Uncertainties following Schrems II
Following the Schrems II judgment on 17 July (which we discussed here), the EU-US Privacy Shield has been invalidated and the CJEU has said that the Standard Contractual Clauses (SCCs) can only be relied on if data importers and exporters can ensure that the SCCs can be complied with in practice.
The judgment has since created uncertainty about the future of international data transfers, on which regulatory guidance is urgently needed, including:
- how businesses can carry out risk assessments in relation to the parties’ abilities to comply with the SCCs;
- whether businesses may have a grace period to implement such assessments; and
- whether transfers of personal data to the US can be made pursuant to SCCs at all, in light of the surveillance programmes the CJEU called out in Schrems II.
Updated EDPB Q&A on Schrems II
In response to questions received from Supervisory Authorities, the European Data Protection Board (the EDPB) has issued its updated Q&A clarifying a number of key points.
No grace period for existing transfers under the EU-US Privacy Shield
Contrary to the ICO’s position immediately following the judgment, which suggested that organisations already transferring personal data to the US could continue to do so until further guidance was issued, the EDPB has announced that the Privacy Shield can no longer maintain its effects after Schrems II and that data transfers made on the basis of the Privacy Shield are illegal. This includes transfers that were already in place before the judgment was handed down.
Alternative ways to transfer data to the US
Alternative ways to transfer data to the US and other third countries do exist, but each comes with its own limitations and conditions:
- SCCs and supplementary measures – We already know that SCCs may be relied on to transfer data if the importer and the exporter can ensure that the protection set out in the SCCs can be complied with in practice. Guidance on how to carry out such an assessment remains high-level and we await further detailed guidance. The EDPB suggests that a data importer may be able to verify the legislation of its country; however, a warranty from the importer that is not backed by a thorough risk assessment appears unlikely to satisfy the EDPB. The EDPB emphasised that, where the assessment concludes that the SCCs entered into may not be complied with in practice, the parties can consider supplementary measures to ensure an “equivalent level of protection” of personal data to that provided in the EEA. The EDPB expects to provide further guidance on the detailed forms such supplementary measures may take.
- Binding Corporate Rules (BCRs) – The principles of the Schrems II judgment will also apply to BCRs. Businesses adopting BCRs to transfer personal data will need to consider carefully whether the terms of the BCRs can be complied with in relation to transfers to the US and whether it is possible to put effective supplementary measures in place.
- Common exemptions potentially available:
- data subjects’ explicit consent – The EDPB’s view is that if businesses were to rely on the explicit consent derogation, data subjects must be informed of the possible risks of the transfer to a third country which does not provide an adequate level of protection. Such consent should be explicit and specific to the transfer.
- necessary for the performance of a contract – Where businesses expect to rely on this exemption, the EDPB highlighted that they must ensure that the transfer is objectively necessary for the contract between the exporter and the data subjects. Such transfers should only be occasional, and the assessment of whether a transfer is “occasional” should be carried out on a case-by-case basis.
- necessary for important reasons of public interest – Whilst there is no requirement that such transfers should only be occasional, the EDPB re-emphasised that this derogation should not be relied on to justify large scale or systematic transfers.
- If no supplementary measures or derogations can be relied on – The EDPB has suggested that organisations seek to negotiate amendments to their contracts to prohibit transfers to the US.
- Onward transfers to sub-processors in the US – The EDPB Q&A also indicates that controllers’ obligations in relation to international transfers do not cease at the data processor level. Where a processor is likely to perform onward transfers to the US for the purpose of the contract between the processor and the controller, the EDPB suggests that controllers review such onward transfers and take them into consideration when authorising processors to engage sub-processors.
The future of international transfers and practical steps to take
In the absence of further guidance on managing the impact of the Schrems II judgment, it is unfortunate that the EDPB has announced that no grace period applies to existing transfers made pursuant to the Privacy Shield. What is reassuring is that the EDPB has confirmed it is working with all the Supervisory Authorities to ensure consistency of regulatory guidance across the EEA. In light of the ICO’s latest statement, it appears that the ICO has also endorsed the EDPB’s approach and is likely to continue to do so despite Brexit. The ICO has acknowledged that further guidance is expected and has called on businesses to “take stock of the international transfers you make” and to “react promptly” as guidance becomes available.
In light of the EDPB and the ICO’s current guidance, businesses may want to consider taking the following steps:
- Review existing data transfers and prioritise transfers that are business critical or relate to customer data or special categories of personal data.
- Identify international data transfers to the US made on the basis of Privacy Shield. Consider whether BCRs or SCCs can be put in place and complied with in practice, taking into account any supplementary measures that may be adopted. Note that in the absence of detailed guidance, businesses will need to consider all the elements mentioned in the Schrems II judgment.
- If the SCCs or BCRs cannot be complied with due to the laws of the importing country, consider whether any exemptions apply. Note that relying on exemptions should not be the norm. The decision-making process in relation to relying on exemptions should be recorded in detail.
- If data subjects’ explicit consent is to be relied on, revisit your privacy notice and consider how to obtain data subjects’ explicit and specific consent.
- Where data processors are located outside the US, ask whether the processor is likely to perform onward transfers to the US and what steps have been taken to ensure compliance with the EDPB Q&A. Amend the contractual provisions on the authorisation of sub-processors if necessary.
This blog post was written by Yunzhe Zhang.
The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK.