EU: What can be learnt from the EDPS' strategy on Schrems II
The European Data Protection Supervisor ('EDPS') has issued a strategy for EU institutions ('EUIs') to comply with the Court of Justice of the European Union's ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). Odia Kagan, Partner and Chair of GDPR Compliance and International Privacy at Fox Rothschild LLP, discusses the EDPS' strategy and looks at the key takeaways that non-EUIs need to consider.
Complete a mapping exercise of all processing operations and types of data
On 5 October 2020, the EDPS issued an order to EUIs to carry out an inventory of all ongoing processing operations and contracts involving transfers to third countries. Institutions were requested to complete a mapping exercise by the end of October 2020 to identify data transfers for ongoing contracts, procurement procedures, and other types of cooperation. The inventory should describe the processing operations, destinations, recipients, transfer tools used, types of personal data transferred, categories of data subjects affected, as well as information on onward transfers.
When doing this, it is important to consider not only transfers by the institutions themselves but also by their processors and sub-processors.
Report to the EDPS regarding risky transfers
EUIs are expected to report to the EDPS, by 15 November 2020 at the latest, on the specific risks and gaps they identified during this mapping exercise. Furthermore, they have to provide specific and transparent information to the EDPS on three main categories of transfers which are likely to present higher risks for the rights and freedoms of individuals. These are:
- illegal transfers which are not based on any transfer tool;
- transfers that are based on a derogation; and
- 'high-risk transfers' to U.S. entities clearly subject to Section 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333, and involving either large scale processing operations or complex processing operations or processing of sensitive data or data of a highly personal nature.
Beware of new engagement with non-EU providers
With regard to the use of any new service providers and new processing operations carried out with appropriate safeguards and appropriate supplementary measures, the EDPS has requested EUIs to take a strong precautionary approach. The EDPS strongly encourages EUIs to ensure that any new processing operations or new contracts with any service providers do not involve transfers of personal data to the US.
Carry out a TIA
EUIs will be asked to carry out case-by-case Transfer Impact Assessments ('TIAs') to identify whether an essentially equivalent level of protection as provided in the EU/EEA is afforded in the third country of destination.
Implement supplementary measures
Following the expected European Data Protection Board ('EDPB') guidance on appropriate supplementary measures, the EDPS will provide a list of preliminary questions for EUI controllers to launch TIAs with data importers and determine whether and which supplementary measures are required or whether transfer under a derogation is possible.
Within the EDPB, the EDPS is working with the other data protection authorities in the EEA on developing further guidance and recommendations to assist controllers and processors in their duties to identify and implement appropriate supplementary measures to ensure an adequate level of protection when transferring data to third countries.
Report to EDPS regarding particular transfers
Depending on the outcome of the TIAs, EUIs will be asked to report to the EDPS in the course of spring 2021 on the following three categories of transfers:
- to a third country that does not ensure an essentially equivalent level of protection;
- that are suspended or terminated in line with Article 47(2) of the General Data Protection Regulation (Regulation (EU) 2016/679), if the EUI considers that the third country does not ensure an essentially equivalent level of protection; and
- based on derogations, including the categories of cases in which derogations have been applied.
Potential joint assessments
The EDPS will also start exploring the possibility of joint assessments of the level of protection of personal data afforded in third countries and how these could be coordinated between authorities, controllers, and other stakeholders to provide guidance and ensure compliance with the Schrems II Case judgment.
Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia