Schrems II

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its judgment on Case C-311/18 (the Schrems II judgment). In this ruling, the CJEU invalidates Decision 2016/1250 (EU-US “Privacy Shield”) adopted by the European Commission (“EC”) and confirms the validity, in general terms, of EC Decision 2010/87 (the Standard Contractual Clauses, “SCCs”). Following the earthquake caused by this judgment, we are starting to see the first reactions from European data protection authorities. We summarize some of the first declarations published below.

European Data Protection Board

On the same day the Schrems II judgment was issued, the European Data Protection Board (“EDPB”) issued a press release drawing the following conclusions:

  • With regard to the Privacy Shield, it states that it had already expressed doubts about the legal feasibility of the agreement in its second and third annual reports on the subject.
  • In relation to the SCCs, it understands that the signatories are responsible for analyzing whether the personal data destination country permits their complete fulfillment by the parties and does not impose policing rules that prevent reaching a sufficient level of protection. In conducting this analysis, they must take into account the content of the SCCs, as well as the circumstances surrounding the transfer of personal data and the legal regime applicable in the third country to which the data are transferred. When assessing the adequacy of the level of protection, the non-exhaustive factors set out under Article 45.2 of the General Data Protection Regulation (“GDPR”) on adequacy assessment may be considered.
  • The EDPB also takes note of the authorities’ obligation to suspend or prohibit transfers to third countries that use SCCs when they consider them insufficient to guarantee an adequate level of protection.
  • The EDPB recalls that it issued guidelines on Article 49 GDPR and advises that this mechanism to make personal data transfers outside the European Economic Area is an exception to the general rule and that the analysis on its applicability must be conducted on a case-by-case basis.

Finally, the EDPB underlines that it is preparing more developed guidelines to help the affected companies take the appropriate steps over the following months.

The EDPB is composed of representatives from the different European data protection authorities, and the European Data Protection Supervisor (“EDPS”). To give an idea of the sense of these guidelines, it may prove useful to analyze the statements of some EDPB members.

European Data Protection Supervisor (“EDPS”)

In its press release, the EDPS emphasizes that one of the reasons why the CJEU invalidated the Privacy Shield is that it is impossible for European data subjects to defend themselves before the United States courts if their personal data is accessed. In recent years, the right to effective legal protection in the context of data protection has ceased to be an exclusively European fundamental right and has become a right recognized in most countries worldwide. Therefore, the EDPS trusts that an agreement can be reached on this point when creating a new mechanism to allow personal data to be transferred to the United States.

Furthermore, as supervisor of the European institutions, the EDPS takes note that, although SCCs remain valid as a general rule, their use requires a case-by-case analysis, depending on the destination country of the data. Taking this into account, it will analyze the consequences for the European institutions.

Irish Data Protection Commission (“DPC”)

The DPC concludes that, according to the CJEU, what is important is that, regardless of the mechanism used, the level of protection afforded to the personal data of EU citizens in the third countries to which their data are transferred must be equivalent to the level of protection existing in the European Union.

With regard to using SCCs, it interprets that, although they are in principle a valid mechanism, a case-by-case analysis must be conducted to ensure that they actually guarantee a sufficient level of protection.

German Federal Commissioner for Data Protection and Freedom of Information (“BfDI”)

The BfDI also issued a statement on the same day as the Schrems II judgment was issued. The BfDI stresses that the judgment continues to allow international data traffic; however, the processing must bear the necessary guarantees to ensure a sufficient level of protection in all the countries to which the personal data are transferred.

In addition to the BfDI, several of Germany’s regional data protection authorities have stated a position on this. The Berlin Data Protection Authority believes the Schrems II judgment clearly establishes that it does not produce a legal vacuum for transferring data internationally, and so it is not possible to establish a grace period on applying the consequences of the Schrems II judgment.

The Rhineland-Palatinate Data Protection Authority shares this conclusion. Furthermore, with regard to using SCCs to transfer personal data to the United States, it will be necessary to analyze whether the company to which the data are transferred is subject to monitoring, under regulations such as the Foreign Intelligence Surveillance Act. If it is monitored, it is likely that it will not be possible to use SCCs, as their application cannot be guaranteed.

The following supervisory authorities have also stated a position (you can access the different press releases by clicking on the authority’s name):

By Alejandro Negro and Pedro Méndez de Vigo
