Yesterday (16 July 2020), the European Court of Justice issued its breaking judgement in the ‘Schrems II’ case. You can read more about the Court’s ruling on our website. In brief, this judgement means the end of the EU/US Privacy Shield. Although the EU Model Clauses (or ‘standard contractual clauses’, SCCs) are upheld, it remains to be a question whether they can ensure the required ‘appropriate level of protection’ for personal data that is being brought outside the EEA. The judgement is relevant for you if your organization transfers personal data to the US, or to other countries outside the EEA. If that is the case, you should follow the steps below.
Read the article 'Privacy shield out, fortunately we still have the model contracts' here
1. Identify relevant data flows
Does your organization transfer any personal data to recipients established outside the EEA? Note that the term ‘transfer’ is interpreted broadly, and also includes giving access to personal data, making it available (for example through remote screen access), or storing it on servers.
2. Check the legal basis for your transfers
Does your organization transfer any personal data based on:
- Privacy Shield? For example to any of the organizations listed here
- Binding Corporate Rules?
- Other adequacy decisions of the European Commission (regarding the ‘white list countries’)?
Only with regard to the latter one, no further action is required.
3. Transfers based on Privacy Shield? --> ?
These transfers are no longer allowed to take place under the GDPR. At this time, it is unclear whether a ‘grace period’ will be announced for these transfers (when Safe Harbor became invalid in 2015, the data protection authorities in the EU announced that for a period of almost four months, they would not take any enforcement measures relating to transfers that were based on Safe Harbor). Until there is more clarity on this or on other solutions, we recommend to enter into the SCCs instead - even though we are aware of the uncertainties involved with this option (as described under step 4). Copies of the SCCs can be found here. With the SCCs, you will at least have a contractual safeguard in place for the data transfers in question, which seems to be a better alternative to having nothing in place at all.
4. Transfers based on SCCs --> Re-assessment required
Although the SCCs are still valid, they are no longer automatically sufficient as safeguards for data transfers. This means that your organization should re-assess any transfer of personal data which is made on the basis of SCCs. Based on the judgement, this means that you will have to make an assessment of the level of protection for data subjects in the country of destination, taking into account (among others) the practice of the public authorities of that country, and of its legal system and practices. This is however not a straightforward task and we expect that guidance will be published by relevant bodies in the near future. In light of the accountability principle, you should also document your analysis. You can furthermore consider if there are other, non-contractual safeguards, that could be used to (further) protect the data, such as encryption or other technical safeguards. If you come to the conclusion that an adequate level of protection is ensured, the transfer can (still) take place on the basis of the SCCs. However, if for example the local authorities in the country of destination can intercept personal data coming from the EU, with no clear legal limitations (as is the case in the US), the conclusion will likely be drawn that the SCCs – which only bind the contractors and not the public authorities – are not sufficient as safeguards. Such transfers will thus require to be suspended, unless a derogation applies (under Article 49 GDPR). Please note that pursuant to guidance issued by the EDPB, these derogations must be interpreted restrictively.
5. Transfers based on BCRs
In its judgement in the Schrems II case, the Court of Justice did not directly state anything in relation to Binding Corporate Rules (or ‘BCRs’); the transfer mechanism used for intragroup data transfers which requires prior approval of the competent data protection authority. For now, this means that BCRs remain a valid transfer mechanism under the GDPR and that no further action seems to be required when transferring data based on approved BCRs. As the BCRs are of a similar nature as the SCCs (they are both considered an "appropriate safeguard" pursuant to Article 46 GDPR), it will not be surprising if this mechanism too will soon require a further assessment by the data exporter into the level of protection of the importing countries.
6. Update relevant documentation
As a result of the ‘switch’ in transfer mechanisms, you will need to update certain privacy documentation (for instance the record of processing activities, the internal and external privacy statements, and internal data protection policies).
7. Develop an approach for future transfers
Prior to any future data transfers, you will need to make a careful, documented and case-by-case assessment about the level of protection of the data to be transferred (unless future guidance suggests otherwise). You should at least ask yourself the following questions:
Do I have an alternative for the transfer? In other words: is it possible to keep the data within the EEA?
What do I know about the legal system and ‘reputation’ of the importing country, e.g. can public authorities easily access the data?
Is there a legal possibility (for my organization, for data subjects, or for the data importer) to limit such access?
Does the law provide for effective judicial remedies for data subjects?
What additional (technical) measures can I take to protect the data?