Background and Issue
On July 16, 2020, the CJEU invalidated the EU–U.S. Privacy Shield with immediate effect in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (called "Schrems II," see our previous Commentary on this case). The court upheld the EU Standard Contractual Clauses ("SCCs") for the transfer of personal data to processors outside the European Union/European Economic Area ("EU/EEA") under certain conditions, underscoring the need for companies to conduct an assessment of whether "supplementary measures" needed to be adopted to provide for an essentially equivalent level of data protection.
Lack of Practical Guidance from Authorities
Since then, various authorities on either side of the pond have commented on their understanding of the Schrems II judgment and its far-reaching implications, while companies have waited for practical suggestions. For instance, the Berlin Data Protection Commissioner called on all data exporters under its supervision to (re-)transfer personal data stored in the United States to the European Union, while explicitly pointing to "dissuasive" claims by data subjects for nonmaterial damages in cases of noncompliance. In its FAQs adopted a week after the CJEU's decision, the European Data Protection Board stated, among other things, that a grace period for enforcement cannot be guaranteed and that it will have to further look into what supplementary measures need to be adopted in addition to SCCs and Binding Corporate Rules ("BCRs").
U.S. Perspective on Schrems II
Two weeks after Schrems II, on July 31, 2020, the U.S. Department of Commerce updated its EU-U.S. Privacy Shield FAQs. In September this year, Deputy Assistant Secretary James Sullivan published a letter for the U.S. Department of Commerce accompanied by a White Paper on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II by the U.S. Department of Justice and the U.S. Director of National Intelligence. The White Paper states that U.S. privacy safeguards would "ensure that U.S. intelligence agencies' access to data was based on clear and accessible legal rules, proportionate access to data for legitimate purposes, supervision of compliance with those rules through independent and multi-layered oversight, and effective remedies for violations of rights." The EDPB did not comment on this White Paper.
EDPB Guidance
The landscape is clearing, at least slightly, with the EDPB's newly issued recommendations on supplementary measures ("Recommendations"). The Recommendations are open for public consultation until the end of November 2020. They contain a roadmap of next steps for companies exporting data from the EU/EEA to countries deemed not to provide adequate protection (so-called "Third Countries"). These steps are summarized below.
Summary of Steps Suggested by the EDPB
Know your transfers. Companies should start by identifying and mapping all transfers of personal data to Third Countries, including any transfers to data processors or subprocessors, as transfers may also be made by a party that is not the first recipient, such as in cases of onward transfers that happen in or between Third Countries. The EDPB confirms the view that remote access from a third country or the use of cloud storage is also considered to be a Third Country transfer.
Identify the transfer tools on which you are relying. Companies should use an appropriate transfer safeguard as required by the GDPR, such as the SCCs, BCRs, codes of conduct, certifications mechanisms, or ad hoc contractual clauses. Transfer safeguards must provide an essentially equivalent level of protection to the GDPR once implemented. A company may be able to rely on the derogations in Article 49 GDPR but only in occasional and nonrepetitive situations. If a company relies on an Adequacy Decision of the EU Commission for the intended destination country, no further steps are necessary, but the company must monitor the situation to confirm that the Adequacy Decision remains valid.
Assess whether the Article 46 GDPR transfer tool on which you are relying is effective in light of all circumstances of the transfer. Companies should evaluate each transfer to assess whether the laws of the Third Country apply to the data transferred, possibly with the assistance of the data importer (who should be more familiar with the relevant laws), and whether these laws impinge on the effectiveness of the appropriate safeguards being used. In particular, this assessment should focus on laws that require a disclosure of personal data to public authorities (e.g., criminal law enforcement, regulatory supervision, and national security agencies). To help determine whether such laws can be regarded as a justifiable interference that does not impinge on the transfer safeguards, the EDPB also published its Recommendations 02/2020 on the European Essential Guarantees for surveillance measures on the same day on which the Recommendations were published.
In this context, the Recommendations single out the case of a data importer falling under 702 FISA (which will be the case for many U.S.-based cloud providers) and introduce a new and high standard: the Recommendations provide that SCCs or other transfer tools "may only be relied upon for such transfer if additional supplementary technical measures make access to the data transferred impossible or ineffective" (emphasis added).
Adopt supplementary measures. If this "effectiveness test" fails, companies will need to adopt supplementary measures on a case-by-case basis. The EDPB specifies that contractual and organizational measures alone will generally not be sufficient and calls for technical measures that strengthen the overall level of protection of data.
Particular attention should be paid to the scenarios and use cases (see Annex 2 to the Recommendations) where the EDPB identified effective measures, mostly relating to encryption and key management. However, in certain scenarios (e.g., transfers to cloud services providers in Third Countries requiring access to data in clear form, or remote data access for business purposes), technical measures such as transport and data-at-rest encryption will not be considered to be an effective means. The EDPB recommends that further contractual and organizational measures should be taken in these circumstances but does not provide ready-to-use clauses (e.g., to supplement SCCs).
In any event, the EDPB stresses that the lists of examples are nonexhaustive. Companies may therefore take other supplementary measures if they meet the conditions to be effective.
Procedural steps if you have identified effective supplementary measures. Depending on the transfer safeguards a company is using or intending to use, it may need to take further procedural steps, such as contacting its competent data protection supervisory authority for approval. The EDPB has clarified that there is no need for an authorization from the supervisory authority when supplementary measures are applied in addition to SCCs, as long as they "do not contradict, directly or indirectly, the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined."
Re-evaluate at appropriate intervals. Companies should set up a process that allows for a re-evaluation of the level of data protection in the relevant Third Countries. These efforts also should be properly documented.
New Contractual Safeguards
Apart from the EDPB guidance summarized above, companies also need to be aware that the European Commission has published today (November 12) new draft SCCs, for which the feedback period will be running until December 10, 2020. This additional important development will help address the shortcomings identified in the Schrems II decision. While the draft SCCs will be useful, they do not fully remedy the broader issues identified in Schrems II.
Christopher Schmidt of the Frankfurt Office assisted in the preparation of this Commentary.
