04 August 2020

Uncertainties following Schrems II

Following the Schrems II judgment on 17 July (which we discussed here), the EU-US Privacy Shield has been invalidated and the CJEU has clarified that the Standard Contractual Clauses (SCCs) can only be relied on if data importers and exporters can ensure that the SCCs can be complied with in practice.

The CJEU’s judgment has led to uncertainty in relation to the future of international data transfers, and the following issues were in urgent need of regulatory guidance:

  • how businesses can carry out risk assessments in relation to the parties’ abilities to comply with the SCCs;
  • whether businesses may have a grace period to implement such assessments; and
  • whether transfers of personal data to the US can be made pursuant to SCCs at all, in light of the surveillance programmes the CJEU called out in Schrems II.

Updated EDPB Q&A on Schrems II

In response to questions received from Supervisory Authorities, the European Data Protection Board (the EDPB) has issued its Q&A clarifying a number of key points. This document only provides high-level guidance, but the EDPB has indicated that it will issue further, more detailed guidance in due course.

No grace period for existing transfers under the EU-US Privacy Shield

Contrary to the ICO’s initial position immediately following the judgment, which suggested that organisations already transferring personal data to the US could continue to do so until further guidance was issued, the EDPB has announced that the Privacy Shield can no longer maintain its effects after Schrems II and that data transfers made on the basis of Privacy Shield are illegal. This includes in respect of any transfers carried out before the judgment was handed down.

Alternative ways to transfer data to the US

Alternative ways to transfer data to the US and other third countries do exist, however each comes with its own limitations and conditions:

  • SCCs and supplementary measures - We already know that SCCs may be relied on to transfer data if the importer and the exporter can ensure that the protection set out in the SCCs can be complied with in practice. Guidance on how to carry out such an assessment remains high-level and we await further detailed guidance. The EDPB emphasised that, where the assessment concludes that the SCCs entered into may not be complied with in practice, the parties can consider supplementary measures to ensure an “equivalent level of protection” of personal data to that provided in the EEA. The EDPB expects to provide further guidance on the detailed forms of such supplementary measures.
  • Binding Corporate Rules (BCRs) - The principles of the Schrems II judgment will also apply to BCRs. Businesses adopting BCRs to transfer personal data will need to carefully consider whether the terms of the BCRs can be complied with in relation to transfers to the US and whether it is possible to put effective supplementary measures in place.
  • Common exemptions potentially available:
    • data subjects’ explicit consent - The EDPB’s view is that if businesses were to rely on the derogation of explicit consent, data subjects must be informed of the possible risks of onward transfer to a third country which does not provide an adequate level of protection. Such consent should be explicit and specific to the transfer.
    • necessary for the performance of a contract - Where businesses expect to rely on this exemption, the EDPB highlighted that they must ensure that the transfer is objectively necessary for the contract between the exporter and the data subjects. Such transfer should only be occasional, and assessment of the 'occasional' nature of the transfer should be carried out on a case-by-case basis.
    • necessary for important reasons of public interest - Whilst there is no requirement that such transfers should only be occasional, the EDPB re-emphasised that this derogation should not be relied on to justify large scale or systematic transfers.
  • If no supplementary measures or derogations can be relied on - The EDPB has suggested that organisations should then seek to negotiate amendments to their contracts to prohibit transfers to the US.
  • Onward transfers to sub-processors in the US - The EDPB Q&A also indicates that controllers’ obligations in relation to international transfers do not cease at the data processor level. Where a processor is likely to perform onward transfers to the US for the purpose of the contract between a processor and controller, the EDPB suggests that controllers review such onward transfers and take these into consideration when authorising processors to engage sub-processors.

The future of international transfers and practical steps to take

In the absence of further detailed guidance on managing the impact of the Schrems II judgment, it is unfortunate that the EDPB has announced that no grace period applies to existing transfers relying on the Privacy Shield. However, the EDPB confirmed it is working with all the Supervisory Authorities to ensure consistency of regulatory guidance across the EEA. The ICO’s latest statement confirmed that the ICO has also endorsed the EDPB’s approach and is likely to continue to do so despite Brexit. The ICO has acknowledged that further guidance is expected and called on businesses to 'take stock of the international transfers you make' and 'react promptly' as guidance becomes available.

In light of the EDPB and the ICO’s current guidance, we suggest that businesses may want to consider taking the following steps:

  1. Review existing data transfers and prioritise transfers that are business-critical or relate to customer data or special categories of personal data.
  2. Identify existing international data transfers to the US made on the basis of Privacy Shield. Consider whether BCRs or SCCs can be put in place and complied with in practice, taking into account any supplementary measures that may be adopted. Note that in the absence of detailed guidance, businesses will need to consider the elements mentioned in the Schrems II judgment.
  3. If the SCCs or BCRs cannot be complied with due to the laws of the importing country, consider whether any exemptions may apply. Note that relying on exemptions should not be the norm and will require legal review. The decision-making process in relation to relying on exemptions should be recorded in detail.
  4. If data subjects’ explicit consent is to be relied on, revisit your privacy notice and consider how best to obtain data subjects’ explicit, informed and specific consent, and be mindful that it must be as simple for data subjects to withdraw their consent as to grant it.
  5. Where data processors are located outside the US, query whether the processor is likely to perform onward transfers to the US and what steps have been taken to ensure compliance with the EDPB Q&A.
  6. Be prepared to carry out risk assessments in relation to SCCs entered into with data importers located in non-EEA countries other than the US once further guidance is issued, as the impact of Schrems II is not limited to the US.

If you require assistance in relation to your international data transfer arrangements, please contact David Varney or your usual Burges Salmon contact.
