Still grappling with the aftershocks of the Schrems II decision from the CJEU on July 16 (we previously discussed the Schrems II decision here), the European Data Protection Board (“EDPB”) has issued a Frequently Asked Questions (“FAQ”) discussing the EDPB’s interpretation of the decision. At the same time, EU regulators continue to issue new guidance with their own interpretation of the decision and their views on the viability of the Standard Contractual Clauses (“SCCs”). While The FAQ’s provide an overview of the case and reminders that supervisory authorities, data exporters, and data importers collectively must assess the appropriateness of any supplemental measures adopted to determine if an adequate level of protection can be achieved, they fail to provide much-needed guidance for organizations that depend on the free flow of personal data between the EU and the U.S. Instead, businesses are left with significant uncertainty as to the lawfulness of transfers to the U.S. as some EU regulators have taken the position that no amount of measures can be adopted to provide essentially equivalent protections for personal data transferred to the U.S. as the level of protection provided under EU law and recommend that the flow of data to the U.S. should essentially stop while still others have suggested that such measures are possible and have taken a more “wait and see” approach.
The EDPB’s FAQs
The EDPB addressed the following key points in the FAQ:
Overview of the Schrems II Decision
- CJEU held that GDPR Article 44 required that “all provisions in that chapter shall be applied in order to ensure that the level of protection of natural personal guaranteed by that regulation is not undermined.” This requires “essential equivalence” to the protections afforded in the GDPR.
- The CJEU found that the laws in the U.S., particularly Section 702 of FISA and EO 12,333 do not ensure an essentially equivalent level of protection as that afforded under GDPR.
Validity of the Standard Contractual Clauses
- SCCs are still valid, even if they do not bind the authorities of the receiving country to the protections of the GDPR. However, the validity of the SCCs depends on whether there are effective mechanisms in place to make it possible to ensure a level of protection that is essentially equivalent to that guaranteed by the GDPR.
- Businesses and supervisory authorities are required to suspend or terminate such transfers if it is impossible to provide this essentially equivalent level of protection or in the event of a violation of the SCCs.
Businesses Must Analyze the Validity of the SCCs on a Case-By-Case Basis
- Data exporters, data importers, and supervisory authorities are each required to verify, prior to transferring data to any third country taking into account the circumstances of the transfer, whether or not the required level of protection can be achieved with the SCCs together with any supplementary measures required of the data importer.
- The validity of transfers to the U.S. based on the SCCs will depend on the result of the business’ assessment, considering the circumstances of the transfer and any supplementary measures that could be put in place by the parties. Supplemented SCCs will only be valid if the analysis shows that they would ensure that the laws in the U.S. do not impinge on the level of protection required.
- If the analysis comes to the conclusion that an adequate level of protection cannot be provided, the data exporter is required to suspend or terminate the transfer of personal data to the U.S. or, if the transfer is to continue, the data exporter must notify the applicable supervisory authority.
Other Transfer Mechanisms (including BCRs) Are Also Subject to the Same Requirements
- Other transfer mechanisms provided in GDPR Article 46 must still provide the same essential equivalence to the protections provided in the GDPR. Data exporters, data importers, and supervisory authorities must assess, on a case-by-case basis and taking into account the supplementary measures that could be adopted, whether any of these mechanisms would ensure that U.S. law does not impinge on the adequate level of protection required.
No Specific Guidance on What Supplemental Measures May be Appropriate
- No answer to the question of what type of supplemental measures could be used with SCCs or BCRs to transfer data to third countries.
- Instead, supplemental measures would have to be provided on a case-by-case basis, taking into account the circumstances of the transfer and after the assessment of the law in the receiving country.
- The EDPB will continue to analyze the decision in Schrems II to determine what type of legal, technical, or organizational measure may be provided in addition to the SCCs or BCRs when those methods of transfer will not provide sufficient level of guarantees on their own and will provide more guidance in the future.
What About Transfers Based on Derogations?
- The transfer of personal data from the EU to the U.S. could still be lawful based on the derogations provided in the GDPR, provided that the data exporter complies with the EDPB’s previous guidelines for these transfer mechanisms.
