In July 2020 the Court of Justice of the European Union (CJEU) delivered its judgement in the Schrems II case, in which it declared that the Privacy Shield mechanism, which enabled the legal transfer of personal data from the EEA to the US, is invalid. This is mainly because US laws, which do not follow the principle of proportionality included in the GDPR, allow US surveillance authorities excessive access to and use of personal data. In addition, no remedy is available to EU data subjects to ensure protection of their personal data after it has been transferred to the US. Organizations that have relied on the Privacy Shield mechanism must, post Schrems II, have alternative transfer mechanisms in place in order to be able to legally transfer personal data from the EEA to the US. Such alternative transfer mechanisms may, amongst others, include Standard Contractual Clauses (SCC).
For international data transfers SCCs are commonly used, especially when the receiving country has not been recognized by the EU Commission as providing an adequate level of data protection. In the Schrems II case the CJEU confirmed that SCCs remain valid. Organizations relying on SCCs must, however, ensure that the SCCs provide a level of protection for the data subjects that is essentially equivalent to that guaranteed by the GDPR, read in the light of the Charter of Fundamental Rights of the European Union. In practice this means the following:
- Prior to any transfer the level of protection of the personal data must be verified by the exporter together with the data importer. This entails, amongst other things, that the laws of the destination third country to which data is transferred must allow compliance with the GDPR.
- If the destination third country does not provide for a sufficient level of protection, organizations may still legally transfer the personal data if the exporter implements supplementary measures that bring the protection of personal data in the destination third country up to a level essentially equivalent to that provided by the GDPR (the CJEU did not, however, specify in its Schrems II judgement what these “supplementary measures” could be).
- The competent supervisory authority must suspend or prohibit a transfer of personal data outside of the EEA if the SCCs are not or cannot be complied with in the destination third country and the data subject to the transfer cannot be protected by other means.
Recommendation on “supplementary measures” to ensure compliance with the EU level of protection of personal data
Since the CJEU's Schrems II judgement lacks guidance on how possible gaps in the level of protection of personal data provided by the GDPR are to be filled and what supplementary measures could be implemented, the European Data Protection Board adopted its recommendations on the matter in November 2020, comprising two documents:
- Recommendation 01/2020 on measures that supplement transfer tools (such as the SCCs) to ensure compliance with the EU level of protection of personal data. The recommendation contains a six-step road map for assessing transfers to destination third countries deemed not to provide adequate protection.
- Recommendation 02/2020 on the European essential guarantees for surveillance measures. The recommendation assists data exporters with the assessment of foreign laws (their compliance with the GDPR) and provides guidance on whether interference by public authorities, in the destination third country, allowing access to personal data for criminal law enforcement or national security purposes impinges on the effectiveness of, for example, SCCs and whether this can be regarded as a justifiable interference or not.
The above recommendations are quite long and complex, but in short, what all organizations should do is map the non-EEA recipients of personal data and the transfer mechanism relied on. If SCCs have been used, due diligence on whether the destination third country provides for the required level of protection should be carried out together with the importer of the data. If the outcome of the assessment is that further supplementary measures must be put in place, these must be identified and implemented (Recommendation 01/2020 contains examples of technical, contractual and organizational supplementary measures that organizations may adopt). Post Schrems II, supplementary measures are needed if SCCs are used for the transfer of personal data from the EEA to the US (since the CJEU has confirmed that the level of data protection in the US is not essentially equivalent to that of the EU and the GDPR).
The EU Commission has published draft new SCCs and, once these are approved, organizations have 12 months from the date the new SCCs enter into force to replace any existing SCCs currently being relied upon. The new SCCs contain specific sets of clauses for processor-to-processor and processor-to-controller personal data transfers (SCCs currently in force only cover controller-to-controller and controller-to-processor transfers) and allow new parties (data exporter/importer) to accede to the SCCs at any time by executing a specific annex to that effect. While the new SCCs will address some of the issues raised by Schrems II, it is still the responsibility of the data exporter (controller or processor) to ensure that personal data is adequately protected as discussed above.
A feedback period on the draft SCCs will run until 10 December – the new SCCs are likely to be published in final form in early 2021.
Brexit – transfer of personal data to the UK after end of transitional period 31.12.2020
Following the end of the Brexit transitional period on 31 December 2020, the GDPR will not apply to the UK and the UK will be regarded as a third country from a GDPR perspective. At the moment the UK is seeking an adequacy decision from the EU Commission which, if granted, will automatically enable personal data transfers from the EEA to the UK. Should the adequacy decision not be granted, any transfer of personal data from the EEA to the UK must be made using the transfer tools (such as the SCCs) provided by the GDPR.