Schrems II FAQs
The CJEU's decision in the Schrems II case was one of the biggest talking points of 2020. In these Schrems II FAQs we look to answer some of the frequently asked questions relating to the status of international data transfers to and from the European Union.
- We transfer data from the US to the EU under Privacy Shield, what should we do?
- Has the Switzerland-US Privacy Shield been affected?
- What do we do if our processor is transferring data onward to the US?
- What did the judgment say about Standard Contractual Clauses?
- What is an SCCs 'assessment'?
- Who is responsible for assessments?
- What forms of 'supplementary measures' could be used?
- What are the European Commission's Modernized SCCs?
- What mechanisms other than Privacy Shield are available?
- How have other mechanisms been affected?
- How have BCRs been affected?
- What do I need to consider in a third-country assessment?
- What is essential equivalence?
- What are the EDPB’s recommendations for supplementary measures?
- What are the EDPB’s recommendations on essential guarantees?
- When can we expect the EDPB’s final guidance on data transfers post-Schrems II?
While transfers from the EU to the US based on the EU-US Privacy Shield became illegal on 16 July 2020, transfers from the US to the EU were not directly under consideration. An alternative mechanism must be in place for transfers between the EU and the US to continue.
The Privacy Shield certification is, though, still being administered in the US, and applicable organizations in the US are not relieved of their obligations. On 28 September 2020, the US Department of Commerce ('DoC') released a white paper analyzing US intelligence agency-related laws in order to assist organizations in assessing whether transfers to the US can maintain adequate protection for personal data.
Following the CJEU Decision and a review, the Federal Data Protection and Information Commissioner ('FDPIC') has confirmed that the Swiss-US Privacy Shield "does not provide an adequate level of protection for data transfer from Switzerland to the US." The FDPIC notes, however, that the Privacy Shield continues to exist and can provide specific protection for data subject rights. Furthermore, the FDPIC noted that its assessment of the Swiss-US Privacy Shield is subject to deviating rulings by Swiss courts.
- FDPIC Press Release
- OneTrust DataGuidance Insight: Switzerland: FDPIC calls into question protection afforded by Swiss-US Privacy Shield
The EDPB emphasizes that vigilance should be maintained in monitoring whether a processor intends to transfer, or currently transfers, data onward to the US. While the data controller's authorization must be sought for the use of a sub-processor in a third country, the EDPB notes that care should be taken with such authorizations, as the transfers they cover may only be implied rather than stated explicitly.
The EDPB further clarifies: 'If your data may be transferred to the U.S. and neither supplementary measures can be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection as afforded in the EEA provided by the transfer tools, nor derogations under Article 49 GDPR apply, the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the U.S. Data should not only be stored but also administered elsewhere than in the U.S.
If your data may be transferred to another third country, you should also verify the legislation of that third country to check if it is compliant with the requirements of the Court, and with the level of protection of personal data expected. If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.'
The CJEU ruled that SCCs were valid, but that additional mechanisms may be required to ensure adequate protection of personal data.
The EDPB has described the decision on SCCs as follows in its FAQs: '[SCCs] validity, the Court added, depends on whether the 2010/87/EC Decision [on SCCs] includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honor them.
In that regard, the Court points out, in particular, that the 2010/87/EC Decision imposes an obligation on a data exporter and the recipient of the data (the 'data importer') to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned, and that the 2010/87/EC Decision requires the data importer to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clauses, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer.'
- OneTrust DataGuidance Insight: International: What does the Schrems II Case mean for exporters and importers of personal data from the EU to third countries
- OneTrust DataGuidance Insight: Schrems II: Post-Schrems II guidance on data transfers from the LfDI Baden-Württemberg
The CJEU decision clarified that SCCs on their own do not necessarily provide for adequate protection of personal data and, therefore, data exporters and importers are required to verify that such protection is maintained. The EDPB notes that organizations: 'must assess, where appropriate in collaboration with the importer, if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the Article 46 GDPR transfer tool you are relying on, in the context of your specific transfer. Where appropriate, your data importer should provide you with the relevant sources and information relating to the third country in which it is established and the laws applicable to the transfer. [...] assessment should take into consideration all the actors participating in the transfer (e.g. controllers, processors, and sub-processors processing data in the third country), as identified in the mapping exercise of transfers. The more controllers, processors or importers involved, the more complex your assessment will be. You will also need to factor into this assessment any onward transfer that may occur. To this end, you will need to look into the characteristics of each of your transfers and determine how the domestic legal order of the country to which data is transferred (or onward transferred) applies to these transfers.'
The EDPB Recommendations on supplementary measures detail several factors to consider when conducting assessments and particularly emphasize the importance of ensuring that third-country law and practice do not infringe the rights and principles the transfer tool is meant to protect. In addition, the EDPB Recommendations on the European Essential Guarantees set out several factors to consider when assessing third countries.
- EDPB Recommendations on supplementary measures
- EDPB Recommendations on the European Essential Guarantees
The CJEU decision primarily refers to the responsibilities of both data exporters and importers. The EDPB clarifies: 'You can contact your data importer to verify the legislation of its country and collaborate for its assessment. Should you or the data importer in the third country determine that the data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EEA, you should immediately suspend the transfers. In case you do not, you must notify your competent supervisory authority.
Although, as underlined by the Court, it is the primary responsibility of data exporters and data importers to assess themselves that the legislation of the third country of destination enables the data importer to comply with the standard data protection clauses or the BCRs, before transferring personal data to that third country, the SAs will also have a key role to play when enforcing the GDPR and when issuing further decisions on transfers to third countries.
As invited by the Court, in order to avoid divergent decisions, they will thus further work within the EDPB in order to ensure consistency, in particular, if transfers to third countries must be prohibited.'
