International: Schrems II FAQs
This Schrems II FAQ is designed to provide answers and key resources following the judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). Please see the Schrems II Resource Page for further information or an additional set of FAQs relating to Schrems II.
What did the judgment say about Privacy Shield?
The CJEU ruled the EU-US Privacy Shield invalid.
The EDPB has described the decision on Privacy Shield as follows in its FAQs: 'The Court considered that the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities. As a consequence of such a degree of interference with the fundamental rights of persons whose data are transferred to that third country, the Court declared the Privacy Shield adequacy Decision invalid.'
We transfer data from US to EU under Privacy Shield, what should we do?
While transfers from the EU to the US based on the EU-US Privacy Shield became illegal on 16 July 2020, transfers from the US to the EU were not directly under consideration. An alternative mechanism (as specified below) must be in place for the transfers to continue between the EU and US.
The Privacy Shield certification is, though, still being administered in the US, and applicable organisations in the US are not relieved of their obligations. On 28 September 2020, the US Department of Commerce ('DoC') released a white paper analysing US intelligence agency related laws in order to assist organisations in assessing whether transfers to the US can maintain an adequate level of protection for personal data.
Has the Switzerland-US Privacy Shield been affected?
Following the CJEU Decision and a review, the Federal Data Protection and Information Commissioner ('FDPIC') has confirmed that the Swiss-US Privacy Shield 'does not provide an adequate level of protection for data transfer from Switzerland to the US'. The FDPIC notes, however, that the Privacy Shield continues to exist and can provide specific protection for data subject rights. Furthermore, the FDPIC noted that its assessment of the Swiss-US Privacy Shield is subject to deviating rulings by Swiss courts.
Further information: FDPIC press release and Switzerland: FDPIC calls into question protection afforded by Swiss-US Privacy Shield
What do we do if our processor is transferring data onward to the US?
The EDPB emphasises that vigilance should be maintained in monitoring whether a processor intends to transfer, or currently transfers, data onward to the US. While authorisation from the data controller must be sought for the use of a subprocessor in a third country, the EDPB notes that care should be taken in regard to such authorisations, as the existence of onward transfers may only be implied rather than stated expressly.
The EDPB further clarifies: 'If your data may be transferred to the U.S. and neither supplementary measures can be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection as afforded in the EEA provided by the transfer tools, nor derogations under Article 49 GDPR apply, the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the U.S. Data should not only be stored but also administered elsewhere than in the U.S.
If your data may be transferred to another third country, you should also verify the legislation of that third country to check if it is compliant with the requirements of the Court, and with the level of protection of personal data expected. If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.'
What did the judgment say about Standard Contractual Clauses ('SCCs')?
The CJEU ruled that SCCs were valid, but that additional mechanisms may be required to ensure adequate protection of personal data.
The EDPB has described the decision on SCCs as follows in its FAQs: '[SCCs'] validity, the Court added, depends on whether the 2010/87/EC Decision [on SCCs] includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honour them.
In that regard, the Court points out, in particular, that the 2010/87/EC Decision imposes an obligation on a data exporter and the recipient of the data (the 'data importer') to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned, and that the 2010/87/EC Decision requires the data importer to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clauses, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer.'
Further information: International: What does the Schrems II Case mean for exporters and importers of personal data from the EU to third countries, 2010/87/EC Decision, and Schrems II: Post-Schrems II guidance on data transfers from the LfDI Baden-Württemberg
What is an SCCs 'assessment'?
The CJEU decision clarified that SCCs on their own do not necessarily provide for adequate protection of personal data and, therefore, data exporters and importers are required to verify that such protection is maintained. The EDPB clarifies: 'the Court points out, in particular, that the 2010/87/EC Decision imposes an obligation on a data exporter and the recipient of the data (the "data importer") to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned, and that the 2010/87/EC Decision requires the data importer to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clauses, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer.'
The EDPB further notes that: 'The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness.'
Further information: 2010/87/EC Decision, and Schrems II: Post-Schrems II guidance on data transfers from the LfDI Baden-Württemberg
Who is responsible for assessments?
The CJEU decision primarily refers to the responsibilities of both data exporters and importers. The EDPB clarifies: 'You can contact your data importer to verify the legislation of its country and collaborate for its assessment. Should you or the data importer in the third country determine that the data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EEA, you should immediately suspend the transfers. In case you do not, you must notify your competent supervisory authority.
Although, as underlined by the Court, it is the primary responsibility of data exporters and data importers to assess themselves that the legislation of the third country of destination enables the data importer to comply with the standard data protection clauses or the BCRs, before transferring personal data to that third country, the SAs will also have a key role to play when enforcing the GDPR and when issuing further decisions on transfers to third countries.
