Schrems 2 – 12 FAQs Published by the EDPB but Little Practical Guidance
By Francoise Gilbert, CEO, DataMinding, Inc.
Since the publication of the European Court of Justice (EUCJ) decision in the Schrems 2 case, businesses located on both sides of the Atlantic, and around the world, have been attempting to determine how they should interpret and act upon the decision. On July 23, 2020, the EU Data Protection Board (EDPB) issued a first series of Frequently Asked Questions to help analyze, and react to, the EUCJ decision. Since the EDPB is comprised primarily of representatives of the supervisory authorities of each EU Member State, its opinion, guidance and recommendations are of great significance and help understand the expectations of the EU/EEA regulators. Unfortunately, this first draft provides little practical assistance. However, the EDPB commits to pursue its analysis and come back with more specific guidance.
Shield, SCC and also BCRs
The most unequivocal clarification in these 12 FAQs is that the Schrems 2 decision also affects BCRs and transfers other than to the United States.
In FAQ #2, 3, 9, the EDPB indicates that the threshold set by the EUCJ decision applies to all appropriate means used under GPDR Art. 46 to transfer data from the EEA to any third country, and pertains to all transfers of personal data to the United States via electronic means that fall under the U.S. laws identified in the Court decision, regardless of the tools used for the transfer. As a result, transfers conducted through Binding Corporate Rules (BCR) are also affected.
Organizations that rely on BCRs to provide a legal basis to their ability to transfer personal data among their subsidiaries across the world must also conduct an assessment of the effect of US laws on these transfers. As in the case of SCCs, their ability to rely on BCRs will depend on the result of an assessment of the laws applying to the data being transferred.
While most of the attention has been focused on aspects of US surveillance laws, FAQ #9 points out that the threshold set by the EUCJ for transfers to the U.S. applies as well to transfer to any third country. The same goes for BCRs. The EDPB notes that both the data exporter and data importer are responsible for assessing whether the level of protection required by EU law is respected in the third country concerned in order to determine whether the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, the data exporter and data importer should assess whether they can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EU/EEA if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness.
What Assessment and What Safeguards
Further, the EDPB confirms that whether an EU/EEA based data exporter can transfer personal data out of the EU/EEA on the basis of Standard Contractual Clauses or BCRs will depend on the result of its assessment of the law of the country of the data importer. (FAQ #5, 6 ). This assessment must take into account the circumstances of the transfers, and supplementary measures that would be put in place by the data exporter and the data importer.
FAQ #10 begins to address the key question that businesses are facing: What kind of supplementary measures can be introduced to meet this new standard? According to FAQ #10, the supplementary measures would have to:
- Be provided on a case-by-case basis;
- Take into account all the circumstances of the transfer; and
- Follow the assessment of the law of the third country, in order to check if it ensures an adequate level of protection.
If the data exporter determines that appropriate safeguards would not be ensured, it must suspend or end the transfer or notify its competent Supervisory Authority.
The EDPB recognizes the limitation of this guidance and promises to look further and provide more tangible and practicable suggestions.
Role of the Supervisory Authority
The EDPB also points out (FAQ #9) that while data exporters and data importers are primarily responsible for assessing whether the legislation of the third country of destination enables the data importer to comply with the Standard Contractual Clauses or the BCRs, the Supervisory Authorities will also have a key role when enforcing the GDPR and issuing further decisions on transfers to third countries.
We expect more developments in the next few weeks. Stay tuned for more reports on the aftermaths of the Schrems 2 decision.
About the Author
Françoise Gilbert advises clients on compliance with the growing number of privacy and information security laws that govern their operations, and how to integrate privacy and security in product design, marketing, corporate and commercial transactions and business strategies. One of the first lawyers to enter the field of privacy and security in the early 1990s, Francoise is widely considered a pioneer in the field. Among other activities, she is the editor and primary author of Global Privacy and Security Law, published by CCH Wolters Kluwer, a two-volume law treatise that analyses in-depth and explains the data, privacy, security, digital marketing and advertising laws of over 70 countries on all continents. The treatise also provides extensive background on the major drivers that are dictating or influencing the laws that govern the collection and use of personal data worldwide.