Schrems II: Reactions to the judgement and the supervisory authorities' recommendations - Update #17

"Schrems II": Opinions of the supervisory authorities on Schrems II and recommendations on the implementation of the judgement in international data transfers

On 16 July 2020, the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield Decision invalid in its judgement in the "Schrems II" case (C-311/18). Standard contractual clauses ("SCCs") can still be used for data transfers, but the mere conclusion of a contract is not sufficient for this purpose. The same applies to binding corporate rules ("BCRs").

Examination requirements: the specific means by which personal data are transferred to, and processed by, the recipient must provide an adequate level of data protection

In the case of a transfer of personal data by means of SCCs, the data exporter has to assess whether an adequate level of data protection is guaranteed in the third country for the data affected by the transfer. It is not the general level of data protection in the third country that must be assessed, but the specific level of protection for the transferred data.

It is therefore necessary to assess the following:

  • The concrete communication network used for the data: risks to the level of protection may arise, for example, from government surveillance of transmission networks (for example, data transferred to the US via transatlantic cable may be subject to surveillance by US intelligence services, which may not be the case with another communication network);

  • The risks associated with storing the data with a specific recipient: differences may arise, for example, from sector-specific legislation which obliges certain recipients (e.g. telecommunications providers) to cooperate with intelligence services, whereas other data importers may not be affected by such legislation;

  • Whether reasonable alternatives exist (e.g. service providers established in the EU) that do not require international data transfer.

If this assessment reveals that the level of protection is not comparable to the European level, the data exporter must take additional measures to guarantee the protection of the data before the transfer. If these measures are not sufficient, personal data may no longer be transferred on the basis of SCCs.

Opinions of the supervisory authorities

Since the publication of the judgement, a large number of authorities have expressed their opinions and recommendations on the CJEU ruling. We document these comments in order to assist companies in implementing the ruling. Of particular importance are the recommendations of the European Data Protection Board (EDPB), the body in which the European supervisory authorities are represented, which we have summarised in a separate article. In our table, we highlight the requirements which the supervisory authorities consider necessary when transferring data to third countries following the ruling.


Note: This article is updated regularly but does not claim to be complete. The opinions issued are linked in chronological order. Our table summarises the most recent opinion. It was last updated on 29 December 2020.

Authority/Board | Requirements for data transfers using SCCs | Need for action for the data exporter

European Data Protection Board (EDPB)

  • When SCCs or BCRs are used, the data exporter and importer must check the level of protection in the third country in question in order to determine whether the guarantees thus provided can be respected in practice.
  • If not, it must be examined whether additional measures can guarantee a level of protection substantially equivalent to that in the EU, and whether the law of the third country undermines the effectiveness of those additional measures. To assess whether surveillance measures in the third country meet the required guarantees, the EDPB has published recommendations; the four European Essential Guarantees are that processing must be based on clear, precise and accessible rules, that necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated, that an independent oversight mechanism exists, and that effective remedies are available to data subjects.
  • At its 43rd plenary session, the EDPB addressed the challenges of data transfers to third countries in connection with Brexit and adopted an information note on data transfers under the GDPR after the end of the Brexit transition period.
  • If the assessment in a particular case leads to the conclusion that the country of the data importer does not offer a substantially equivalent level of protection, the exporter may have to consider safeguards additional to those contained in the SCCs.
  • The EDPB has drafted a recommendation on how to supplement transfer tools. Supplementary measures include, for example, pseudonymisation, encryption that is effective against the recipient as well (the importer holds no key), or the choice of a recipient that is shielded from access under the law of the country of destination. Conversely, no compliant transfer is possible to a provider that needs to access the data in the clear (e.g. for cloud processing) and whose public authorities have access powers going beyond what is necessary in a democratic society.

