The European Data Protection Board has held its 34th plenary session, during which it adopted a statement on the CJEU’s ruling in Facebook Ireland v Schrems. The Board also adopted Guidelines on the relationship between the second Payment Services Directive (PSD2) and the GDPR on which there will now be consultation, as well as a response letter to MEP Duriš Nicholsonová on contact tracing, interoperability of apps and DPIAs.
Statement on Schrems
The EDPB has adopted a statement on the judgment in Schrems. Regarding the Privacy Shield, the EDPB points out that the EU and the US should work to achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the US is essentially equivalent to that guaranteed within the EU, in line with the judgment. The EDPB intends to continue playing a constructive part in securing transatlantic transfers of personal data.
With regard to Standard Contractual Clauses, the EDPB notes the primary responsibility of the exporter and the importer, when considering whether to enter into SCCs, to ensure that these maintain a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter on Human Rights. When carrying out such an assessment, the exporter (if necessary, with the assistance of the importer) shall consider the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime in the importer’s country. The Court emphasised that the exporter may have to consider putting measures in place in addition to those included in the SCCs. The EDPB will be looking further into what these additional measures could consist of.
The EDPB also takes note of the competent supervisory authorities’ duties to suspend or prohibit a transfer of data to a third country under SCCs, if, in the view of the competent supervisory authority and in light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or processor has not already itself suspended or put an end to the transfer.
The EDPB refers to its Guidelines on Article 49 GDPR and says that such derogations must be applied on a case-by-case basis.
The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries under the judgment.
PSD2 and GDPR
The EDPB also adopted Guidelines on the PSD2. PSD2 modernises the legal framework for the payment services market. Importantly, PSD2 introduces a legal framework for new payment initiation services (PISP) and account information services (AISP). Users can request that these new payment service providers are granted access to their payment accounts. Following a workshop in February 2019, the EDPB developed Guidelines on the application of the GDPR to these new payment services.
The Guidelines point out that in this context the processing of special categories of personal data is generally prohibited (in line with Article 9 (1) GDPR), except when explicit consent is given by the data subject (Article 9 (2) (a) GDPR) or processing is necessary for reasons of substantial public interest (Article 9 (2) (g) GDPR).
The Guidelines also address conditions under which Account Servicing Payment Service Providers grant access to payment account information to PISPs and AISPs, especially detailed access to payment accounts.
The Guidelines clarify that neither Article 66 (3) (g) nor Article 67 (2) (f) of the PSD2 allow for any further processing, unless the data subject has given consent under Article 6 (1) (a) of the GDPR or the processing is laid down by EU or national law. The EDPB will consult on the Guidelines.
Response letter to MEP Duriš Nicholsonová
Finally, the Board adopted a letter in response to MEP Duriš Nicholsonová’s questions on data protection in the context of the fight against COVID-19. The letter addresses questions on the harmonisation and interoperability of contact tracing applications, the requirement of a DPIA for such processing and the duration for which processing may be put in place.
