As the CJEU has declared the EU-U.S. Privacy Shield invalid in its decision on Schrems II, data controllers now have to resort to different data protection safeguards when transferring data to the U.S. While Standard Contractual Clauses (SCCs) remain valid, the CJEU enforces some additional requirements if controllers wish to rely on them as a data protection safeguard. The statement by the EDPB (European Data Protection Board) helps controllers answer questions about continued U.S. or third country data transfers. We summarise the most important points and outline relevant guidance for future data transfers for companies and organisations that previously relied on the EU-U.S. Privacy Shield.
In the meantime, the EDPB has specified its recommendations on third country transfers.
The EDPB statement
First and foremost, the CJEU invalidated the EU-U.S. Privacy Shield without maintaining its effects, as the U.S. law assessed by the Court does not provide a substantially equivalent level of protection to the EU. This means that there is no transitional period applicable to companies or organisations that base their data transfers to the U.S. on the Privacy Shield and therefore these transfers must be prohibited immediately.
In other words, your business must now adhere to alternative safeguards for transfers to the U.S., such as SCCs and BCRs (Binding Corporate Rules), if you want to continue a dataflow that was previously based on Privacy Shield.
Alternative transfer tools: SCCs and BCRs
Companies that transfer data to a U.S. data importer adherent to the Privacy Shield could consider SCCs as a relevant alternative legal basis to continue data exports to the U.S., subject to some conditions. Data exporters have to take supplementary measures along with SCCs to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
In the case of BCRs, U.S. law also has primacy over this tool. Therefore, for both SCCs and BCRs, the data exporter has to assess case-by-case whether or not the transfer meets appropriate safeguards while taking into account the circumstances and possible supplementary measures. If this is not possible, the controller must stop any data transfers.
The EDPB emphasises that controllers must ensure that the data importer can guarantee a substantially equivalent standard in the case of data transfers outside the EU/EEA, according to Art. 46 GDPR. These necessary safeguards apply to SCCs and BCRs for transfers to the U.S. as well as to any other third country. Although the EDPB has not yet published clear guidance on how to assess whether or not appropriate safeguards are guaranteed, it announced it is planning on doing so.
Derogations of Art. 49 GDPR
The EDPB clarifies that it generally remains possible to transfer data from the EU/EEA to the U.S. based on derogations foreseen in Art. 49 GDPR if the respective conditions are fulfilled:
- Transfers based on the consent of the data subject are possible if the consent obtained is explicit, specific for the particular data transfer and informed, particularly to the potential risks of the transfer.
- Transfers for the performance of a contract between the data subject and the controller are possible if the transfer is merely occasional and objectively necessary for the performance of the contract.
- Transfers that are necessary for important reasons of public interest are allowed, only if an essential public interest can be established (not the nature of the organisation) and if such transfers do not take place on a large scale and in a systematic manner.
Data processing agreements
The EDPB pointed out that the controlling companies or organisations using processors must clarify if these processors transfer data to the U.S. or another third country. This information should be provided in the contract concluded with the processor under Art. 28 (3) GDPR (e.g. data processing agreement) and should contain authorisations for possible third country transfers. The EDPB advises companies and organisations to review the contracts and be particularly careful about possible sub-processors that processors use, as data is often stored or maintained in third countries especially in the case of computing solutions.
Controllers must act if a processing agreement indicates data transfers to the U.S. and neither providing supplementary measures to ensure a substantially equivalent level of protection nor any derogations under Art. 49 GDPR apply. In such cases, the only solution to continue using such services is to negotiate an amendment or supplementary clause to the contract and forbid transfers to the U.S. If data transfers to another third country are at stake, the controller must verify whether or not the legislation of that country makes compliance with an equivalent level of protection possible. Otherwise, data transfers must be suspended, and the controller must arrange for all processing activities to take place in the EU/EEA.
Recommendations for businesses
If you are a data controller and wish to continue to transfer personal data to the U.S. or another third country, there are several steps to follow. You can consult your organisation’s Data Protection Officer (DPO) for further support in implementing the necessary changes:
- Review your company’s international data transfers, which should be listed in the records of processing activities (ROPAs) under 30(1) GDPR, to identify transfers to the U.S. or third countries and the respective data importers.
- For all international data transfers that were previously based on the EU-U.S. Privacy Shield, ensure an alternative safeguard. The use of possible alternatives, such as SCCs, requires a previous assessment of the third country’s legislation. Additionally, a risk analysis focussing on the kind of data transferred, the scope of data transfers as well as technical and organisational measures in place can be helpful to determine the level of protection afforded.
- If relevant, update your company’s privacy policy on the website as well as other information letters to ensure compliance with the information duties under Articles 13 and 14 GDPR.
The EDPB already announced it would publish further clarifications concerning data transfers to the U.S. and other third countries. Therefore, it is crucial to stay up-to-date about new developments, for instance by following our newsletter.
