On Friday, July 24, 2020, the European Data Protection Board (EDPB) published some answers to the frequently asked questions on the Schrems II Judgment of the Court of Justice of the European Union, previously discussed in this blog.
Although several European authorities have already stated a position on the repercussions of the Schrems II Judgment, the EDPB's guidelines are particularly relevant, as the EDPB comprises representatives of all the European authorities and its guidelines show the consensus among them.
Thus, the EDPB has clarified the following issues:
Decision 2016/1250 creating the Privacy Shield
The Privacy Shield did not provide an adequate level of protection due to US rules restricting European citizens’ data protection rights. Therefore, the Schrems II Judgment declared the Privacy Shield contrary to EU law.
Consequently, the EDPB clarifies that, since the Schrems II Judgment, transferring personal data to the United States under the guarantees of the Privacy Shield is illegal. Data controllers are obliged to look for alternative guarantees that establish an adequate level of protection to be able to continue transferring personal data to the United States, or, alternatively, they must suspend the flow of data to the United States.
Moreover, the EDPB has clarified that there is no grace period for data controllers to adapt to this circumstance.
Decision 2010/87 of the European Commission approving Standard Contractual Clauses (SCC)
The Schrems II Judgment states that, in theory, the SCC are valid to transfer personal data outside the European Economic Area. However, since it is a non-binding contractual mechanism for the third country in which the personal data will be processed, the parties must analyze whether the regulations in that country make it impossible to enforce the SCC, such as monitoring rules allowing authorities to access data without adequate guarantees.
The EDPB specifies that, when transferring personal data to the United States, we must analyze whether the recipient of the data in the United States is subject to section 702 of the Foreign Intelligence Surveillance Act (FISA), Executive Order 12333 or other regulations preventing fulfilling the guarantees established in the SCC. If the recipient of the data is subject to regulations of this type, the SCC will not provide sufficient guarantees either, since they cannot be fulfilled in all their points.
This analysis applies if personal data are transferred outside the European Economic Area and not only when they are transferred to the United States.
The EDPB is analyzing what additional measures could be implemented to guarantee an adequate level of protection when the SCC are not sufficient.
Binding corporate rules and other guarantees
The reasoning of the Schrems II Judgment on SCC also applies to the other guarantees that the regulations offer to give personal data transfers outside the European Economic Area an adequate level of protection.
Therefore, the data controller must analyze whether the binding corporate rules it uses to transfer personal data within its group create an adequate level of protection and are fully applicable in all the data destination countries. It will not be possible to use this mechanism to transfer personal data to a third country whose regulations prevent an adequate level of protection.
Article 49 of the General Data Protection Regulation (GDPR)
The EDPB also mentions the possibility of transferring personal data outside the European Economic Area on an exceptional basis for one-off transfers. Article 49 of the GDPR authorizes these one-off transfers if: (i) the data subject's express consent is obtained; (ii) the transfer is necessary to perform the agreement; (iii) the transfer is necessary for important reasons of public interest established by the EU or a Member State's regulations; (iv) the transfer is necessary to file, exercise or defend claims; (v) the transfer is necessary to protect the vital interests of the data subject or other individuals, when they are physically or legally incapable of giving their consent; or (vi) the transfer is made from a public registry that, in accordance with EU or Member State domestic law, seeks to provide information to the public and can be consulted by the general public or any person who can prove a legitimate interest, but only if the criteria established by EU or Member State domestic law are fulfilled in each specific case.
The EDPB specifies that most of the cases in which the application of article 49 of the GDPR is analyzed will fall under one of the first three exceptions. The compliance of these transfers with the regulations must be analyzed case by case, and the data controller's duty of information will be particularly relevant, as it must transparently inform the data subject that the data are not being transferred under guarantees providing an adequate level of protection.
By Alejandro Negro / Pedro Méndez de Vigo