On 24 July 2020 the European Data Protection Board (the “EDPB”) released its FAQs on the judgement of the Court of Justice of the European Union in Schrems II. For our commentary on Schrems II please see here.
The judgment in Schrems surprised many people and has the potential to upset international transfers around the world and not just from the EEA to the US. Whilst some regulators (e.g. the Berlin data regulator) had in the aftermath of the judgment made sweeping statements about data transfers to the US being no longer permitted and other commentators had raised valid concerns about the width of the logic of Schrems II (e.g. it must apply to Binding Corporate Rules (“BCRs”) too), many regulators had taken a measured tone and kept their powder dry, recognising the difficulties in the decision for business. Most notably the ICO even suggested it was “currently reviewing our Privacy Shield guidance after the judgement issued by the European Court of Justice on Thursday 16 July 2020" and that "if you are currently using Privacy Shield please continue to do so until new guidance becomes available” (albeit the ICO did also say “please do not start to use Privacy Shield during this period”).
The EDPB said on Friday 17 July 2020, the day after the judgement, that “the EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law”.
Hopes were therefore high the EDPB might release practical, pragmatic and reasonable guidance in relation to Schrems – possibly even with a recognition that businesses will need time (6-12 months) to adjust to the impact of Schrems II, and possibly even confirming a moratorium on any regulatory action.
Instead the EDPBs FAQs make the following points (in very short summary and collating a number of points – please do read the FAQs for the full picture):
- The threshold for valid transfers to third countries applies: (1) not just to EEA to US transfers but to all transfers to third countries and (2) applies to all transfer mechanisms under Article 46 not just SCCs (i.e. Binding Corporate Rules (“BCRs”) as well).
- There is no grace period for any transfers to the US based on Privacy Shield (“Transfer on the basis of this legal framework are illegal”) and bearing in mind the rest of the FAQs one has to assume this must also apply not just to EEA to US transfers under Privacy Shield but all transfers to third countries and to all transfer mechanisms under Article 46 which do not satisfy the Schrems II tests.
- Highlighted that the use of Article 49 derogations (E.g. explicit consent of data subject re the transfer or necessary for the performance of a contract) must be occasional and are not to be utilised for bulk and regular transfers.
- Mentioned that “supplemental measures” might be needed if using SCCs or BCRs but then provided no other information other than “The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance”.
Essentially the EDPB has taken some strongly indicated, yet still hypothetical, conclusions from Schrems II and made them the confirmed position of all the regulators in the EU (theoretically including the ICO).
It must be noted that the ICO is no longer an active member of the EDPB and only acts as an observer. We do not know if they had any input on the EDPB FAQs.
What do we need to do now?
As we said in our note on Schrems II (please see here), and even despite the EDPB FAQs, we do not believe there is any need to panic. Whilst the Schrems II judgement and the approach of the EDPB is very surprising, we still retain hope that most regulators will retain a sense of pragmatism and commercial reality and that this should be echoed within the halls of the European Commission.
That said controllers and processors (or indeed just any exporters and importers) need to think about the following:
- Understanding your extra-EEA data flows and on what mechanisms you rely
- Begin to think about the third countries to which you export data and develop an understanding of governmental access to your EU and UK personal data with focus on types of companies to which the laws apply, any rules around proportionality, any “effective” remedy for data subjects etc. (in which countries, and for which companies is this a major issue?)
- How to document all this thinking so as to keep a governance trail
- From a contractual perspective both controllers and processors (or indeed just exporters and importers) will need think about the following in their Article 28 agreements:
- Warranties that SCCs work;
- Promises to implement further “supplementary measures” as required (and as guidance is forthcoming);
- Notification requirements from a processor/importer to the exporter if approached by a government for access to data; and
- Agreement from a processor/importer to challenge any government requests
- Security measures need to be reviewed (e.g. do we need to encrypt to a greater level to “de-fang” any governmental requests)
- What changes need to be made to due diligence processes with processors/importers (e.g. new questions about impact of security laws on processors/importers and have they ever received a request from government? Etc. )
In addition, we are holding our webinar on ‘Implications of the CJEU’s decision in Schrems II’ on Thursday 30 July at 4pm with an expert panel of speakers. To register for the event, sign up here.