As invited by the Court, in order to avoid divergent decisions, they will thus further work within the EDPB in order to ensure consistency, in particular if transfers to third countries must be prohibited.'
What forms of 'supplementary measures' could be used?
The EDPB has noted that it is 'looking further into what these supplementary measures could consist of and will provide more guidance.' The EDPB also specifies that it is the responsibility of the data exporter and importer to provide such measures.
In general terms, typical additional security measures may include anonymisation, encryption, further binding contractual clauses, and similar safeguards. However, the applicability of any of these measures would need to be considered on a case-by-case basis.
Further information: Is the US 'essentially equivalent' with Schrems II? Legal analysis (webinar and key takeaways), and Schrems II: Post-Schrems II guidance on data transfers from the LfDI Baden-Württemberg
BCRs and Other Mechanisms
What mechanisms other than Privacy Shield are available?
The GDPR provides for several alternative mechanisms that enable data transfers, including SCCs, BCRs, and approved codes of conduct or certification mechanisms. However, the CJEU decision applies to any of these mechanisms, and thus the data exporter and importer may need to ensure adequate protection through additional measures.
A select set of jurisdictions have also been established as providing adequate protection. In addition, the GDPR sets out derogations under Article 49 that may be used to enable transfers, including explicit consent and for certain contractual purposes.
How have other mechanisms been affected?
The CJEU decision establishes a threshold of protection below which a transfer mechanism is invalid. This threshold applies to transfers to the US through other mechanisms, and may also impact transfers to other third countries. The EDPB has suggested: 'In general, for third countries, the threshold set by the Court also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country. U.S. law referred to by the Court (i.e., Section 702 FISA and EO 12333) applies to any transfer to the U.S. via electronic means that falls under the scope of this legislation, regardless of the transfer tool used for the transfer.'
The EDPB further noted that it 'will assess the consequences of the judgment on transfer tools other than SCCs and BCRs. The judgement clarifies that the standard for appropriate safeguards in Article 46 GDPR is that of "essential equivalence".'
How have BCRs been affected?
The CJEU decision sets a threshold for data transfers to third countries that also applies to BCRs. The EDPB has explained: 'Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool.
Whether or not you can transfer personal data on the basis of BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority.'
We're a US company, what do we need to know?
If your organisation transfers data from the EU, please consult the Schrems II Portal, which contains the latest information and guidance. Key resource: International: Privacy earthquake - GDPR compliance for US companies post-Schrems II
We're an EU company, what do we need to know?
If your organisation transfers data outside the EU, please consult the Schrems II Portal for the latest information and guidance. Key resource: International: What does the Schrems II Case mean for exporters and importers of personal data from the EU to third countries
How do we approach this decision? What, practically, should we be doing?
Ultimately, the strategy taken will depend on the organisation. However, you may find the following resources to be of particular use:
- EU: Practical steps post-Schrems II - Reconciling theory with reality
- International: Privacy earthquake - GDPR compliance for US companies post-Schrems II
- Is the US 'essentially equivalent' with Schrems II? Legal analysis (webinar and key takeaways)
- International: What does the Schrems II Case mean for exporters and importers of personal data from the EU to third countries
- International: Future international data transfer considerations
- Schrems II: Post-Schrems II guidance on data transfers from the LfDI Baden-Württemberg
What have supervisory authorities been saying?
How have NOYB and Max Schrems responded?
None of your business ('NOYB') published, on 20 July 2020, its two model request texts and frequently asked questions ('the FAQs') on EU-US data transfers following the CJEU decision. The first of NOYB's model request texts, which is for data transfers to US data importers still using SCCs, can be sent to any US partner or any EU partner with US ties ('the SCCs Model Text'), and the other model request text is for providers that process data in the EU/EEA but have US ties ('the US Ties Model Text'). NOYB highlighted that the SCCs Model Text sets out the elements that any EU controller or processor should request from any US controller or processor when continuing to use SCCs, and that the US Ties Model Text sets out the elements that any EU controller or processor should request from any EU controller or processor with ties to the US, such as an EU provider with a US parent company. NOYB published, on 28 July 2020, an exchange of letters in which Maximilian Schrems asks the Irish Data Protection Commissioner ('DPC') to take action with regard to his complaint. NOYB announced, on 17 August, that it had filed 101 complaints related to EU-US data transfers following the CJEU decision.
On 9 September 2020, NOYB published a further set of letters exchanged with the DPC and Facebook Ireland, highlighting that NOYB was calling on the DPC to, among other things, investigate Facebook's transfers based on other legal bases, such as Article 49 of the GDPR.