One of the primary topics addressed by the FAQs was the finding of the court that personal data exporters are required to undertake an assessment of whether the data importer can provide adequate protections to the personal data, in light of the laws to which they are subject that govern law enforcement access to data. With respect to transfers to the United States under the European Commission Standard Contractual Clauses (SCCs), the FAQ explains:
Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data.
This makes clear that the authorities expect companies to undertake individualized assessments of their data transfers on a case-by-case basis. But importantly, it acknowledges that consistent with the Schrems II decision, there can be individualized assessments that can continue to justify transfers under the SCCs, even to the United States. To that end, organizations reliant on the SCCs for transfers should start to document their transfers and the assessments that justify those transfers.
Besides the points about individualized assessments, the FAQs contained a number of other key take-aways.
- Transfers reliant on Privacy Shield are viewed by the authorities as immediately unlawful. As when Safe Harbor was invalidated, transfers reliant on Privacy Shield were immediately rendered unlawful when the Schrems II decision was announced.
- There is no announced grace period for enforcement. One of the hopes was that the EDPB would announce a grace period from enforcement for organizations to have time to apply the decision to their existing data transfers. In October 2015, after the court invalidated Privacy Shield's predecessor, the EU-U.S. Safe Harbor framework, the European authorities issued a press release stating they would work towards alternatives until January 2016 before taking enforcement action.
No such grace period was announced here. The only reference to a grace period in the FAQs is a statement that there is no "grace period during which [organizations] can keep on transferring data to the U.S. without assessing [their] legal basis for the transfer." This does not specifically mean that authorities will start enforcing the decision right away against transfers invalidated by the opinion. However, the best way to avoid enforcement risk—and a clear implication from the FAQs—is to start taking steps to comply with the decision, such as by documenting data flows and assessing their lawfulness.
- If organizations do not undertake a satisfactory self-assessment of existing data flows to countries outside of Europe, the EDPB's expectation is for data exporters to strictly prohibit those transfers. Where, for existing relationships "the contract . . . indicates that data may be transferred to the U.S. or to another third country," the EDPB provides the following guidance: "If your data may be transferred to the U.S. and neither supplementary measures can be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection as afforded in the EEA provided by the transfer tools, nor derogations under Article 49 GDPR apply, the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the U.S. Data should not only be stored but also administered elsewhere than in the U.S." Notably, ceasing transfers to the U.S. is not a requirement of the opinion. This emphasizes the need to undertake a nuanced assessment of the protections afforded to the transfers.
- Individualized assessments are required for BCRs, too. The FAQs expressly state that the individualized assessment needs to be done for Binding Corporate Rules and other transfer mechanisms used to justify the transfer of personal data outside of the EU, in addition to SCCs.
- Supplementary measures can help transfers, and further guidance is forthcoming. The FAQs expressly acknowledge that supplementary measures can help legitimize data transfers notwithstanding national security surveillance laws, although the EDPB left those for another day. After reiterating that it is the parties' responsibility to assess transfers, the FAQs state: "The EDPB is currently analysing the Court's judgment to determine the kind of supplementary measures that could be provided in addition to SCCs and BCRs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own. The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance." While we will have to wait for this further guidance, companies can start to do their own assessments of how they can undertake supplementary measures to meet the standards of the opinion.
- Consent and other derogations can be used for cross-border transfers, but are not favored for systematic transfers. The FAQs discuss the derogations under Art. 49 of the GDPR that would allow transfers where there is not an existing adequacy mechanism. They clarified that the EDPB's existing guidance on these derogations holds, which in turn makes clear that the derogations should be used only in limited circumstances and not for systematic transfers. However, in the right circumstances, it might be worthwhile to look to some of these derogations for individual transfers, such as transfers pursuant to consent. The FAQ notes that where the consent derogation is used, the consent prompt should sufficiently inform data subjects about the possible risks of the transfer to the United States and other non-adequate jurisdictions.
In the weeks since the Schrems II decision, individual data protection authorities have also published views on the implications of the ruling. For reactions published by individual DPAs, see our summary here.
Authored by Bret Cohen