One week after the publication of the decision of the European Court of Justice in the Schrems 2 case, the European Data Protection Board (EDPB), which is primarily comprised of representatives of the supervisory authorities of the EU Member States, has issued a first series of Frequently Asked Questions to help affected entities analyze, and react to, the EUCJ decision. Given the important role of the EDPB in the European Union, the opinions, guidance and recommendations of the EDPB are of great significance for businesses operating in the EU/EEA as they help understand the expectations of the European regulators.
Since the publication of the European Court of Justice (EUCJ) decision, businesses located on both sides of the Atlantic, and around the world, have been scrambling to understand the consequences of the Schrems 2 decision and to determine how they should act upon it. Unfortunately, this first draft provides little practical assistance. However, the EDPB has committed to pursue its analysis and come back with more specific guidance.
Shield, SCC and also BCRs
The most unequivocal clarification in these 12 FAQs is that the Schrems 2 decision also affects BCRs and transfers other than to the United States.
In FAQs #2, 3 and 9, the EDPB indicates that the threshold set by the EUCJ decision applies to all appropriate means used under GDPR Art. 46 to transfer data from the EEA to any third country, and pertains to all transfers of personal data to the United States via electronic means that fall under the U.S. laws identified in the Court decision, regardless of the tools used for the transfer. As a result, transfers conducted through Binding Corporate Rules (BCR) are also affected.
Organizations that rely on BCRs to provide a legal basis to their ability to transfer personal data among their subsidiaries across the world must also conduct an assessment of the effect of US laws on these transfers. As in the case of SCCs, their ability to rely on BCRs will depend on the result of an assessment of the laws applying to the data being transferred.
While most of the attention has been focused on aspects of US surveillance laws, FAQ #9 points out that the threshold set by the EUCJ for transfers to the U.S. applies as well to transfers to any third country. The same goes for BCRs. The EDPB notes that both the data exporter and data importer are responsible for assessing whether the level of protection required by EU law is respected in the third country concerned, in order to determine whether the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, the data exporter and data importer should assess whether they can provide supplementary measures to ensure a level of protection essentially equivalent to that provided in the EU/EEA, provided the law of the third country does not impinge on these supplementary measures so as to prevent their effectiveness.
What Assessment and What Safeguards
Further, the EDPB confirms that whether an EU/EEA-based data exporter can transfer personal data out of the EU/EEA on the basis of Standard Contractual Clauses or BCRs will depend on the result of its assessment of the law of the country of the data importer (FAQs #5 and 6). This assessment must take into account the circumstances of the transfers, and the supplementary measures that would be put in place by the data exporter and the data importer.
FAQ #10 begins to address the key question that businesses are facing: What kind of supplementary measures can be introduced to meet this new standard? According to FAQ #10, the supplementary measures would have to:
- Be provided on a case-by-case basis;
- Take into account all the circumstances of the transfer; and
- Follow the assessment of the law of the third country, in order to check if it ensures an adequate level of protection.
If the data exporter determines that appropriate safeguards would not be ensured, it must suspend or end the transfer, or notify its competent Supervisory Authority.
The EDPB recognizes the limitation of this guidance and promises to look further and provide more tangible and practicable suggestions.
Role of the Supervisory Authority
The EDPB also points out (FAQ #9) that while data exporters and data importers are primarily responsible for assessing whether the legislation of the third country of destination enables the data importer to comply with the Standard Contractual Clauses or the BCRs, the Supervisory Authorities will also have a key role when enforcing the GDPR and issuing further decisions on transfers to third countries.
We expect more developments in the next few weeks. Stay tuned for more reports on the aftermath of the Schrems 2 decision.