On July 24, 2020, the European Data Protection Board (the “EDPB”) published Frequently Asked Questions (the “FAQs”) on the judgment of the Court of Justice of the European Union (the “CJEU”) in the Schrems II case (case C-311/18).
In its judgment, handed down on July 16, 2020 (ACS Blog Summary) the CJEU upheld the validity of the Standard Contractual Clauses (the “SCCs”) the European Commission issued to support the lawful transfer of personal data to data processors outside of the EU. At the same time, it struck down the EU-U.S. Privacy Shield framework. The FAQ responds to some of the many questions the Schrems II ruling raises:
- The decision allows for no grace period for companies that relied on the EU-U.S. Privacy Shield framework. According to the EDPB, transfers based on the EU-U.S. Privacy Shield framework are now unlawful.
- The CJEU’s assessment of U.S. law must be taken into account for any transfers of personal data to the U.S., in all cases. Therefore, when a company transfers personal data to the U.S. based on SCCs or Binding Corporate Rules, the company must assess whether the data transferred can be protected adequately.
- To transfer data to the U.S., companies can rely on the exemptions articulated in Article 49 of the GDPR, provided that the conditions as interpreted by the EDPB in its guidance on Article 49 of the GDPR are met.
- According to the EDPB, when personal data is transferred to a country other than the U.S. based on SCCs or BCRs, the threshold set by the CJEU for transfers to the U.S. also applies. The data exporter and data importer are responsible for assessing whether the level of protection of a country of destination meets the level required by EU law and whether the laws of the destination country enable the data importer to comply with the SCCs or BCR. If they don’t, additional measures must be taken to ensure an essentially equivalent level of protection as provided under the GDPR.
- The kind of supplemental measures companies should implement when using SCCs or BCRs should be assessed on a case-by-case basis. The EDPB will provide further guidance on what supplemental measures may be appropriate.
- Companies should verify whether the processors they use to transfer data to the U.S. If they do, and such transfers are not considered adequate, companies must re-negotiate their contracts to forbid transfers to the U.S. The same applies to transfers to processors located in other third countries that do not meet the requirements set forth in the Schrems II ruling.
The Schrems II ruling changes the regulatory climate, heightens scrutiny, and alters how you comply with GDPR when making data transfers. To assist you in sorting through the implications of the Schrems II ruling for your company’s data transfer practices, click below for the EDPB FAQs, and our webinar on the Schrems II ruling.
To download the EDPB FAQs click here.
To view, the Schrems II ruling click here
We invite you to a 30-minute consultancy to discuss your specific challenges in complying with GDPR post the Schrems II ruling. We can support you in assessing how to mitigate the compliance risk of your existing data transfers strategically, legally, operationally with emphasis on practical solutions.
Achieved Compliance, we make GDPR compliance easy and straight forward.