Data Transfers between the EU and the USA after Schrems II – European Data Protection Board’s guidelines & mitigation of compliance risk in IT
The Court of Justice of the European Union issued on 16 July 2020 the Schrems II vs Facebook ruling which resulted in the invalidation of the Privacy Shield. As this decision had immediate effect and removed a significant legal basis for data transfers to the USA, it triggered several questions about the compliance of personal data transfers, in particular within the cloud services solutions.
In November 2020 the European Data Protection Board published draft guidelines for organizations which were requesting a formal framework for addressing these challenges. In this publication, you will find the background story of the Schrems II case and the summary of EDPB guidelines which you may apply in your data processing policies.
Let’s start with explaining the term “Privacy Shield”
In 2016 the European Union decided to issue new laws and rulings on the personal data protection. They included the GDPR (General Data Protection Regulation) which entered into force on 25th May 2018 along with a decision issued by the EU Commission in July 2016 – stating that the USA and EU apply comparable standards for the personal data protection in commercial use – it was the so-called adequacy decision 2016/1250 known as the Privacy Shield.
The decision included several conditions that needed to be met so that the data of the EU residents may be transferred to the companies registered in the USA. In particular, such companies were required to be listed on the Privacy Shield register page maintained by the American government.
The process was based on the self-assessment of the companies which, alongside with several other practices, was assessed as inefficient and not fully aligned with the GDPR in the regulatory reports of years 2018 and 2019.
The mechanism of the Privacy Shield has been used by the tech giants such as Google and Facebook – as well as smaller companies and startups which registered on the Privacy Shield list.
In practice, this meant that the European regulators treated such personal data transfers as equally safe as those made within the EU.
This meant that the personal data transferred under the Privacy Shield did not increase the regulatory risks of compliance nor the potential sanctions for breaches.
The EU regulators are assessing the data controller’s and data processor’s responsibility under the GDPR based on many aspects; in particular, it is important to make sure that in each case that personal data is transferred outside the EU, the transfer is made with particular care, in compliance with the GDPR rules on such transfers.
If a breach occurs, the liability and sanctions will be more severe and higher in case of personal data transfers outside the European Economic Area than within it.
Schrems II case – revolution in the EU personal data transfers to the USA
Please have a look at the video which covers the explanation of the Schrems II case and mitigation of IT compliance risks:
On July 16, 2020, the Court of Justice of the European Union (the “Court”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the Court concluded that:
a) the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid; and
b) that the EU-U.S. Privacy Shield framework is invalid. In practice, it means that i may not be applied by the regulators nor the companies in the context of the GDPR compliance.
As the Schrems II ruling resulted in the invalidation of the Privacy Shield, the SCCs (Standard Contractual Clauses) have been recommended to mitigate the risk of sanctions for compliance breaches – with the disclaimer that whether or not the SCCs are effective depends on the factual background and the case-by-case assessment of public law & regulations. The assessment’s goal is to check if the national laws are not interfering with the purpose of SCC by limiting the individual’s right to privacy which is guaranteed under the GDPR.
The Schrems II ruling affects all transfers relating to the transfers of EU residents’ personal data to the USA.
The data transfers are understood broadly in this context, i.e. physical transfers of data in the documentary form, in digital form to the IT infrastructure based in the territory of the USA (cloud computing solutions, SaaS, PaaS, IaaS) as well as the remote access to the EU residents’ data from the territory of the USA, even if the data is stored on servers located in the territory of the European Economic Area.
The processing relates both to the primary processing as well as the contracts with sub-processors – which in the digitalized world means that probably most businesses, organizations and institutions may face the challenge of compliance with the GDPR due to the invalidation of the Privacy Shield.
This issue has impacted even the international tech giants – which means that businesses which apply their solutions should be careful and aware of the compliance challenges which should be addressed with the proper documentation or even stopping the data transfers to the USA (termination of software licenses) and switching onto the solutions based in the EU and/or the countries which benefit from the adequacy decisions issued by the European Commission.
European Data Protection Board Guidelines
In November 2020 the European Data Protection Board issued the long-awaited draft document of guidelines that address the challenges of the invalidation of the Privacy Shield.
The EDPB summarized the regulatory requirements in 6 steps for compliance in the document of “Recommendation 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”:
“As a first step, the EDPB advises you, exporters, to know your transfers. Mapping all transfers of personal data to third countries can be a difficult exercise. Being aware of where the personal data goes is however necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed. You must also verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is transferred to and processed in the third country.
A second step is to verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR. If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR for transfers that are regular and repetitive. Only in some cases of occasional and non-repetitive transfers you may be able to rely on one of the derogations provided for in Article 49 GDPR, if you meet the conditions.
A third step is to assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. Your assessment should be primarily focused on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on and that may undermine its level of protection. (…) In the absence of legislation governing the circumstances in which public authorities may access personal data, if you still wish to proceed with the transfer, you should look into other relevant and objective factors, and not rely on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards. You should conduct this assessment with due diligence and document it thoroughly, as you will be held accountable to the decision you may take on that basis.
A fourth step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer. (…) You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and the transfer tool you are relying on and you will be held accountable for the decision you take. This might also require you to combine several supplementary measures. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.
A fifth step is to take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on. These recommendations specify these formalities. You may need to consult your competent supervisory authorities on some of them.
The sixth and final step will be for you to re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.”
Next Steps for Companies and Institutions
The organizations that currently rely on the Standard Contractual Clauses will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by EU law.
Further, the organizations should consider what additional measures, standards, tools and safeguards may be implemented to ensure there is in fact an “adequate level of protection.”
The changes and adaptations must be done urgently.
How is your company dealing with this issue?
Let us know, let’s talk about it.
Contact us directly at firstname.lastname@example.org