The European Data Protection Board has published FAQs on the decision in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems. The FAQs say that there is no grace period for organisations transferring personal data outside the EEA (although national regulators have told organisations not to take any immediate decisions).
The FAQs summarise the court decision and consider other transfer tools other than the Privacy Shield. The document says that there is no grace period because the Court has invalidated the Privacy Shield Decision without maintaining its effects, because the US law assessed by the Court does not provide an essentially equivalent level of protection to the EU’s legal regime. This assessment has to be taken into account for any transfer to the US. Transfers on the basis of the Privacy Shield are illegal unless other conditions set out in the FAQs apply.
The FAQs also consider the use of standard contractual clauses (SCCs) and of binding corporate rules (BCRs) to transfer data to the US, and say that if an organisation concludes that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, it is required to suspend or end the transfer of personal data. However, if an organisation intends to keep transferring data despite this conclusion, it must notify its national authority.
The EDPB also considers other transfer tools under Article 46 GDPR. The EDPB says that it will assess the consequences of the judgment on transfer tools other than SCCs and BCRs and points out that the judgment clarifies that the standard for appropriate safeguards in Article 46 GDPR is that of “essential equivalence”.
A further FAQ considers the use of derogations under Article 49 of the GDPR where the transfer is based on consent, or there is a requirement to fulfil the contract with the data subject, or there are reasons for public interest, and refers to its own guidance about this provision.
The EDPB also considers the use of SCCs and BCRs to transfer personal information to other countries and says they are still permitted but organisations need to make the same assessments about the level of protection of personal data in those countries as they would for the US and “supplementary measures” may be required. The supplementary measures would have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, to check if it ensures an adequate level of protection. The EDPB is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own. The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance.
It says that national regulators will have a key role to play when enforcing the GDPR and when issuing further decisions on transfers to third countries. As invited by the Court, to avoid divergent decisions, they will work within the EDPB to ensure consistency, in particular if transfers to third countries must be prohibited.
Finally the EDPB considers the position of data controllers using processors who transfer personal data to third countries and says that if a controller cannot be sure that a transfer to the US or a third country can take place lawfully, it needs to amend its contracts to forbid transfers to the US. Further, processing activity should take place in the EEA.
