of Schrems II and provide contractual safeguards for personal data that exporters and importers will need to agree if the SCCs are relied upon for transfers to countries without adequacy status, as well as obligations on data importers to cooperate and put into place any further supplementary measures necessary to comply with the GDPR in light of Schrems II decision.
- On 27 May 2021, the European Data Protection Supervisor (EDPS) announced that it had launched two investigations into compliance of cloud-based services with the Schrems II judgement. The investigations will look into the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by EU institutions and into compliance by the European Commission with the use of Microsoft Office 365 by the European Commission. View the EDPS press release here.
- On 1 June 2021, the Germany’s supervisory authorities announced a coordinated action to inspect how data controllers comply with the requirements to international data transfers to third countries following the Schrems II judgment. The participating supervisory authorities will ask companies to complete detailed questionnaires, each of which seeks to address data transfer aspects of online portals, intra-group data transfers, web tracking (including by tracking tools or pixels embedded in company websites), email services and webhosting. The press release of Berlin DPA is available here, and the questionnaires are available here (all documents only in German).
- On 27 May 2021, the France’s supervisory authority (CNIL) announced that, following a review of collaborative tools and cloud services used for education and research purposes on compliance with requirements of the GDPR and Schrems II judgement, it concluded that the risk of unlawful data access by the US authorities is high, must be mitigated and recommended educational institutions to seek alternative solutions. The CNIL considered the large number of users of the tools and vast amount of data (including sensitive data, research data and data of minors) as important factors. The CNIL also noted that as the final EDPB guidance on supplementary measures if not adopted yet, it will provide educational institutions with unspecified transitional period and will assist them in finding a compliant solution. View the CNIL press release here.
- On 25 May 2021, the US Federal Trade Commission (FTC) published its 2020 Privacy and Data Security Update. Among other issues, the FTC refers to action taken in relation to international data transfer mechanisms, in particular in respect of misrepresenting of participation in and compliance with the EU-U.S. Privacy Shield Framework. The FTC reiterates that although the Privacy Shield Framework is no longer recognised as providing adequate protection for transfers from the EU or Switzerland following Schrems II judgement, this does not relieve participants of their obligations under either the EU-U.S. Privacy Shield or the Swiss-U.S. Privacy Shield frameworks under US laws and from compliance with FTC decisions and orders. It encourages companies to continue to follow robust privacy principles, such as those underlying the framework, and to review privacy policies to ensure that they reflect their practices. View the FTC press release here.