International Data Transfers Post-Schrems II

Following the case law of the European Court of Justice (henceforth “CJ”) in “Schrems II”, several questions have been raised in the context of international transfers of personal data. For the European institutions and economic operators whose business models are based on such operations, the climate has become one of legal uncertainty.

In that context, we prepared the present information with brief indications concerning the current framework and recommendations for action on this topic.

A. Legal framework for international transfers of personal data in the light of the General Data Protection Regulation (henceforth “GDPR”):

International transfers are provided for and regulated in Chapter V of the GDPR.

Article 45, foresees the possibility of the European Commission deciding, through an implementing act, that a certain third country or international organization ensures an adequate level of protection, considering the criteria established in the second paragraph of that same Article. From the moment that the referred adequacy decision is taken, everything is processed as if the third country or organisation, which receives the data, was indeed, a Member State (henceforth “MS”).

In turn, Article 46 sets out the procedure to be followed in the absence of the above-mentioned “adequacy decision”. According to the latter, transfers are conditional upon the provision of adequate safeguards, and also upon the granting of enforceable rights and effective legal remedies to data subjects. The safeguards may consist on the use of binding rules applicable to companies, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority, or contractual clauses authorized by that authority.

In the absence of an “adequacy decision” or adequate safeguards, it will still be possible to make these data transfers under Article 49, provided that we are faced with one of the specific situations covered by it.

B. What was decided in Schrems II?

In its judgment of 16 July 2020, the CJ declared the invalidity of European Commission’s Decision no. 2016/1250 implementing the Privacy Shield Framework (the latter was intended to facilitate international transfers of personal data from the EU to the United States of America- henceforth the “US”).

The basis for such invalidity was the fact that the Privacy Shield does not ensure adequate protection of personal data, as it allows disproportionate encroachments on individuals’ fundamental rights. In this particular case, it was a question of access to personal data transferred to the headquarters of Facebook Inc., California, via Facebook Ireland, by the public authorities of the US (in particular national security agencies such as the FBI and the NSA).

In this judgment, the CJ also had the opportunity to rule on the validity of the standard data protection clauses. In fact, such clauses were deemed as valid, but their use alone, according to the CJ, no longer guarantees the lawfulness of international transfers. To that end, an assessment on the legislation of the third countries of destination should be made, in order to ascertain whether an adequate level of protection is granted, or otherwise, if further measures need to be implemented for that purpose. In case this level of protection cannot be guaranteed, the CJ points out that the data exporter should suspend, or even cancel, the data transfer.

In view of all the above, this decision appears to affect all transfers of personal data outside the EU area and not only those to the US.

C. What happens to the data transfers performed under the Privacy Shield Framework to the US?

As the CJ has declared the invalidity of the Decision no. 2016/1250 with immediate effect, these transfers will be considered unlawful. However, despite the apparent legal vacuum, some solutions have already been pointed out in an attempt to regularise both ongoing and future transfers.

 

D. What solutions were pointed out?

D.1. EU institutions, offices, bodies and agencies

On 6 October 2020, the European Data Protection Supervisor (henceforth “EDPS”) released a document containing a series of measures for the EU institutions, bodies and agencies. These measures fall into two groups: short-term measures and medium-term measures.

One of the short-term measures presented, consists on carrying out a mapping exercise, identifying data transfers for on-going contracts, procurement procedures and other types of cooperation, involving data transfers.

Meanwhile, one of the medium-term measures is to carry out transfer impact assessments to identify whether an essentially equivalent level of protection is afforded in the third country of destination. Based on these assessments, EU Institutions should reach a decision as to whether it is possible to continue transfers identified in the mapping exercise.

D.2. Economic Operators

At the level of economic operators, two solutions have been pointed out by the CJ: use of derogations and use of standard data protection clauses.

