Insights / 17-11-2020

The judgment handed down by the Court of Justice of the EU (CJEU) on 16 July 2020 in Schrems II ¹ had significant implications for the transfer of personal data outside of the European Economic Area (EEA).

Overview

Schrems II concerned the transfer of personal data to recipients in the US using the European Commission’s standard contractual clauses (SCCs) along with other safeguarding measures used to lawfully transfer personal data to third countries and questioned the validity of the EU-US Privacy Shield (Privacy Shield). The ruling therefore affected transfers of personal data from the EU/EEA to the US and/or countries outside the EU/EEA.

The judgment put an immediate end to the Privacy Shield as an adequate safeguard when transferring personal data outside the EU/EEA to the US (because the CJEU considered disproportionate the US Government’s use of personal data in surveillance programmes) and held that SCCs may be an adequate personal data transfer arrangement to jurisdictions outside the EU/EEA only if:

• in practice they guarantee the same level of protection for personal data as required by EU/EEA law; and
   
• the clauses are sufficient to protect personal data transfers where the law of the third country allows its security services to access such data.

The CJEU’s decision made clear that reliance on SCCs without further diligence would not be an acceptable approach. Since the ruling data exporters have needed to consider the law and practice of the country to which personal data will be transferred on a case-by-case basis, especially if public authorities may have access to the data.

Guidance

In light of the Schrems II decision, the European Data Protection Board (EDPB) recently adopted draft ‘Recommendations’² which aim to guide data exporters (controllers and processors) with their obligation to, where required, apply proper supplementary measures, to ensure an equivalent level of protection for the personal data they transfer to third countries. The Recommendations are due to be formalised after the consultation period is closed at the end of this month. Commentary suggests that significant changes are not likely so companies can start to incorporate them. The approach suggested by the EDPB is:

• Step 1: Identify your international data transfers
   
• Step 2: Identify the transfer mechanisms you are relying on
   
• Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer (i.e. assess the law in the third country)
   
• Step 4: If necessary, adopt supplementary measures to bring the level of protection up to EU/EEA standard
   
• Step 5: Take the procedural steps necessary to give effect to supplementary measures
   
• Step 6: Re-evaluate this process at appropriate intervals.

The European Commission has also been working on modernising the SCCs and such changes will take account of the requirements set out in Schrems II. The new SCCs are expected towards the end of this year.

What should businesses do?

• Work through the detailed EDPB guidance.
   
• Keep an eye out for further guidance from the ICO, other supervisory authorities, the EDPB and the European Commission.

The above does not constitute legal advice nor does it consider a complete list of issues to consider in the context of the GDPR. Should you have any queries, please do not hesitate to contact the authors of this article or your usual contact at Ince.

______________________

¹ Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (Schrems II). The judgment is available here.

² European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data Adopted on 10 November 2020. Available here.