In the “Schrems II” judgment of 16 July 2020 (case C-311/18), the European Court of Justice (ECJ) declared the transfer of personal data to the US on the basis of the “Privacy Shield” agreement unlawful. This ruling had far-reaching consequences for international data transfers, going far beyond the “Privacy Shield” issues to be decided in the actual case.
As a result of the judgment, there has been considerable legal uncertainty regarding the use of online services of all kinds. The ruling also raised the question of whether data transfers not only to the US but to any third country without an adequate level of data protection can be based on the so-called Standard Contractual Clauses (SCCs). This includes countries such as Turkey, China and, from 1 January 2021, the UK.
The ECJ clarified that the guarantees provided by the SCCs for data transfers to third countries are no longer sufficient to ensure an adequate level of protection for personal data. Additional technical and contractual safeguards as well as an assessment of the risk to the data subjects are now necessary to justify a data transfer. However, the exact form of these additional safeguards remained unspecified for a long time. The only known reference was that the additional protection measures required would depend on the circumstances of the specific data transfer.
The Baden-Württemberg data protection authority was the first to provide some initial guidance and suggested a number of possible additional protective measures.
In November, the European Data Protection Board (EDPB) has now also published a draft set of implementation recommendations. These recommendations identify possible additional safeguards:
- encryption of the data and storage of the key in an EU Member State or in a third country with an adequate level of data protection;
- obligation of the data importer to notify the data exporter and/or data subject of requests for the release of data to foreign authorities
- obligation of the data importer to review the lawfulness of any order to disclose personal data and to challenge it, if necessary.
Even after the publication of the draft recommendations of the EDPB a large number of issues arising from the “Schrems II” judgment remain unresolved. For example, it is still unclear how to deal with online services provided by European subsidiaries of US businesses such as Google or Microsoft. Should the storage location of the data (within the EU) or the registered office of the parent company (in a third country) be taken into account because of the possibility that foreign authorities could ask them to disclose data? In any case, businesses transferring data to foreign service providers and partners must act now that the EDPB’s draft recommendations have been published.
But what needs to be done actually?
1. identify international data transfers
First of all, it is necessary to examine in which cases data are transferred to service providers and partners outside the EU. This should also take into account onward transfers, for example when a processor in the EU transfers personal data to a sub-processor in a third country. Remote access from a third country (e.g. for technical support) and storage in a cloud located outside the EEA are also considered transfers under the GDPR.
2. establishing additional protectice measures (“SCCs Plus”)
Furthermore, additional protective measures must be taken, the content and scope of which depend on the specifics of the individual transfer. They can be of a contractual, technical or organisational nature. However, contractual and organisational measures alone will generally not be sufficient to prevent or sufficiently restrict access to personal data by the authorities of the third country.
3. internal risk assessment as to whether the protective measures are sufficient to ensure an adequatelevel of protection
Finally, a comprehensive assessment must be made of the risks associated with the specific data processing for the users or customers concerned. Particular attention must be paid to the following points:
- the concrete risks arising from the circumstances of the transfer
- the specific risks associated with the processing of the data by the data importer
- the possibility of using alternative EU-based providers of the service in question
We will be happy to support you in carrying out such a review and in preparing the necessary documents.