The European Data Protection Board Issues Its First Guidance on EU-US Data Transfers Post-Schrems II
On July 23, 2020, the European Data Protection Board (EDPB) issued its first guidance on the Court of Justice of the European Union’s (CJEU) Schrems II decision which invalidated the EU-US Data Protection Shield and upheld the validity of the Standard Contractual Clauses, subject to certain conditions. The guidance is styled as answers to frequently asked questions on the CJEU’s judgment and attempts to address a number of immediate issues concerning data transfers to the United States from the European Union.
The guidance confirms that the CJEU invalidated the Privacy Shield without a grace period, and therefore all transfers on the basis of that framework are now illegal. This stands in contrast to the U.S. Department of Commerce’s vow to continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Framework and maintaining the Privacy Shield List.
For companies that are relying on the Standard Contractual Clauses (SCCs) to import data to the United States, the EDPB explains that the CJEU found that U.S. law does not ensure “an essentially equivalent level of protection” to that guaranteed within the EU by the GDPR. Whether these companies can continue to transfer personal data on the basis of the SCCs “will depend on the result of [their] assessment, taking into account the circumstances of the transfers, and supplementary measures [companies] could put in place” to ensure that U.S. law does not impinge on the adequate level of protection guaranteed by the contractual clauses and the supplementary measures.
The CJEU’s Opinion contemplates that there might be situations, depending on the law and practices in the third country, where the recipient of the transfer could be in a position to guarantee the necessary protection of the data solely on the basis of the SCCs. It remains unclear whether the currently existing SCCs might be sufficient for at least some data transfers to the United States (for example, with respect to transfers that are very unlikely to be subject to surveillance by the U.S. government), and what, if any, supplementary measures might be implemented for other transfers. The EDPB indicated that it is looking further into what these supplementary measures (whether legal, technical, or organizational) could consist of and will provide more guidance.
The EDPB also concluded that the CJEU’s reasoning equally applies in the context of the Binding Corporate Rules (BCRs), an adequacy mechanism consisting of data protection policies adhered to by companies within a group of undertakings or enterprises. Thus, organizations transferring data to the United States pursuant to the BCRs would need to engage in the same case-by-case analysis now required for transfers pursuant to the standard contractual clauses.
The EDPB confirmed that controllers could still transfer data to the United States on the basis of the derogations (exceptions) provided in Article 49 of the GDPR, such as the data subject’s consent or where the transfer is necessary for the performance of a contract between the data subject and the controller.
The EDPB further explained that where a controller’s data may be transferred to the U.S., no supplementary measures can be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection afforded in the EU by the transfer tools, and no derogations under Article 49 GDPR apply, the only solution for the controller would be to negotiate an amendment to the contract with the processor to forbid transfers to the United States.
The EDPB indicated that it will develop and supplement its guidance with further analysis, as it continues to examine and assess the CJEU’s judgment.
Ask Clarip today how we can solve your biggest privacy compliance pain points. Call Clarip at 1-888-252-5653.