Securing your data transfers after Schrems II

Article
BE Law
EU Law

On 16 July 2020 the European Court of Justice (ECJ) issued a landmark judgment in the Schrems II case (case C‑311/18). The judgment significantly changes the regulatory landscape for transfers of personal data from the European Economic Area (EEA) to third countries that are not covered by an adequacy decision of the European Commission.
Below we present the most important highlights of the judgment, which will hopefully assist you in assessing the consequences for your business operations.

Privacy Shield

The ECJ has invalidated Commission Implementing Decision 2016/1250, which had established the EU-US Privacy Shield. Among other things, the ECJ held that U.S. surveillance programmes such as PRISM and UPSTREAM do not satisfy the principle of proportionality, and that data subjects whose personal data are transferred do not have sufficiently effective and enforceable rights against U.S. authorities.

Any transfers of personal data to entities established in the U.S. that were based solely on the self-certification of those entities under the Privacy Shield are no longer lawful. The judgment provides no grace period, so such transfers should be suspended until other ‘adequate measures’ have been implemented that secure their lawfulness.

Standard Contractual Clauses (SCC)

The ECJ further clarified that for transfers of data that are based on the execution of standard contractual clauses (SCC), it must be ensured that the data subjects are afforded “appropriate safeguards, enforceable rights and effective legal remedies”.

Verification of the level of protection

Firstly, the data exporter and importer must assess whether the transfer based on SCC provides an adequate level of protection, taking into consideration both (i) the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and (ii), as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country.

Consequently, an exporter established in the EU and an importer of personal data in a third country are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned. For this second aspect, the factors to be taken into consideration correspond to those set out, in a non-exhaustive manner, in Article 45(2) of the GDPR:

  • the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
  • the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
  • the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

Supplementary measures

Secondly, the ECJ clarified that the SCC adopted by the European Commission are intended solely to provide contractual guarantees, irrespective of the particular situation in a third country. Since a contract cannot bind the public authorities of that country, data controllers may, depending on the outcome of the assessment of the level of protection in the third country, be required to adopt supplementary measures in order to ensure the level of protection required under EU law. It is the primary responsibility of the data exporter and the data importer to make this assessment and to put such supplementary measures in place where needed.

According to the European Data Protection Board (EDPB), supplementary measures need to be assessed on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country. The EDPB announced that it will issue guidance on what these ‘supplementary measures’ can entail. Examples of such supplementary measures could include the following:

  • broader and stricter contractual commitments in addition to the SCC;
  • encryption measures, with the keys held by the exporter in the EEA rather than by the importer;
  • pseudonymisation techniques, whereby the importer does not gain access to the “raw” personal data as such, to the extent the processing activities allow this;
  • swift deletion rules, whereby the importer must delete the data immediately upon completion of the processing activity;
  • granting the importer only read-only access to data hosted in the EEA, from devices that do not allow copying or printing the data (“thin clients”);
  • minimising the personal data before sharing them with the data importer;
  • etc.
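To make the pseudonymisation and minimisation measures in the list above concrete, here is an added illustration written for this page; it is not code from the article, the EDPB or any supervisory authority. It assumes an exporter in the EEA holding customer records (constructed sample data), an importer that needs only country and order totals, and an HMAC-SHA256 pseudonym keyed with a secret that stays in the EEA. The field names, the key handling and the relink routine are assumptions for the example.

```python
"""Added illustration: keyed pseudonymisation and data minimisation of a
record set before it is transferred to an importer outside the EEA.

Assumptions (not from the article): the exporter keeps the HMAC key in the
EEA; the importer only needs 'country' and 'order_total'; direct identifiers
are replaced by a pseudonym that only the exporter can re-link.
"""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample data, as an EEA exporter might hold it (fictitious values).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"customer_id": "C-1001", "name": "Anna Peeters", "email": "anna@example.org",
     "iban": "BE68539007547034", "country": "BE", "order_total": 119.90},
    {"customer_id": "C-1002", "name": "Jan De Smet", "email": "jan@example.org",
     "iban": "BE71096123456769", "country": "BE", "order_total": 45.00},
    {"customer_id": "C-1003", "name": "Marie Dubois", "email": "marie@example.org",
     "iban": "FR7630006000011234567890189", "country": "FR", "order_total": 310.25},
]

# Minimisation: the only fields the importer's (assumed) processing needs.
FIELDS_FOR_IMPORTER = ("country", "order_total")
# Direct identifiers that must never leave the EEA in the clear.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email", "iban")


def generate_exporter_key() -> bytes:
    """256-bit secret key. It stays with the exporter in the EEA and is never
    shared with the importer; without it the pseudonyms cannot be reversed."""
    return secrets.token_bytes(32)


def pseudonymise(key: bytes, value: str, domain: str) -> str:
    """HMAC-SHA256 pseudonym of an identifier. The domain prefix stops
    pseudonyms of different identifier types from colliding or being
    cross-linked (same value, different domain gives a different pseudonym)."""
    mac = hmac.new(key, f"{domain}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def prepare_for_export(key: bytes, records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Replace the record identifier with a pseudonym and copy only the fields
    the importer needs; every direct identifier is dropped."""
    exported = []
    for rec in records:
        out = {"pseudonym": pseudonymise(key, rec["customer_id"], "customer")}
        for field in FIELDS_FOR_IMPORTER:
            out[field] = rec[field]
        exported.append(out)
    return exported


def leaks_direct_identifier(exported: Iterable[Dict[str, Any]]) -> bool:
    """Pre-transfer check: True if any direct identifier survived minimisation.
    An exporter should refuse to transfer when this returns True."""
    return any(field in rec for rec in exported for field in DIRECT_IDENTIFIERS)


def relink(key: bytes, pseudonym: str, records: Iterable[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Exporter-side re-identification: recompute pseudonyms with the retained
    key and match in constant time. The importer, lacking the key, cannot."""
    for rec in records:
        candidate = pseudonymise(key, rec["customer_id"], "customer")
        if hmac.compare_digest(candidate, pseudonym):
            return rec
    return None


if __name__ == "__main__":
    key = generate_exporter_key()
    exported = prepare_for_export(key, SAMPLE_RECORDS)
    if leaks_direct_identifier(exported):
        raise SystemExit("direct identifier present, refusing transfer")
    for row in exported:
        print(row)
    original = relink(key, exported[0]["pseudonym"], SAMPLE_RECORDS)
    print("relinked by exporter:", original["customer_id"])
```

Two caveats a practitioner should keep in mind. Pseudonymised data remain personal data under the GDPR, because the exporter can re-link them, so this measure narrows what the importer can see rather than taking the transfer outside the Regulation. And because the pseudonym is deterministic, the importer can still link records about the same customer across exports; that is usually wanted for analytics, but if it is not, the key (or the domain string) should be rotated per transfer.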

On 24 August 2020, the Data Protection Authority of the German state of Baden-Württemberg issued guidance on what these supplementary measures could entail. Among other things, it suggested specific amendments to the SCC and recommended encryption and anonymisation/pseudonymisation techniques.

The Belgian Data Protection Authority has indicated that it is currently examining the consequences of the judgment and is making every effort to ensure the protection of the fundamental right to data protection and privacy while safeguarding the free exchange of data between the European Economic Area and third countries.

Competence of supervisory authorities

Lastly, the ECJ confirmed the competence – and indeed the obligation – of a supervisory authority to suspend or prohibit transfers of personal data to a third country where it considers that the standard data protection clauses are not or cannot be complied with in that country and that the protection of the transferred data required by EU law cannot be ensured by other means, and where the controller or processor has not itself suspended or ended the transfer.

This implies an ongoing obligation for data exporters to monitor and ensure that the SCC they have put in place are effectively complied with by the data importers, in order to preserve the continuity of the data transfers (and, as a result, of the business operations that depend on them).

As always, our TMT team is available to provide you with more detailed information. We can also assist you in carrying out the necessary assessments and, where required, implementing supplementary safeguards for secure and GDPR-compliant data transfers.