- With respect to transfers based on the consent of the data subject, data subjects must first be informed as to the possible risks of the transfer (in particular, that the receiving country does not provide an adequate level of protection and that adequate safeguards to provide an adequate level of protection were either not possible or otherwise not implemented). After being provided with such information, the data subject’s consent must be explicit, and specific for the particular data transfer or set of transfers.
- Transfers that are made necessary for the performance of the contract between the data subject and the controller should only be made when the transfer is occasional and when the transfer itself is objectively necessary for the performance of the contract.
- Transfers that are made because they are necessary for important reasons of public interest may only be made if the particular public interest served was recognized by EU or member state law (not foreign law). This derogation should also not be relied on when the transfers are systematic and occur on a large scale. Furthermore, the EDPB reminded businesses that the use of this derogation should not be relied on as the “rule” for the lawful transfer, but only to specific situations and when strictly necessary.
Guidance From Data Protection Regulators so Far
Data protection regulators in the EU continue to issue statements and guidance regarding the use of SCCs and other transfer mechanisms, with various interpretations. Far from the “uniformity” promised by the GDPR, some regulators have taken very strict approaches to the transfer and have all but declared SCCs dead, while still others view the Schrems II ruling as essentially “validating” the use of SCCs as a transfer mechanism. In effect, the validity of the SCCs, and possibly the ability to transfer personal data from the EU to the U.S. on anything other than the narrowest of exceptions, may depend largely on which regulator you ask and which one has jurisdiction over the data exporter.
- Strict interpretation of Schrems II: Businesses should keep personal data in the EU, SCCs are incurably dead. Regulators in Berlin, Hamburg, and the Netherlands have taken the strongest position and have advised data controllers not to transfer personal data to the U.S., with the Berlin Commissioner going as far as stating that data controllers in Germany should begin to use service providers in the EU or another third country that could provide the necessary levels of protection. The Data Protection Authority in Rhineland-Palatinate indicated that there was no grace period for companies using the SCCs to comply with the CJEU requirement of essential equivalence standard and, if transferring unencrypted data to the U.S. and there are no other alternative data transfer mechanisms, those transfers are no longer possible. Similarly, the DPA in Thuringia all but pronounced the use of the SCCs to transfer data to the U.S. dead.
- Medium interpretation of Schrems II: SCCs aren’t dead yet, but there is a high bar to their valid use. Other regulators have taken a somewhat softer approach. The German Commissioner for Data Protection and Freedom of Information said that individual companies involved in a transfer of personal data to the U.S. bear the burden of proof to determine the appropriate safeguards. Similarly, the Estonian Data Protection Inspectorate stated that the companies have to make the assessment on whether the personal data of Europeans’ could be protected, and if not, the transfer must be suspended or terminated. The Irish DPA also stated that while the assessments need to be done on a case by case basis, the use of the SCCs to transfer personal data to the U.S. is now questionable.
- Liberal Interpretation of Shrems II: SCCs are generally valid, but businesses must develop supplemental measures. Yet some of the other data protection regulators have expressed more optimism regarding the future of the SCCs to transfer personal data to the U.S. This included the UK’s Information Commissioner’s Office, who indicated that they were willing to work “to ensure that global data flows can continue,” and Denmark’s Datatilsynet, who indicated that SCCs are “generally still valid.” The Switzerland Federal Data Protection and Information Commissioner also shared this view that the SCCs remain generally valid even though the CJEU decision was not directly applicable to it. However, many of the EU regulators in this camp have qualified their statements by indicating that there are several issues they need to investigate further, including what, if any, supplemental measures may be adopted to permit the SCCs to provide the “essentially equivalent” protections that the CJEU determined was necessary.
Overall Impact to Business and Next Steps
The various interpretations of the Schrems II case creates significant uncertainty for both data importers and data exporters who relied on the SCCs for the lawful transfer of personal data to the U.S. Moreover, the ability to use the SCCs may depend heavily on the interpretation of the lead supervisory authority for the data exporter, effectively creating a mish-mash of rules across the EU and potentially leading to data exporters attempting to engage in forum shopping.