History:

17 July 2020: Press release

23 July 2020: FAQs

15 August 2020: Brief statement on BCRs

4 September 2020: Announcement of a working group

23 September 2020: Informal statement on the timeframe

11 November 2020: Draft Recommendations 01/2020 of the EDPB on supplementary measures for transfer tools, press release and graphic; Recommendations 02/2020 of the EDPB on the European Essential Guarantees

20 November 2020: Press release on the EU Commission consultation on the draft new SCCs and on Recommendations 01/2020 of the EDPB

15 December 2020: Statement on the end of the Brexit transition period

15 December 2020: Information note on data transfers under the GDPR to the United Kingdom after the transition period

16 December 2020: Press release on the 43rd plenary session

European Data Protection Supervisor (EDPS)

While confirming the validity of SCCs in principle, the CJEU provided welcome clarifications on the responsibility of data exporters and European data protection authorities to take into account the risks associated with access to personal data by third-country authorities. The criteria established by the CJEU apply to all appropriate safeguards under Art. 46 GDPR. To determine whether a substantially equivalent level of protection exists, the EDPS will shortly issue guidance on conducting Transfer Impact Assessments (TIAs).

The effects of the judgement will be examined in detail, in particular with regard to contracts concluded by EU institutions. EU institutions are to assess and document the risks of transfers to third countries in advance, in so-called Transfer Impact Assessments (TIAs). For future data transfers by EU institutions, the EDPS strongly advises against transfers to the USA.

In its newsletter, the EDPS refers to Recommendations 01/2020 and 02/2020 and restates the four guarantees: (i) processing should be based on clear, precise and accessible rules; (ii) necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated; (iii) an independent oversight mechanism should be in place; (iv) effective remedies must be available to individuals.

History:

17 July 2020: Declaration

29 October 2020: Strategy for EU institutions

11 December 2020: Blog post

21 December 2020: Newsletter (No. 84)

Bulgaria

Refers to the CJEU judgment and points to the other protective mechanisms available.

The data exporter must switch to alternative transfer mechanisms such as SCCs or BCRs.

History:

16 July 2020: Press release

Germany – Data Protection Conference (DSK)

  • SCCs can, in principle, be used to transfer personal data to the USA and other third countries, but in the case of the USA only with additional safeguards.
  • The assessment of equivalent data protection in the third country is the responsibility of the controller and the recipient.
  • If no such protection can be provided in the third country, it should be examined which additional safeguards are possible. This also applies to BCRs: additional safeguards must also be agreed for data transfers based on BCRs, unless the rights of the data subject in the third country enjoy a level of protection equivalent to that in the Union. Argues for encryption as a key means of securing data transfers to third countries.
  • Data transfers to the UK remain possible under the current conditions (according to the draft trade and cooperation agreement between the UK and the EU).

History:

28 July 2020: Press release

26 November 2020: Press release

28 December 2020: Press release regarding Brexit

Germany – Federal Commissioner for Data Protection and Freedom of Information (BfDI)

SCCs continue to be a possible basis for data transfer. The BfDI fully endorses the EDPB FAQ. 

  • International data traffic is still possible, although additional safeguards would be needed for transfers to the US. As such, encryption and pseudonymisation are particularly relevant.
  • Companies should check their contracts with service providers to see whether and how they transfer data to third countries.

History:

16 July 2020: First press release

24 July 2020: Second press release

1 October 2020: Interview with Ulrich Kelber (BfDI)

8 October 2020: Information letter with key messages of the judgement and a verification scheme for international data transfers

24 October 2020: Podcast interview with Ulrich Kelber

Germany – Baden-Württemberg

  • SCCs have not been declared invalid in principle by the CJEU. For their further use, European companies and subsequently the data protection authorities will have to assess on a case-by-case basis whether they are sufficient. This also applies to other third countries (e.g. the UK). In the case of the US, however, the result of this examination is clear, as almost no US company can give credible guarantees that it is protected from access by the intelligence services. Continued processing on the basis of the Privacy Shield would result in fines. SCCs would only be conceivable in rare cases.
  • Criticises the judgement of the CJEU because it imposes European ideas of data protection on third countries and is difficult for companies to implement.
  • Companies should verify which data they export to which countries. The mere possibility of access (e.g. for maintenance) also constitutes a data export. They must then check whether there is an adequacy decision for the country in question and, if not, what the legal situation in that third country is.
  • Data exports on the basis of the Privacy Shield should be stopped immediately until a new transfer mechanism is in place.
  • This new transfer mechanism should be reflected in the data protection notices and in the records of processing activities.
  • In the case of SCCs, certain additions to the clauses have to be made in any case (suggested wording in the guidance on pp. 11-13). Furthermore, suitable additional safeguards are required. For example, data exporters (in particular when using cloud service providers) could verifiably encrypt the data in a way in which the data exporter alone holds the key and which the intelligence services cannot overcome. The decisive factor is whether reasonable alternatives exist that raise no concerns regarding the transfer of data (e.g. an agreement that data will be hosted in a Member State subject to the GDPR or that no data will be transferred to the US, pp. 8 and 10). If such alternatives exist, the LfDI Baden-Württemberg will prohibit the transfer of personal data.
  • Example Microsoft: according to the State Data Protection Commissioner, the measures taken are a good example for other companies to follow. Microsoft has supplemented its SCCs as follows: (i) recognition of compensation for material and immaterial damage suffered by data subjects in Europe, (ii) an obligation to take legal action against orders issued by US security authorities, insofar as this is possible, and (iii) an obligation to inform data subjects if a government order legally obliges Microsoft to hand over data to US security authorities. Further measures, such as encryption, are required to meet the requirements of the judgement.

