Keypoint: The EDPB’s FAQs resolve some open questions, such as whether there will be a grace period for companies relying on Privacy Shield, but raise other questions, such as what “supplementary measures” companies need to put in place to use Standard Contractual Clauses and Binding Corporate Rules.

In the wake of the Court of Justice of the European Union’s Schrems II judgment, on July 23, 2020, the European Data Protection Board (EDPB) adopted a Frequently Asked Questions document to “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB stated that the document will be updated, and further guidance provided, as it continues to examine and consider the judgment.

The six-page FAQ document provides the following guidance:

No Grace Period for Companies Relying on Privacy Shield

In the wake of the Court invalidating the EU-U.S. Privacy Shield, companies had questioned whether there would be a grace period for companies relying on Privacy Shield as their mechanism to conduct cross-border transfers. The EDPB clarified that there is no grace period to continue cross-border transfers under Privacy Shield. Rather, “transfers on the basis of this legal framework are illegal.” Companies that wish to continue transferring data must do so using a different legal method.

Standard Contractual Clauses (SCCs) Must be Examined by the Parties on a Case-By-Case Basis, Taking into Account the Circumstances of the Transfers and the Supplementary Measures that Can be Put into Place

The EDPB noted that the Court validated the Commission’s Decision 2010/87/EC on SCCs. However, the EDPB emphasized the Court’s holding that the SCCs impose obligations on both data exporters and data importers “to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether” the parties can comply “with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR.” Data importers are required to “inform the data exporter of any inability [of the data importer] to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clause[s].” In other words, parties cannot simply agree to the SCCs. There must be an assessment of the underlying legal and factual circumstances of the transfer.

To that end, the EDPB explained that the Court found that U.S. law does not ensure an essentially equivalent level of protection because of Section 702 of FISA and EO 12333. Therefore, “[w]hether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place.” The EDPB continued: “The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent” supervisory authority.

Yet, the EDPB was unwilling to identify what “supplementary measures” companies would employ. Rather, it stated that it “is looking further into what these supplementary measures could consist of and will provide more guidance.”

The Court’s Decision Applies to the use of Binding Corporate Rules (BCRs)

The EDPB explained that “[g]iven the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool.” Therefore, companies relying on BCRs also must conduct an assessment of the data transfers.

These Rules Apply to Transfers to All Third Countries

The EDPB clarified that the Court’s decision – and the EDPB’s guidance – does not just impact data transfers to the U.S. Rather, “the threshold set by the Court for transfers to the U.S. applies for any third country.” The EDPB explained: “You can contact your data importer to verify the legislation of its country and collaborate for its assessment. Should you or the data importer in the third country determine that the data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EEA, you should immediately suspend the transfers. In case you do not, you must notify your competent” supervisory authority.

Data Controllers that Have Entered into Article 28 Data Processing Agreements that Allow for the Cross-Border Data Transfers Must Take Action or Stop the Transfers

According to the EDPB: “If your data may be transferred to the U.S. and neither supplementary measures can be provided to ensure that U.S. law does not impinge on the essentially equivalent level of protection as afforded in the EEA provided by the transfer tools, nor derogations under Article 49 GDPR apply, the only solution is to negotiate an amendment or supplementary clause to your contract to forbid transfers to the U.S. Data should not only be stored but also administered elsewhere than in the U.S.”