The CJEU’s decision compels both data importers and data exporters to conduct due diligence of the laws in the data importer’s country to determine if the SCCs, potentially plus some undefined supplemental measures, may provide the necessary level of essentially equivalent protections as that provided in the EU. This will inevitably lead to increased compliance burdens as few companies in the EU (or their local regulators) will have the resources and competence necessary to conduct a proper assessment of the law in the data importer’s country or countries. As a result, many businesses will feel compelled to adopt data localization, i.e. keeping the data from Europe, within Europe.
But for all other businesses where data localization is not an option, the data exporter and data importer must conduct the due diligence exercise and the adoption of supplemental measures may be ultimately be necessary. The due diligence should include a consideration of some or all of the following factors:
some industry sectors may rarely be the subject of U.S. government surveillance and therefore unlikely to impose a risk to the Personal Data imported. Organizations that consider this factor may validate this by publishing statistical histories of the government access requests they have received and the statistics on their compliance;
In a Nutshell
Due Diligence Factors
- Industry sector
- Categories and volumes of personal data transferred
- Nature and scope of personal data transferred
- Retention period
- Method of transfer
- the categories and volumes of personal data to be transferred (i.e. is the personal data “interesting” enough to be subject to government surveillance);
- the nature and purpose of the processing by the data importer. For example, if the processing is related to an e-commerce site for the purchase of magazine subscriptions or for newsletters related to the latest legal news in the world of privacy, it is unlikely to be the subject of government surveillance. On the other hand, cloud storage providers where any type of data may be stored may pose a larger risk to becoming the subject of government surveillance activities;
- the retention period of the personal data. If the data importer only has the data for a very short period of time, there may be little risk to individuals in the EU; and
- the nature of the “transfer.” There may be significantly less risk if the transfer only occurs as a result of remote access to personal data by individuals in the US that are stored in the EU and that continue to be controlled by the data exporter.
Once the due diligence is completed, it is important to document the rationale for deciding whether the available measures would provide the essentially equivalent protections necessary to continue the transfers or if the transfers should be suspended or terminated.
If the parties to the data transfer conclude that the data importer cannot protect the personal data to a level that is essentially equivalent to the protections in the EU based on the applicable transfer mechanism itself, they will need to adopt supplemental measures. While the regulators have provided little clear guidance as to what supplemental measures may be appropriate, these may include:
- For traditional cloud storage services, it may be possible to encrypt the personal data prior to exporting it out of the EU while keeping the encryption keys in the possession of the data exporter and away from the data importer. In this case the information exported would no longer be considered personal data as it would no longer identify or be identifiable to an individual and therefore no longer subject to the requirement to provide protections that are essentially equivalent to those of the GDPR;
Would-be data importers may be able to alter their data flow such that the initial transfer between the parties occurs solely within the EU, i.e. to a European-based entity of the would-be data importer. Then the European-based entity can transfer the personal data to its affiliate located within the U.S. This may permit the would-be importer to take advantage of the “lead supervisory authority” provisions in GDPR Article 56 to get a consistent, and a potentially friendlier, interpretation of the validity of the chosen data transfer mechanism from the local data protection regulators;
In a Nutshell
Potential Supplemental Measures
- Encryption (when possible)
- Alter data flow to be subject to lead supervisory authority who may be more accepting of the possibility of supplemental measures
- Termination rights if essential equivalence cannot be achieved
- Notice of surveillance requests
- Ensure that both the data importer and data exporter have the right to terminate the services (likely with a refund of pre-paid fees) in the event essential equivalent protections cannot be achieved; and
- Providing additional contractual requirements for the data importer to notify the data exporter of government surveillance requests (when legally permitted) and to resist and challenge such requests when possible.
Overall, however, both data importers and data exporters must recognize that all businesses, whether in the U.S., EU, or elsewhere, must comply with a lawful order in their country to produce personal data for national security or law enforcement purposes. Those orders may require that the recipient of that order keep the existence and scope of the order confidential such that a data importer receiving such an order cannot notify the data exporter. Any supplemental measures attempting to require a data importer to violate such an order or local law in order to comply with the GDPR or any other privacy protection laws in the EU is not likely to be accepted and may result in a contract that is unenforceable. Data exporters are best off to make good faith efforts to conduct due diligence on the laws in the data importer’s country and attempt to develop realistic and practical measures to ensure essential equivalence to the protections provided in the EU that allow both sides to comply with applicable laws and continue the flow of personal data.