History:

20 July 2020: FAZ interview with Stefan Brink (LfDI BaWü)

21 August 2020: Handelsblatt interview with Stefan Brink

24 August 2020: Orientation guide (updated on 7 September 2020)

28 August 2020: Podcast interview with Stefan Brink

15 October 2020: Podcast interview with Stefan Brink

20 November 2020: Podcast interview with Stefan Brink and press release

Germany – Bavaria

It is recommended to refrain from using services that involve data transfers to third countries. Reference is made to the measures taken by Microsoft, which are an important step.

History:

20 November 2020: Press release

Germany – Berlin

Data exporters and importers are obliged to examine, before the first transfer of data, whether the authorities of the third country have access to the data going beyond what is permitted under the GDPR. If such access rights exist, SCCs cannot justify the export of the data either.

Data already transferred to the third country must be retrieved. Contrary to what has been widely assumed so far, the mere conclusion of SCCs is not enough to permit data exports.

Special obligations to examine exist in particular for data transfers to third countries such as China, Russia or India.

History:

17 July 2020: Press release

Germany – Hamburg

The CJEU's retention of SCCs is inconsistent, as the activities of the intelligence services affect them as well. The data protection supervisory authorities must enforce the substantive requirements of the judgement, in particular regarding the level of data protection in the recipient country. The EU has to protect data from access not only by US providers but worldwide.

Special obligations to examine exist in particular for data transfers to countries such as China, for which "such data protection safeguards are a far cry", as well as with regard to Brexit.

History:

16 July 2020: Press release

26 August 2020: Commentary in Handelsblatt

Germany – Hesse

The Hessian Commissioner for Data Protection and Freedom of Information welcomes Microsoft's initiative to safeguard international data transfers by supplementing its SCCs. Whether US data protection is adequate for European exporting companies is to be answered by a balancing decision.

History:

20 November 2020: Press release

Germany – Lower Saxony

SCCs can only be used if they offer equivalent protection within the legal system of the third country concerned. The examination of the third country's legal system is subject to the same standards as those applied in the case of an adequacy decision by the Commission. No such equivalent protection exists for the US. Additional safeguards are therefore imperative.

The requirements for consent under Article 49 GDPR are very high.

Data transfers to the US based solely on the Privacy Shield must be stopped immediately. Companies must carry out a comprehensive analysis of whether SCCs are sufficient and consider additional safeguards. These can be of a legal, technical or organisational nature. An adequate level of protection is lacking if the additional safeguards do not protect against disproportionate access by third country authorities and there is no effective legal protection in place. The same applies accordingly to the use of BCRs.

Data transfer to the United Kingdom is still possible.

History:

21 August 2020: FAQ on video conferencing services (questions 7-10)

4 November 2020: Thematic page on the Schrems II judgement

Without date: Data transfer after Brexit

Germany - Rhineland-Palatinate

Companies cannot use SCCs to exempt themselves from their examination obligations. They have to engage intensively with the national laws of the third country.

In particular, it remains unclear whether supplementing the SCCs in the specific contractual relationship can serve as an additional safeguard, given surveillance laws such as Sec. 702 Foreign Intelligence Surveillance Act (FISA), since the US authorities are not bound by the SCCs.

As part of an "information offensive" on the subject, the LfDI Rhineland-Palatinate has published an examination scheme to facilitate the assessment by the controller.

