EU: NOYB issues comments on EDPB's supplementary transfer tools recommendations following Schrems II

The None of your business–European Center for Digital Rights ('NOYB') issued, on 22 December 2020, its comments on the European Data Protection Board's ('EDPB') Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Judgment').

In particular, NOYB noted that all transfer instruments, such as Binding Corporate Rules ('BCRs'), Standard Contractual Clauses ('SCCs'), and adequacy decisions, should lead to an essentially equivalent level of protection when compared to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). It added that there is no hierarchy between these forms of transfer instruments and that all require some form of flexibility, whether in the negotiations with a third country or in what contractual measures, like SCCs and BCRs, can reasonably achieve. Furthermore, NOYB highlighted that none of the mechanisms may 'undermine' the standards of the GDPR, that all of them must provide 'essentially equivalent' protection and that, as confirmed by the EDPB, the same principles also apply for BCRs. Moreover, NOYB outlined that all principles of the GDPR should therefore be included in the BCRs, and should not be limited to the list of principles mentioned in Article 47(2) of the GDPR. It therefore encourages the EDPB to review the relevant BCR working documents in this regard, and stated that the same should apply regarding other transfer tools, such as certification mechanisms, codes of conduct, or ad hoc clauses.

In addition, NOYB stipulated that, in instances where an adequate level of protection cannot be guaranteed, the prohibition on starting a transfer, and the duty to suspend and terminate it, are not just options, but rather a clear obligation under the GDPR. Moreover, NOYB outlined that the EDPB makes clear that, when the controller considers that additional measures cannot guarantee that the data transferred will be granted a protection essentially equivalent to the one provided by the GDPR, it must suspend the transfer, without prejudice to its right to consult the supervisory authority regarding any additional safeguards that it could put in place to resume the transfer. Similarly, NOYB suggested that the EDPB should explicitly state that when the supervisory authority considers that the level of protection cannot be guaranteed once the data are transferred, it must suspend or end the transfer where the controller or a processor has not itself suspended or put an end to the transfer. Furthermore, NOYB urged the EDPB and supervisory authorities to fulfil their responsibilities when it comes to suspending data flows, instead of relying on self-reporting. NOYB considered it important that the EDPB highlight not only the duties of controllers and processors, but also those of the supervisory authorities. It further urged the EDPB and supervisory authorities to launch a coordinated action plan within the EDPB to identify transfers that are not compliant with the Schrems II Judgment, to investigate the cases, and to adopt the appropriate measures.

NOYB further urges the EDPB to clarify that EU law requires third country laws that are also followed in practice. In addition, NOYB suggests that the EDPB should keep its position clear and should explicitly reaffirm, in its Recommendations, the statement of the Article 29 Working Party ('WP29') that a 'risk-based approach' cannot be followed in order to assess the compliance of a transfer.

Finally, NOYB added that most smaller organisations and data subjects will not profit from rather abstract and generic guidelines, as they would have to assess the law of, for example, the United States. It would welcome it if the EDPB, national supervisory authorities or the European Commission could either themselves provide neutral information on the laws of the most relevant third countries, or at least encourage neutral third parties to make such assessments publicly available.