- OneTrust DataGuidance Insight: International: What does the Schrems II Case mean for exporters and importers of personal data from the EU to third countries
In general terms, typical additional security measures may include anonymization, encryption, further binding contractual clauses, and similar safeguards. However, the applicability of any of these measures would need to be considered on a case-by-case basis. The EDPB recommendations on supplementary measures for data transfers discuss several potential additional measures as well as how to assess their effectiveness. These include:
- Contractual obligations for technical measures, transparency, specific actions, or data subject rights
- Internal governance policies, especially within enterprise groups
- Accountability measures
- Data minimization methods
- Adoption of standards and best practices
- Regular reviews
- Data importer commitments
- OneTrust DataGuidance Key Takeaways: Is the US 'essentially equivalent' with Schrems II?
In June 2021, the European Commission adopted two sets of new SCCs: one for use between controllers and processors, and another for the transfer of personal data to third countries. The new SCCs are said to reflect the challenges of modern data transfers while offering flexibility and greater legal predictability for organizations using the mechanism.
On the adoption, Vice-President for Values and Transparency of the European Commission, Vera Jourová said: “In Europe, we want to remain open and allow data to flow, provided that the protection flows with it. The modernized Standard Contractual Clauses will help to achieve this objective: they offer businesses a useful tool to ensure they comply with data protection laws, both for their activities within the EU and for international transfers. This is a needed solution in the interconnected digital world where transferring data takes a click or two.”
In its press release, the European Commission highlighted that an 18-month transition period is available for controllers and processors that are using previous sets of standard contractual clauses.
- OneTrust Blog: European Commission Adopts New Standard Contractual Clauses (SCCs)
- European Commission Press Release: European Commission adopts new tools for safe exchanges of personal data
The GDPR provides for several alternative mechanisms that enable data transfers, including SCCs, BCRs, codes of conduct, and certification mechanisms. However, the CJEU decision applies to all of these mechanisms, and thus the data exporter and importer may need to ensure adequate protection through additional measures.
A select set of jurisdictions have also been established as providing adequate protection. In addition, the GDPR sets out derogations under Article 49 that may be used to enable transfers, including explicit consent and for certain contractual purposes.
- OneTrust DataGuidance Guidance Note: EU - GDPR - Data Transfers
The CJEU decision establishes a threshold below which a transfer mechanism is invalidated. This threshold applies to transfers to the US through other mechanisms and may also impact transfers to other third countries. The EDPB has suggested: 'In general, for third countries, the threshold set by the Court also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country. U.S. law referred to by the Court (i.e., Section 702 FISA and EO 12333) applies to any transfer to the U.S. via electronic means that falls under the scope of this legislation, regardless of the transfer tool used for the transfer.'
The EDPB further noted that it 'will assess the consequences of the judgment on transfer tools other than SCCs and BCRs. The judgment clarifies that the standard for appropriate safeguards in Article 46 GDPR is that of "essential equivalence".'
The CJEU decision sets a threshold for data transfers to third countries that also applies to BCRs. The EDPB has explained: 'Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool.
Whether or not you can transfer personal data on the basis of BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These supplementary measures along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority.'
In its recommendations on supplementary measures for data transfers, the EDPB states: “Your assessment should be primarily focused on third-country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on and that may undermine its level of protection.” In particular, the EDPB highlights considerations of third-country legislation regarding access to data by public authorities for surveillance purposes.
In the absence of specific legislation relating to access to data by public authorities, other “relevant and objective factors” should be considered. These could include whether data subject rights and the safeguards of an Article 46 transfer tool can continue to be effectively applied, including a right of redress for data subjects in case of access to their data by public authorities in the third country.
Organizations transferring data to or from a third country must assess whether the safeguards used (e.g. SCCs or BCRs) offer a level of protection that is equivalent to that which is offered under EU law before the transfer takes place. Supplementary measures can be adopted to ensure that the appropriate safeguards and transfer mechanisms used to transfer data are ‘essentially equivalent’ to the level of protection offered under EU law.
- OneTrust DataGuidance Webinar: Schrems II Fallout - Understanding Essential Equivalence and What Businesses Should Do Now
The EDPB published a six-step roadmap for applying the accountability principle to data transfers and for assisting with third-country assessments. The six steps outlined by the EDPB are:
- Know your transfers
- Identify the transfer tools you are relying on
- Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
- Adopt supplementary measures
- Take procedural steps if you have identified effective supplementary measures
- Re-evaluate at appropriate intervals
In separate guidance, the EDPB outlined four European Essential Guarantees that constitute a standard reference for organizations to consider when ensuring that national surveillance measures would not impact the protection of personal data during data transfers. The four European Essential Guarantees are:
- Guarantee A - Processing should be based on clear, precise, and accessible rules
- Guarantee B - Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- Guarantee C - An independent oversight mechanism should exist
- Guarantee D - Effective remedies need to be available to the individual
The EDPB stressed that the European Essential Guarantees do not constitute a complete list of what is necessary to demonstrate essential equivalence in a jurisdiction.
With the consultation on the EDPB's guidance on data transfers post-Schrems II having closed on 21 December 2020, it is currently unknown when the EDPB will release the finalized version. However, the item did feature on the agenda for the EDPB's 48th plenary meeting in April 2021 as something under the EDPB's current focus.
- OneTrust DataGuidance Guidance Note: USA - Privacy Shield
Further Schrems II Resources:
- OneTrust DataGuidance Blog: The Definitive Guide to Understanding Schrems II
- OneTrust Webinar: Schrems II Live Q&A: Your Questions Answered
- OneTrust DataGuidance Webinar: The New Order: UK Adequacy, Privacy Shield, and International Data Transfers