  • The SCCs may need to be supplemented by other agreements or elements in order to ensure that the adequate level of protection is maintained when data is transferred to the third country. For data transfers to the US, this means considerable effort for controllers, which can probably be considered sufficient only in rare cases. This remains, however, a case-by-case question.
  • At the same time, controllers must examine their data transfers to other third countries, e.g. India, China or Russia, to see whether they comply with the level of data protection required by the GDPR.
  • Companies must use alternative services from the EEA, even if these are more expensive.
  • The LfDI Rhineland-Palatinate will approach companies in the context of complaints, or otherwise in the medium term, in order to obtain appropriate explanations.
  • Major changes to SCCs and BCRs or a Code of Conduct ("CoC") must be submitted to the supervisory authority with the application for approval. Continuous examination of the prerequisites for the transfer by the controller is necessary.

History:

16 July 2020: Press release and FAQs

24 July 2020: Press release

22 September 2020: Podcast interview with Dr. Kugelmann (LfDI Rhineland-Palatinate)

6 November 2020: Examination scheme

10 November 2020: Short lecture by Dr. Kugelmann

10 November 2020: Podcast interview with Sylvia Beck

Germany – Thuringia

It is questionable how the EU's SCCs, which remain applicable, will be "brought to life" in the future.

The LfDI Thuringia also refers to the "information offensive" of the LfDI Rhineland-Palatinate and the materials published there (see above).

In particular, it is unclear how data exporters and importers are to arrive at a result consistent with EU data protection rules when assessing the protective measures of the SCCs, and compliance with them, in the case of the US.

History:

17 July 2020: Press release

11 November 2020: Reference to the information offensive of the LfDI Rhineland-Palatinate

Denmark

Reference is made to the CJEU judgment, the implications of which need to be analysed further. The supervisory authority also refers to Recommendations 01/2020 and 02/2020 of the EDPB and to the EU Commission consultation on the draft new SCCs.

It is suggested that action should be taken if the UK is not recognised as a safe third country.

History:

20 July 2020: Press release

11 November 2020: Reference to Recommendations 01/2020 and 02/2020 of the EDPB

13 November 2020: Reference to the EU Commission consultation on the draft new SCCs

Without date: Brexit and data transfers to third countries

Estonia

The responsibility for examining whether the protection of personal data by SCCs can be guaranteed (also in the future) now lies with the data exporter and importer. The supervisory authority also refers to the ongoing consultation on Recommendations 01/2020 of the EDPB. In addition, statements are made on the classification of countries outside the EU. The supervisory authority addresses the safeguards of Art. 46 et seq. GDPR in light of the Schrems II judgement.

If the protection of personal data cannot be guaranteed, data transmission must be suspended. If the transfer is to continue, additional safeguards must be used.

History:

17 July 2020: Press release

12 November 2020: Reference to the consultation on Recommendations 01/2020 of the EDPB

17 November 2020: Comments on the classification of countries outside the EU

Finland

The Finnish Data Protection Ombudsman refers to the EDPB FAQs (see above).

The Ombudsman has also asked companies to provide information on whether they use SCCs and what measures they have taken following the Schrems II judgement. The Ombudsman also refers to Recommendations 01/2020 and 02/2020 of the EDPB and to the EU Commission consultation on the draft new SCCs.

In the case of SCCs, controllers must assess the level of data protection in the third country. The data importer must assist in this examination.

History:

16 July 2020: Press release

22 July 2020: Reference to the EDPB guidelines

4 September 2020: Report on letters to companies

17 November 2020: Reference to the EU Commission consultation on the draft new SCCs and to Recommendations 01/2020 and 02/2020 of the EDPB

2 December 2020: Reference to the EU Commission consultation on the draft new SCCs and to Recommendations 01/2020 of the EDPB

France

Data concerning health cannot be transferred to US cloud providers. This applies even if the data are stored in Europe, since US intelligence services could still access them under the CLOUD Act. No statement was made about less sensitive data. In the case in question, however, the French Supreme Administrative Court reversed the order.

One possible solution would be a data trusteeship of European companies. However, the French Supreme Administrative Court did not consider such a trusteeship necessary.