Use of the derogations provided for in Article 49 of the GDPR:

The CJ in the aforementioned judgment encouraged the use of the derogations provided for in Article 49 of the GDPR as an alternative solution to the invalidity of the Privacy Shield Framework. In fact, the Court held that data transfers between the EU and the US would still be possible if one of the conditions foreseen by that rule is met. As an example, and following the understanding of the CJ, transfers to the US will be possible if they are based on the consent of the data subject.

However, it is important to emphasize the exceptional nature of Article 49 of the GDPR. In other words, the use of derogations should be restricted to specific situations, otherwise the ratio of the regime established by the GDPR will be subverted.

Use of standard data protection clauses:

With the Schrems II judgment, the possibility of transferring personal data on the basis of standard data protection clauses, or binding corporate rules, is dependent on the result of its assessment, taking into account the circumstances of the transfers, as well as the possibility of additional measures being applied, and it must always be ensured that the legislation of third countries of destination does not jeopardize the necessary level of protection.

In this context, it should be noted that on 12 November 2020, the European Commission published a Draft Implementing Decision of new standard contractual clauses for the international transfer of personal data. From this, the following points have been highlighted:

  • Scope (the new standard contractual clauses allow data exporters and importers to select the clauses that are relevant to the types of transfers in which they participate);
  • A “modular” approach (the new standard contractual clauses allow for a “modular” approach, which addresses different transfer situations: between controllers; between controller and processor; between processors; between processor and controller);
  • Applicability to non-European Economic Area exporters (henceforth “EEA”) (the new standard contractual clauses do not require the data exporter to be established in the EEA);
  • Communication to data subjects (data subjects will have to be notified of the transfer and given a copy of the standard contractual clauses);
  • Transitional period (there will be a period of one year, from the entry into force of the Commission Decision, during which exporters and importers of personal data may continue to use the standard contractual clauses set out in Decision 2001/497/EC and 2010/87/EU for the performance of a contract concluded before that date).

It is also noteworthy that following the Schrems II judgment, the European Data Protection Board (henceforth “EDPB”) issued two sets of recommendations on 10 November 2020:

  • One concerning supplementary measures to the transfer “tools” to ensure compliance with the EU level of protection of personal data (Recommendations 01/2020);
  • And other on the European Essential Guarantees that must be respected in order to ensure that interference with fundamental rights when transferring personal data does not go beyond what is necessary and proportionate in a democratic society (Recommendations 02/2020).

Recommendations 01/2020:

These Recommendations aim to assist data exporters with the complex task of assessing whether third countries meet the appropriate and necessary conditions for the protection of personal data, and to identify what additional measures are necessary for such protection to be equivalent to what afforded within the EU. To this end, the EDPB recommends six steps to be followed, as well as some examples of additional measures that may be implemented.

Among the recommended steps, we highlight the one which consists of a reassessment of the level of protection afforded to the data transferred and the monitoring of situations or developments that may affect the protection granted.

As for examples of additional measures, an exemplary list of technical, organisational and contractual measures is provided.

Recommendations 02/2020:

In these, the EDPB specifies the applicable legal requirements to justify limitations to the fundamental rights to data protection and privacy. In fact, the EDPB considers that these requirements can be summarised in four European Essential Guarantees:

  • Processing should be based on clear, precise and accessible rules;
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
  • There must be an independent oversight mechanism;
  • Effective remedies need to be available to the individual.

These Guarantees – which apply to all persons regardless of their nationality – aim to further specify how to assess the level of interference with the fundamental rights to privacy and data protection in the context of surveillance measures by the public authorities in a third country, when transferring personal data.

Nevertheless, it should be stressed that according to the EDPB, it will be for the CJ to decide whether interference with a particular fundamental right is justified. In the absence of such a decision, the data protection authorities will be responsible for assessing individual cases, either ex-officio or following a complaint.

Despite the aforementioned considerations, some still believe that the path for many transfers remains uncertain. The big question now is whether and when the supervisory authorities will implement these guidelines.

Knowledge