The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid and, whilst it upheld the use of Standard Contractual Clauses ('SCCs'), it provided clarity around the considerations that organisations and authorities should bear in mind if SCCs are utilised as the transfer mechanism of choice. OneTrust DataGuidance is committed to bringing you the latest information and regulatory know-how on what the judgment could mean, and will be continuing to update this page to bring together all the resources needed.
How Does OneTrust Help with Schrems II Challenges?
The Schrems II ruling poses a new set of challenges, as organizations must now find alternative transfer mechanisms. But don’t worry, OneTrust is here to help! With our new free Schrems II Solutions, controllers can leverage OneTrust Vendor Risk Management, Vendorpedia Exchange, Data Mapping, and DataGuidance to identify and validate data transfers.
OneTrust’s Schrems II Solutions support organizations in operationalizing a range of changes, including:
- OneTrust Data Mapping: Identify data transfers and the mechanisms they rely upon
- OneTrust Vendor Risk Management: Assess vendors that rely on SCCs with pre-built validation templates and manage contract updates as well as vendor on-boarding and off-boarding
- OneTrust Vendorpedia Exchange: Leverage pre-completed vendor assessments and chasing services
- OneTrust DataGuidance Regulatory Research: Stay up to date on the latest Schrems II guidance
Processors can also find the support that they need to operationalize the Schrems II decision. OneTrust Schrems II Solutions help processors implement holistic privacy programs, allowing them to track the relevant guidance and implement compensating controls for GDPR equivalency.
- Access the Judgment here
- Access the CJEU press release here
- Access the first NOYB statement here
- FAQs and model requests issued by NOYB here
- FAQs issued by the European Data Protection Board here
Key resources from OneTrust DataGuidance
- For further jurisdiction-specific resources and Guidance Notes on data transfers, access our Data Transfers Comparison
- The Resource Page collates resources and data protection authority reactions regarding the Schrems II Case.
- Access our news coverage here
- Access our webinar and key takeaways from the Advocate General's opinion in the Schrems II Case here
- Eduardo Ustaran, Partner at Hogan Lovells, provides his thoughts in this article, 'Choppy waters'
- Dr. Carlo Piltz, Partner at reuschlaw Legal Consultants, analyses considerations for organisations in this article, 'What will companies have to consider in future when transferring data internationally?'
- Odia Kagan, Partner at Fox Rothschild LLP, looks at what Schrems II means for exporters and importers of personal data from the EU to third countries
- David S. Greber, Principal at Offit Kurman, P.A., examines the impact for US organisations in this article, 'Privacy earthquake - GDPR compliance for US companies post-Schrems II'
- OneTrust DataGuidance Schrems II Infographic: What It Means for Common Data Transfer Mechanisms
Live reaction to the key landmark decision on the future of international data transfers
We hosted an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact on your business and what the future may hold.
- William Long - Partner, Leader of the EU Data Protection Practice, Sidley Austin LLP
- Caroline Louveaux - Chief Privacy Officer, MasterCard
- Lee Parker - Director Data Privacy EU+, Biogen
- Lara Liss - Chief Privacy Officer, Walgreens Boots Alliance
- Monica Tomczak - Chief Privacy Officer, Prosus, Division of Naspers
- Alan Raul - Partner, Leader of Privacy and Cybersecurity Practice, Sidley Austin LLP
- David Longford - Global Offering Manager, OneTrust DataGuidance
Is the US 'Essentially Equivalent' with the EU?: Schrems II Legal Analysis
Join us for a webinar as we react to the ruling and discuss what it means in correlation to privacy programs and other global regulations.
Schrems II - Third Country Assessment
- Applicable Law
- Human rights law
- Authority access law
- Legal bases for access
- Other limits on access
- Authority Functions
- Oversight mechanisms
- Legal remedies for data subjects
- Legal remedies for organisations
- Overseas subjects
- International commitments
- Further information
To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform
Mechanisms for Data Transfers under the GDPR:
The European Commission describes adequacy decisions as follows:
'The European Commission has the power to determine, on the basis of Article 45 of General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') whether a country outside the EU offers an adequate level of data protection.
The adoption of an adequacy decision involves:
- a proposal from the European Commission;
- an opinion of the European Data Protection Board;
- an approval from representatives of EU countries; and
- the adoption of the decision by the European Commission.
At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.
The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.'
The following jurisdictions have thus far been recognised as providing adequate protection for personal data (i.e. are party to an adequacy decision):
- Canada (commercial organisations)
- Faroe Islands
- Isle of Man
- Japan (private sector)
- New Zealand
- Switzerland (under review)
Adequacy talks with South Korea are also currently ongoing.
For further information see the EU Adequacy Tab in the Data Transfers Portal.
Appropriate safeguards include standard contractual clauses ('SCCs') adopted by the Commission and SCCs adopted by a supervisory authority and approved by the Commission (Article 46(2)(c) and (d) of the GDPR). These SCCs may be included in a contract with another party as a means of providing protection for personal data. While the CJEU Decision ruled that SCCs were valid, it also noted that they do not on their own necessarily provide an adequate level of protection. This means that an assessment of the transfer should be made and that supplementary measures may need to be utilised alongside standard SCCs in order to ensure there is adequate ongoing protection.
The assessment is the responsibility of the exporter and importer and should determine whether the third country provides adequate protection. Since the CJEU Decision emphasised surveillance laws and public authority access to personal data in the US, guidance on assessments has tended to similarly highlight public authority access to data. Supplementary measures may involve amendments to the standard SCCs, or technical/organisational security measures such as encryption; however, further guidance on this matter is expected from the EDPB and supervisory authorities.
