Recommendations on Managing Personal Data Transfer Compliance Post Schrems II
On the 16th of July 2020, the Court of Justice of the EU (CJEU) issued its much anticipated Schrems II judgement, in which it invalidated the EU-US Privacy Shield. This created considerable uncertainty about the legality of data transfers to the USA, given that the Privacy Shield was one of the main frameworks used to legitimise personal data flows between the EU and the USA.
Crucially, the Schrems II judgement has a spill-over effect on the legality of all transfers of personal data from the EU to any other third country (non-EU country). In this regard, the European Data Protection Board (EDPB) helpfully moved swiftly to issue a set of Frequently Asked Questions (FAQs) on the judgement.
Although the CJEU invalidated the Privacy Shield with immediate effect (from the date of the Schrems II ruling), the other personal data transfer mechanisms were not invalidated. These include the derogations for specific situations provided for under Article 49 of the GDPR, which include (among others) the explicit consent of the data subject to a proposed transfer.
The use of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) as a method of legitimising personal data transfers to third countries is still possible. However, as a result of the Schrems II judgement, these transfer mechanisms need to be carefully assessed, and additional safeguards will be necessary to meet the “essential equivalence” of protection afforded to a data transfer between EU member states.
Overall, this effectively means that every entity that transfers data from the EU to a non-EU country needs to carefully revisit and assess the legality of its data transfer mechanisms.
In view of the above, below we set out a list of generic suggested action items:
Data exporters should review existing agreements to determine whether personal data transfers to third countries occur under such agreements and if so, which is the legal mechanism used to legitimize the transfer;
If personal data was being transferred pursuant to the Privacy Shield, such transfer should immediately cease and an alternative legal mechanism for legitimizing the transfer should be identified;
If SCCs or BCRs are used, each data exporter and data importer should first assess whether the level of protection required by EU law is respected in the third country of the data recipient concerned. This determines whether the guarantees provided by the SCCs or the BCRs can be complied with in practice and ensure “essential equivalence” to the protection afforded to a data transfer between EU countries. If this is not the case, supplementary measures will need to be introduced to ensure that the level of protection remains “essentially equivalent” to the protection applicable to intra-EU transfers;
If it is determined that the personal data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EU, the entity should consider suspending the data transfer until an alternative legal mechanism legitimizing the transfer is identified;
When analysing commercial agreements and data protection related agreements, one should also assess whether authorisation was granted to processors (or possibly other independent controllers or joint controllers) to engage sub-processors or other third parties that transfer data to third countries;
Careful attention needs to be paid to the IT solutions used by an entity, since the use of many common IT solutions inherently leads to transfers to third countries (mostly the USA and China). The same considerations apply to the continued lawful use of such IT solutions; and
The broad definition given to the term “processing” under the GDPR should be kept in mind, as even mere “storage” of, or “access” to, personal data by a third party located in a non-EU country would trigger a “transfer”.
This article was written by Managing Partner Dr Ian Gauci and Senior Associate Dr Terence Cassar.