It has been a little over a week since the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a legal mechanism to transfer personal data from the EU to the United States in the Schrems II judgement. Haven't heard about the Schrems II case? (You probably don't work in data protection.) No problem: please see last week's post in the Schrems II Series for the background and initial analysis of the CJEU's decision.
Over the last week, we have seen businesses and privacy experts considering the impact of the judgement on international data transfers, while governments and regulators provide holding statements as they digest the judgement. The UK Government has stressed the importance of international data transfers for global economies as well as for keeping society moving, which has become increasingly apparent in the time of Covid-19. The UK Government has expressed its disappointment with the invalidation of the Privacy Shield but stressed that it is working with the Information Commissioner's Office (ICO) to release updated guidance for businesses. The Schrems II decision has shrouded international data transfers in uncertainty (although they were not completely certain previously), so government or regulatory guidance would be welcome at this stage.
Last Thursday, the European Data Protection Board (EDPB) released its responses to frequently asked questions arising out of the judgement. Unfortunately, the EDPB guidance does not provide any new practical solutions for businesses to digest, but it does reiterate the strict approach being adopted to the protection of personal data. We have highlighted some key points coming out of the regulatory guidance below.
1. Is there a moratorium on regulatory action?
Not expressly. There have been differing views from the regulators. The EDPB has said a dry 'no', emphasising that the CJEU has invalidated the Privacy Shield without maintaining its effect and that any transfers on the basis of the Privacy Shield are 'illegal'. However, the ICO has released a statement that all businesses currently relying on the Privacy Shield may continue to do so until further guidance is released, although businesses should not start relying on the Privacy Shield at this time. While this may seem like welcome advice, it doesn't add any further certainty for businesses, as no timeline has been provided. Ultimately, if a company is transferring personal data from the EU to the US, it will need to move away from the Privacy Shield at some stage in the near future.
We have also seen guidance from the Department of Commerce (DofC) in the US that the Privacy Shield will continue to be used until further guidance can be provided. US Secretary of Commerce, Wilbur Ross, expressed his deep disappointment in the ruling and noted that his department would be reviewing the judgement in detail to understand its impact. The DofC will continue to administer the Privacy Shield program, including processing submissions and re-certifications to the Privacy Shield and maintaining the list of companies certified under it, until further guidance is provided. This provides some comfort to businesses, particularly US businesses, currently relying on the Privacy Shield, as it gives them some breathing room, although it does conflict with the EDPB view.
2. What about other transfer mechanisms under the GDPR?
The EDPB has made it clear that the threshold set by the judgement applies to all personal data transferred under Article 46 of the GDPR. Therefore, no matter what transfer mechanism you are relying on, you must establish that the transfer mechanism ensures, in a practical way, that all personal data is subject to safeguards in the third country to which it is being transferred that are 'essentially equivalent' to EU data protection laws. The EDPB stresses that all transfers under Chapter V of the GDPR must ensure that the 'level of protection of natural persons guaranteed by [the GDPR] is not undermined'. As such, supplementary measures may be required for all transfers, on a case-by-case basis, whatever the transfer mechanism. The EDPB does not provide any assistance as to what these 'supplementary measures' may look like, and businesses remain in the dark as to what exactly is required to meet the 'essentially equivalent' standard of EU law.
3. What about other third country transfers: can we still use the SCCs and Binding Corporate Rules?
The EDPB makes it clear that, while this judgment focused on transfers to the US, the same protection principles apply to other jurisdictions. The same assessment of national laws will have to be made for any other third country to which personal data is being transferred, to ensure the national laws will not impinge on the effectiveness of the transfer mechanism or any supplementary measures. Businesses will need to take note of all international transfers and run a similar assessment of the protection available (or not available) to the data subjects.
What is next?
The European Data Protection Board (EDPB) has stated that it will work closely with its US counterparts to establish a complete and effective framework that guarantees that the level of protection granted to data subjects in the US is essentially equivalent to the protection provided in the EU. We should remember that this is the second US data sharing regime to be struck down; the Privacy Shield was the response to the invalidation of the US Safe Harbour protections in 2015. This suggests it may be more difficult to find a speedy solution this time around which allows for data transfers from the EU to the US while adequately protecting the rights of EU data subjects.
As many regulators and government authorities (the UK and ICO included) are currently reviewing the impact of the judgement, we should expect to see ongoing guidance being released over the coming weeks and months.
Stay tuned to this Schrems II Series for ongoing updates and legal analysis of international developments concerning the Schrems II decision as and when they arise.
The judgement clarifies that the standard for appropriate safeguards in Article 46 GDPR is that of "essential equivalence".
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.