The landscape of international data transfers has changed drastically since the CJEU rendered its second Schrems-ruling in July 2020 on the Privacy Shield mechanism and Standard Contractual Clauses. The CJEU, as well as data protection supervisors, however did not provide a solution for the gap that was created by the verdict and left data exporters, as well as receiving parties, clueless. Until now.
The EDPB has recently provided (draft) recommendations that should help to solve the major issues that companies have been confronted with since the ruling. These recommendations should be adhered to by all organizations falling within the scope of the GDPR as soon as they will be adopted.
According to the EDPB, supplementary safeguards may be necessary if the safeguarding measures as such are not enough. If supplementary measures still cannot provide a sufficient level of protection, the transfer cannot take place. It is however questionable whether these guidelines will change much in practice, given that it is in some cases simply impossible to contractually deviate from applicable laws that bind the receiving party, which would essentially mean that personal data cannot be transferred to that party at all.
In this article, we provide a summary of the proposed recommendations and suggestions for implementation steps. Once the recommendations are final, we will provide an update.
In July 2020, the European Court of Justice did not only invalidate the Privacy Shield mechanism, on the basis of which personal data could be lawfully transferred from the EEA to a receiving party subscribed to the Privacy Shield. It also took the current Standard Contractual Clauses - a transfer mechanism that is used very frequently - into consideration. Although the CJEU considered the SCCs valid, it did note that the data exporter had to verify, prior to the transfer, whether the level of data protection granted by the GDPR could in fact be respected in the third country in which the receiving party was located. In addition, supplementary measures had to be taken where necessary, according to the CJEU.
Steps to take
Whereas the easiest option would be to keep all personal data in the EEA, in some cases it is necessary to transfer personal data outside the EEA. We therefore question whether these guidelines fit the current practical situation in which personal data are constantly transferred. However, in those cases, according to the EDPB, all organizations sharing personal data with parties located in third countries should – as soon as these guidelines will be adopted – carry out the following steps prior and throughout their transfer activities. These steps of course also apply to existing transfers.
The annex to the guidelines contains a number of examples of supplementary measures that could be taken to ensure the level of protection that is needed in order to legalize a transfer to a third country recipient.
It should be noted that the published guidelines are only a draft version. We however expect that materially not much will change in the yet to come final version.
As stated above, the recommendations are also relevant for organizations that frequently receive personal data from organizations located in the EEA. It is therefore recommended to assess, on the basis of the criteria under step 3, whether or not your organization is subject to local laws that might endanger the level of protection granted by the GDPR and if so, identify whether there are measures that could be implemented in order to sufficiently mitigate those risks.
We question whether these recommendations are a true solution, given that, as also follows from Schrems II, some local legislation such as the US FISA or laws of other countries not taking into account the rule of law, do not provide a level of protection that is equivalent to the GDPR. This would entail that for these transfers, supplementary measures are always necessary. It is however questionable whether these measures could fill the gaps caused by these local laws and whether it will be practically possible to implement measures that do provide for sufficient protection. Overall, the recommendations still leave us with some questions.
Regardless, we recommend starting with data mapping activities and effectiveness assessments. We have a data mapping and assessment format available. Please contact us if you would like to receive this format.
Updated Standard Contractual Clauses
Besides the guidelines, the EDPB has also published a draft version of the updated Standard Contractual Clauses. Once adopted, they should replace the current versions.
This blog was written by Martin Hemmer and Sophie Hendriks.