EDPB FAQs: what are your next steps for data transfers post-Privacy Shield?
On 16 July, the Court of Justice of the European Union (CJEU) announced that the Privacy Shield mechanism for transferring personal data to the United States is invalid.
The CJEU reached its decision on the basis that US national law (in particular Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (E.O. 12333)) requires personal data to be shared with US public authorities in certain circumstances, overriding EU data protection law requirements. The lack of effective and enforceable rights and administrative and judicial means of redress for data subjects in the US was also an important factor in the judgment. The CJEU also announced that Standard Contractual Clauses (SCCs) are a valid safeguard for exporting personal data, but it emphasised that those relying on SCCs to send data outside Europe and the UK must verify whether the recipient can protect the data to a standard that is essentially equivalent to the protections provided by EU law. If necessary, additional safeguards can be put in place and taken into account in such verification.
The decision means that, if personal data cannot be protected to an “essentially equivalent” standard to that applicable in the EU, it must not be exported outside the EEA or adequate jurisdictions. This will have a significant impact on transfers. For further detail on the Schrems II decision, please see our previous update.
In the fortnight since the judgment, several pieces of guidance and statements have been issued, including FAQs from the European Data Protection Board (EDPB). So what are the latest key developments since the judgment and what should your organisation be doing now to safeguard its international personal data transfers?
Guidance from EDPB and ICO
The EDPB has confirmed in FAQs that:
(i) the Privacy Shield is invalid with immediate effect, with no grace period for enforcement action, and an alternative transfer mechanism should therefore be used immediately;
(ii) the judgment has implications for transfers to the United States using other transfer safeguards, including Standard Contractual Clauses and Binding Corporate Rules. This is because the US national laws that were considered to compromise the equivalence of the protection available to personal data being transferred under Privacy Shield also apply in relation to data transferred using alternative mechanisms;
(iii) SCCs are a potential safeguard for transfers of personal data to the United States, but the exporter must assess whether the data can be protected to an “essentially equivalent” standard, taking into account the particular circumstances of each transfer. If the SCCs alone do not ensure essential equivalence then additional safeguards may be used to ensure that US law does not compromise protection of the data;
(iv) the same assessment as in (iii) above must be made for exports of personal data to any third country outside the European Economic Area (EEA) in reliance on the SCCs;
(v) when transferring data using Binding Corporate Rules (BCR) as a safeguard, the exporter must make the same “equivalence assessment” as they must for transfers using SCCs;
(vi) importers should help the exporter to verify the relevant provisions of its national law and collaborate in the equivalence assessment;
(vii) the same requirements apply to exports of personal data made by processors on behalf of their controllers - organisations should carry out the same assessments for transfers made by their processors outside the EEA. Where essential equivalence is not possible, they should instruct their processor to stop the transfer.
The ICO has also published a statement that confirms that the EDPB FAQs apply to UK controllers and processors. It urges organisations to “take stock of the international transfers you make and react promptly as guidance and advice becomes available”. It also notes the implications of the judgment for its own role in the oversight of international transfers, and says it is “taking the time to consider carefully what this means in practice” but that it will continue to apply a risk-based and proportionate approach in accordance with its Regulatory Action Policy. It stresses that it understands the many challenges UK businesses currently face.
What should you do now?
As your first steps in response to this judgment and the latest guidance, your organisation should be:
- Mapping your data flows outside the EEA (including onward transfers, such as those made by European processors to third country sub-processors) and identifying the circumstances of, and safeguards used for, each transfer.
- For any transfer solely reliant on the Privacy Shield, prioritising putting in place an alternative transfer mechanism.
- For transfers reliant on BCRs or SCCs, obtaining input from the data receiver on their national laws and any safeguards they can offer you. This will assist you with the equivalence assessment that will need to be carried out and documented. You may even wish to discuss whether the receiver can offer you a solution that minimises data exports, although this will not always be feasible or desirable.
- If you are relying on BCRs to safeguard transfers, checking the provisions of the BCRs so that you can take them into account in your equivalence assessments. This is because the applicable rules may already provide for certain safeguards in the event that they conflict with the national law of the exporter.
- Considering whether any of the derogations under Article 49 of the GDPR may apply to any of your data exports. For example, a transfer may be necessary for the performance of a contract with the data subject, or the data subject may be able to give explicit consent to the transfer, after having been informed of the risks. These are intended for occasional transfers only and are subject to certain restrictions, so you will need to consider carefully whether they will apply to your transfers.
Guidance relevant to equivalence assessments is still evolving, so at this stage it may be difficult to carry out and rely on such an assessment with confidence. However, it is already clear that when an equivalence assessment is carried out, it must:
- consider the circumstances of the particular transfer;
- cover the national law of the recipient of the data, particularly the access it may allow to public authorities in the recipient’s country;
- take into account that national law requirements that do not go beyond what is necessary to ensure national interests such as security, defence and public safety do not contradict the SCCs;
- consider whether data subjects have enforceable rights and effective legal remedies available to them in the recipient country; and
- take into account the protection provided by the contractual protections in the SCCs and, if these are not sufficient by themselves, any additional safeguards that the parties may put in place.
The EDPB will also be publishing guidance on options for supplementary measures that may be used alongside the SCCs, where this is necessary in order to ensure essential equivalence.
We will continue to provide you with updates on the latest developments. In the meantime, please do not hesitate to ask your usual Stephenson Harwood contact, or a member of our data protection team, if you would like advice on your international transfers of personal data and how to respond to the Schrems II judgment.