On July 24, 2020, the European Data Protection Board (the “EDPB”) published Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II decision (case C-311/18). In its judgment, handed down on July 16, 2020 (ACS Blog Summary), the CJEU upheld the validity of the Standard Contractual Clauses (the “SCCs”) the European Commission issued to support the lawful transfer of personal data to data processors outside of the EU. At the same time, it struck down the EU-U.S. Privacy Shield framework.
The FAQs respond to some of the many questions the Schrems II ruling raises:
- The Schrems II decision allows for no grace period for companies that relied on the EU-U.S. Privacy Shield framework. According to the EDPB, transfers based on the EU-U.S. Privacy Shield framework are now unlawful.
- Any transfers of personal data to the U.S. must take into account the CJEU's assessment of U.S. law in all cases. Therefore, when a company transfers personal data to the U.S. based on SCCs or Binding Corporate Rules, the company must assess whether it can adequately protect the transferred data.
- Companies can rely on the exemptions articulated in Article 49 of the GDPR to transfer data to the U.S., provided they meet the conditions as interpreted by the EDPB in its guidance on Article 49 of the GDPR.
- As per the EDPB, when transferring personal data to a country other than the U.S. based on SCCs or Binding Corporate Rules (BCRs), the threshold set by the CJEU for transfers to the U.S. also applies. The data exporter and data importer are responsible for assessing whether the level of protection of a country of destination meets the level required by EU law and whether the laws of the destination country enable the data importer to comply with the SCCs or BCRs.
- Supplemental measures companies should implement when using SCCs or BCRs should be assessed on a case-by-case basis. The EDPB will provide further guidance on what supplemental measures may be appropriate.
- Companies should verify whether the processors they use transfer data to the U.S. If they do, and such transfers are not considered adequate, companies must re-negotiate their contracts to forbid transfers to the U.S. Further, the same applies to transfers to processors located in other third countries that do not meet the requirements set forth in the Schrems II ruling.
Schrems II Ruling for Your Company’s Data Transfer Practices
The Schrems II ruling changes the regulatory climate, heightens scrutiny, and alters how you comply with GDPR when making data transfers. To assist you in sorting through the implications of the Schrems II ruling for your company’s data transfer practices, click below for the EDPB FAQs, and our webinar on the Schrems II ruling.
Download the EDPB FAQs by clicking here.
View the Schrems II ruling by clicking here.
We invite you to a 30-minute consultancy to discuss your specific challenges in complying with GDPR after the Schrems II ruling. Furthermore, we can support you in assessing how to mitigate the compliance risk of your existing data transfers strategically, legally, and operationally, with emphasis on practical solutions.
Here at Achieved Compliance, we make GDPR compliance easy and straightforward. Contact us today.