The Court of Justice of the European Union (CJEU)’s landmark decision in Schrems II, which invalidated the EU-U.S. Privacy Shield, requires businesses to rethink the mechanism they can rely on to transfer personal data from the EU to the United States and other third countries. After several EU data protection authorities (DPAs) published their reactions, the European Data Protection Board (EDPB), the body comprising, inter alia, the national DPAs of all EU Member States, presented its guidance in the form of an FAQ.
At the time of its publication, the guidance comprises 12 FAQs and is expected to be updated with further analysis. While the EDPB notes that supplementary measures may be necessary when using standard contractual clauses (SCCs), it does not specify what those measures are, promising further guidance in the future. Summarized below are the key takeaways from the EDPB’s guidance.
- There is no grace period for EU-U.S. Privacy Shield certified organizations to put in place a new transfer mechanism. (FAQ 3)
- Transfers based on the EU-U.S. Privacy Shield are illegal. (FAQ 4)
On the use of SCCs (FAQ 5, 9):
- If the country of destination does not provide sufficient protection, SCCs may still serve as a transfer mechanism, provided supplementary measures are put in place. The EDPB is currently analysing which supplementary measures are necessary and will issue further guidance on them.
- If SCCs continue to be used (a) with a country of destination that does not provide an adequate level of protection and (b) without supplementary measures, the parties to the transfer should suspend or end the transfer; if they nonetheless intend to continue transferring, they must inform the competent DPA.
On the use of Binding Corporate Rules (BCRs) (FAQ 6, 9):
- In principle, the Schrems II judgment applies to BCRs as well.
- In relation to BCRs, companies should assess the law of the country of destination, put in place supplementary measures if the level of protection is not adequate, and inform the competent DPA if the transfer continues. If supplementary measures cannot be put in place, transfers should end.
On the use of Art. 49 GDPR exceptions (FAQ 8):
- Use of the Art. 49 GDPR derogations (e.g., explicit, specific, and informed consent; occasional transfers necessary for the performance of a contract; transfers necessary for important reasons of public interest, as recognized in EU or Member State law) may be permissible depending on the circumstances.
When none of the transfer options work, data should be localized (FAQ 12):
- If data controllers use data processors that transfer data to the U.S., the EDPB states “the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the U.S.” The EDPB further notes that: “If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory and all processing activities should take place in the EEA.”