Europe: EDPB issues FAQs on Schrems II – No Grace Period for Privacy Shield Transfers; Case-by-Case Assessments Required to Continue with SCCs

On 23 July, the European Data Protection Board issued a set of Frequently Asked Questions with regard to the Schrems II decision of the Court of Justice of the European Union. More information on the Schrems II decision can be found in our Privacy Matters blogpost of 16 July 2020.

The main takeaways from these FAQs are:

  • With regard to Privacy Shield:
    • Transfers under the Privacy Shield are now illegal. There is no grace period during which EU controllers can continue to transfer personal data to the US on the basis of Privacy Shield.
    • EU controllers who wish to continue transferring personal data to the US must look for another appropriate transfer mechanism.
  • With regard to the use of Standard Contractual Clauses for transfers to the US:
    • Whether EU controllers can continue transferring personal data to the US under the Standard Contractual Clauses will depend on the result of their assessment of the level of protection in the US taking into account the circumstances of the transfer and any supplementary measures that can be put in place.
    • The EDPB highlighted that it is the primary responsibility of the data exporter and the data importer to carry out these assessments and to provide necessary supplementary measures. It noted the EDPB will also look into what these supplementary measures could consist of and will provide further guidance in due course.
    • If the assessment shows that appropriate protection is not ensured, EU controllers must suspend or end the transfer of personal data. In the event that an EU controller decide to continue transferring personal data despite this conclusion, it must notify its competent supervisory authority.
  • With regard to other transfer tools under Article 46 GDPR:
    • The reasoning developed for the Standard Contractual Clauses, applies to all transfer mechanisms listed in Article 46 such as Binding Corporate Rules.
  • With regard to transfers to third countries other than the US:
    • According to the EDPB, the reasoning of the court in Schrems II in relation to transfers to the US under Standard Contractual Clauses or any other transfer mechanisms, applies equally to transfers to all third countries not the subject of an adequacy decision. Case-by-case assessments are required to be carried out in relation to transfers to all such third countries.
  • With regard to relying on article 49 derogations for transfers to the US:
    • The EDPB confirms that it is possible to rely on article 49 derogations for transfers to third countries in accordance with the guidelines it issued in this respect.

Even though the ramifications of the Schrems II decision for global transfers may take some time to fully play out, it is clear that organisations will need to act quickly to revisit their data transfers and data transfer mechanisms.

The global data protection, privacy & security team at DLA Piper has developed a standardised data transfer methodology to assist its clients in navigating the impact of the judgment and carrying out the required assessment when relying on SCCs or other transfer mechanisms. The methodology includes a five step assessment process, comprising a proprietary scoring matrix and weighted assessment criteria to help manage effective decision making.

For further information and advice, please get in touch with dataprivacy@dlapiper.com or your usual DLA Piper contact.