European Data Protection Board Confirms: No Safe Harbor for Privacy Shield Members

As we discussed last week, the Court of Justice of the European Union (“CJEU”) recently ruled that the EU-US Privacy Shield Framework is no longer a valid legal mechanism to transfer personal data from the EU to the US under GDPR (the “Schrems II” decision).

Last Friday, the European Data Protection Board (“EDPB”), an independent EU body composed of composed of representatives from EU member state data protection authorities, issued early but definitive guidance on Schrems II. In its Frequently Asked Questions on the Judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the EDPB stated unequivocally that reliance on Privacy Shield is illegal immediately. There will be no grace period. The guidance leaves organizations with few options to support transfers of personal data to the US. And the options that do remain, under the EPDB guidance, are flawed and incomplete. 

This post will discuss the key points from the EDPB’s guidance, and offer some thoughts on what organizations impacted by Schrems II should do next.

The EDPB’s Guidance

The CJEU did not invalidate other transfer mechanisms, such as standard contractual clauses (“SCCs”) but noted these mechanisms would be subject to case-by-case review by the data transferors and data protection authorities. The EDPB guidance confirms this point and articulates several positions that raise serious doubts about the short and long term stability of international data transfers to “inadequate” countries.

  • As expected, the EDPB confirmed that use of SCCs for transfers to the US will require “supplementary measures.” The EDPB declined to provide specific guidance as to what those supplementary measures would be or include but stated its intention to issue additional guidance on that point . . . someday. So, Privacy Shield is unavailable and SCCs alone are insufficient. But what should be done to render SCCs sufficient remains unclear.
  • The EDPB expects the supplementary measures—whatever they may be—to “ensure that US law does not impinge on the adequate level of protection [the SCCs] guarantee.” Said another way: private parties will need to develop . . . something . . . that will prevent the US government from exercising its authority under surveillance laws such as the Foreign Intelligence Surveillance Act (FISA) to obtain EU personal data. The impossibility of that objective may explain why the EDPB needs a little more time on that guidance.
  • Data importers and data exporters must evaluate each of their data transfers to inadequate countries such as the US. If they conclude that their data cannot be sufficiently protected, even with supplementary measures in place, but the data exporter intends to proceed with the transfer anyway, then it must inform its supervisory data protection authority. In other words, self-report the violation to the relevant regulator.
  • Schrems II highlighted the conflict between FISA and GDPR. A party subject to both may find itself unable to comply with both. Thus, the EDPB guidance notes that transferring personal data under any available legal mechanism (e.g., binding corporate rules) will be subject to the same analysis that applies to SCCs if that transfer uses transfer methods subject to FISA. This observation confirms that transfers undertaken through electronic means such as email and telecommunications networks will be subject to scrutiny.
  • Derogations (exceptions) to GDPR’s transfer restrictions under GDPR Article 49 are still available, including an individual’s consent and transfers necessary to carry out a contract with a data subject. But these derogations have always been difficult to use broadly. For example, consent to a transfer must be both “explicit” and “freely given,”  standards that can be difficult or impossible to meet when using clickthrough terms, combined consents, or situations when the individual has no meaningful choice.
  • The EDPB’s guidance explicitly confirms that all the same considerations that apply to transfers that involve the active processing of personal data also apply to the mere storage or maintenance of personal data by a processor or subprocessor in the US. In other words, do not try to argue that a transfer is not in jeopardy because the processor only stores personal data, but does not “really” process it.
  • Although Schrems II focused on the US and its surveillance laws, the EDPB acknowledges that the same concerns will arise for other countries that lack an adequacy finding. Assuming the EDPB does not back down from the positions above, you can expect these criticisms to extend to China and the UK post-Brexit.

What Should You Do Now?

While this news is unwelcome and discouraging, there are some things you can do now to constructively address the EDPB guidance.

  • Put SCCs in place for transfers for which Privacy Shield was the sole legal basis. Even though supplementary measures may be needed once your case-by-case review is conducted (see below) it would be prudent to provide at least a baseline legal mechanism for these transfers as soon as possible. Not all transfers will necessarily require supplementary measures, and the nature of these measures has yet to be clarified, so it may be prudent to consider that in a later remediation phase.
  • Continue to comply with Privacy Shield in the short term. The US Department of Commerce has stated that it will continue to administer Privacy Shield, which means there is at least some risk of continued enforcement by the FTC. Importantly, if you represented compliance in contracts with commercial customers, you should not simply drop the program and risk a contractual violation. These customers’ transfers should be addressed through an alternate transfer method first (see above).
  • Inventory your data transfers from the EU and perform a transfer assessment. Identifying at-risk transfers is a necessity to comply with the EDPB guidance and identify those transfers that may require supplementary measures. You should identify the data at issue, the purpose of the transfer, the recipient (data importer), and any processors or subprocessors. It will also be necessary to consider the in-country surveillance laws to which those parties are subject to perform this assessment. Implement supplementary measures for any transfers identified in your inventory that warrant these extra measures. Transfers that cannot be made compatible with GDPR must be terminated or notified to the supervisory authority, based on EDPB guidance.
  • Monitor for statements from the EDPB and other regulatory authorities. Once we have more clarity about suitable supplementary measures, it should be possible to assess which transfers to the US (and other countries with extensive surveillance laws) are salvageable, and how they may be salvaged. Remain mindful, however, of the relevant supervisory authority’s views. As we noted last week, individual data protection authorities have already taken harder-line approaches than would be indicated in the EDPB guidance.
  • Monitor for updates from major telecom and cloud providers in the US. We expect these parties may issue supplementary measures to support the large volume of transfers they and their customers engage in daily. Whether these measures can satisfy EU authorities, however, remains to be seen.

If you need assistance with international data transfers, including implementing SCCs, evaluating individual transfers, or developing supplementary measures, please contact any member of our team.