Prior to the CJEU Decision, the Commission issued the following decisions on EU controller to non-EU or EEA controller and EU controller to non-EU or EEA processor SCCs:
The Commission outlined, in its Communication to the European Parliament and the Council of the European Union on Data Protection as a Pillar of Citizens' Empowerment and the EU's Approach to the Digital Transition - Two Years of Application of the GDPR, that it had been working on SCCs between controllers and processors, building on the ongoing work on the modernisation of the SCCs for international transfers.
It is expected that supervisory authorities will issue guidance on SCCs in the short to medium term.
Binding corporate rules ('BCRs') are considered an appropriate safeguard under Article 46 of the GDPR.
BCRs are approved by the competent supervisory authority in accordance with the consistency mechanism set out in Article 63 of the GDPR, provided that, under Article 47(1) of the GDPR, they:
- are legally binding and apply to and are enforced by every member concerned in the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
- expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
- fulfil the requirements laid down in Article 47(2) of the GDPR.
Processes for approving BCRs can be time consuming; however, they have proved to be a popular mechanism for large multinational organisations and are becoming more common around the world.
Article 47(2) of the GDPR sets out the information a BCR must specify; see EU - GDPR - Data Transfers.
The CJEU Decision, however, impacts BCRs in a similar manner to SCCs. BCRs are required to meet the same threshold for the ongoing adequate protection of personal data as SCCs. Therefore, the EDPB has noted that jurisdiction assessments and supplementary measures may be required for BCRs in the same fashion as they are for SCCs.
For further general BCR information see the following procedural documents endorsed by the EDPB:
- Recommendation on the Standard Application form for Approval of Controller Binding Corporate Rules for the Transfer of Personal Data | WP 264 rev.01 (18 April 2018)
- Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data | WP 265 rev.01 (18 April 2018)
- Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules | WP 256 rev.01 (9 February 2018)
- Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules | WP 257 rev.01 (9 February 2018)
The Commission provides an overview list of certain companies for which the EU BCR cooperation procedure is closed, last updated on 25 May 2018, and the EDPB provides a register of selected BCRs since 2019.
Article 40 of the GDPR sets out provisions for codes of conduct. Codes of conduct are voluntary tools developed by associations or other representative bodies that cover certain data protection issues and tend to apply within sectors. International data transfers are one of the topics that a code of conduct as recognised under the GDPR can cover. Codes of conduct must be approved by a supervisory authority, and supervisory authorities are also tasked with generally encouraging the use of codes of conduct.
There are several requirements for the information contained in a code of conduct, including that a mechanism is established for monitoring compliance. Article 41 of the GDPR details how a body may be accredited by a supervisory authority to monitor compliance with a code of conduct. Organisations do not need to be subject to the GDPR in order to be an adherent to a code of conduct.
A code of conduct for international data transfers will need to ensure that relevant provisions on cross-border transfers, such as ongoing adequate protection of personal data, are complied with. Similarly to BCRs, the CJEU Decision impacts codes of conduct used for cross-border transfers as it sets a new threshold for what should be considered in assessing adequate protection.
For further information on codes of conduct, see the General Data Protection Regulation Portal.
Article 42 of the GDPR establishes processes for certification. Certification functions in a similar manner to codes of conduct, in that it too is a voluntary system that is monitored or regulated through an accredited body and is used by organisations as a means of demonstrating compliance. Article 43 of the GDPR sets out provisions for the accreditation of certification bodies. Certification must be renewed at least every 3 years, and all certification mechanisms and data protection seals and marks are collected in a register by the European Data Protection Board ('EDPB'). Supervisory authorities within Member States as well as the EDPB have been steadily issuing guidance, opinions, and decisions on certification (see here).
Similarly to BCRs and codes of conduct, the CJEU Decision impacts certification mechanisms by setting a new threshold for cross-border data transfers.
For further information on certification mechanisms see:
- Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation - version adopted after public consultation
- Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) - version adopted after public consultation
- EDPB Document on the procedure for the approval of certification criteria by the EDPB resulting in a common certification, the European Data Protection Seal
Article 49 of the GDPR establishes that in the absence of an adequacy decision, or of appropriate safeguards pursuant to Article 46, including BCRs, SCCs, codes of conduct or certification, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
The EDPB has noted that, 'derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. Due to this fact and in accordance with the principles inherent in European law, the derogations must be interpreted restrictively so that the exception does not become the rule.'
The EDPB also stresses that the derogations under Article 49 are for specific situations and should be 'occasional' and 'not repetitive'. As such, Article 49 derogations should not be utilised as a mechanism for recurring international data transfers.
In regard to consent, the EDPB has further specified that consent must be:
- explicit (see Guidelines 05/2020 on consent under Regulation 2016/679 for further information);
- specific for the particular data transfer/set of transfers; and
- informed, particularly as to the possible risks of the transfer.
In relation to other derogations, the EDPB emphasises the importance of a 'necessity test' and the complexities of assessing whether a transfer can be considered necessary. In general terms, the EDPB strongly encourages the use of mechanisms other than Article 49 derogations wherever possible.
Following the CJEU Decision, several EU Member State supervisory authorities noted that transfers to the US, or to other third countries deemed not to provide adequate protection, were still possible under Article 49 derogations, at least on a temporary basis. However, these authorities also tend to note that Article 49 should not be relied upon for repeating or regular transfers.
For further information on Article 49, see the EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.