History:

17 July 2020: Press release

9 October 2020: Order concerning health data

13 October 2020: Judgement of the Supreme Administrative Court

28 December 2020: Press release regarding Brexit

Greece

Refers to FAQs of the EDPB (see above).

No indications of any need for further action.

History:

30 September 2020: Press release

Ireland

The application of SCCs to transfers of personal data to the US is questionable, as data transfers between the EU and the US are "inherently problematic", regardless of the legal transfer mechanism used in the individual case. At least for Facebook, SCCs are not an adequate guarantee (even with additional safeguards).

In particular, the admissibility of data transfers to the USA on the basis of SCCs requires further and careful examination. With regard to Brexit, it must be assessed whether the level of protection required by EU law is provided in the UK in order to determine whether the guarantees offered by the SCCs can be complied with in practice. A service provider based in the UK should be consulted for this assessment.

History:

16 July 2020: Own press release

9 September 2020: Press release of Facebook

Without date: Guidelines for transfers of personal data from Ireland to the UK at the end of the transition period (11.00 p.m. on 31 December 2020)

Iceland

Refers to FAQs of the EDPB (see above).

According to the Data Protection Authority, all parties transferring personal data to the UK have expressly committed to supporting such transfers with appropriate safeguards under Chapter V of the GDPR.

History:

16 July 2020: Press release (updated: 24 July 2020)

18 December 2020: Press release

Israel

The EU-US Privacy Shield is also no longer available for Israel-US data transfers. The Israeli data protection authority had previously interpreted this as an adequate protection mechanism.

Companies need to consider whether they can use other safeguards.

History:

29 September 2020: Press release (English summary)

Italy

Refers to the EDPB FAQs and links the EDPB press release on Recommendations 01/2020 and 02/2020 (see above). The data protection authority also favours a political solution between the EU and the US and, in the longer term, with other countries. The Ministry of Economy and Finance's Transfer Impact Assessment for the implementation of a cashback programme took the judgement and Recommendations 01/2020 of the EDPB into account in assessing the risks.

No indications of any need for further action.

History:

29 July 2020: Press release

17 November 2020: Speech by Guido Scorza

26 November 2020: Impact assessment of the Ministry of Economy and Finance for the implementation of the cashback programme

Liechtenstein

Data may still be transferred to the USA on the basis of other appropriate safeguards in accordance with Art. 46 et seq. GDPR, in particular standard data protection clauses (SCCs). Furthermore, the DPA refers to Recommendations 01/2020 and 02/2020 of the EDPB and to the EU Commission's consultation on the draft new SCCs.

The controller must design the additional measures taken in such a way that they ensure that the data transfer complies with the GDPR. If an equivalent level of protection is not guaranteed in the third country, the transfer of personal data must be stopped. Many U.S. applications are to be classified as critical.

History:

17 July 2020: Press release and guide

3 December 2020: Schrems II judgement: update

Lithuania

Reference is made to the CJEU judgement, the implications of which need to be further analysed.

Presentation of a template for SCCs for public consultation. Subsequently, the proposals will be submitted to the EDPB for evaluation.

So far, no indications of any need for further action.

History:

20 July 2020: Press release

21 December 2020: Press release on the SCC template

Luxembourg

Agrees with the FAQs of the EDPB (see above) and refers to the obligations of the data exporter and importer regulated in the SCCs (clauses 4 and 5). Reference to the Recommendations 01/2020 and 02/2020 of the EDPB.

Data exporters have to keep a record of all international data transfers. They must analyse the SCCs to determine whether they effectively protect personal data within the legal system of the third country. If the SCCs alone do not provide equivalent protection, they must be supplemented by additional safeguards, which may be of a technical, organisational or legal nature. Reference is made to the EDPB's roadmap for determining compliance of third-country transfers.

History:

27 July 2020: Press release

7 October 2020: Presentation

17 November 2020: Reference to Recommendations 01/2020 and 02/2020 of the EDPB

Malta

Refers to the EDPB FAQs and Recommendations 01/2020 and 02/2020 (see above).

So far, no indications of any need for further action.

History:

30 July 2020: Press release

11 November 2020: Press release on Recommendations 01/2020 of the EDPB

12 November 2020: Press release on Recommendations 02/2020 of the EDPB

Netherlands

SCCs are still a valid basis for data transfer to third countries, provided that an equivalent level of protection can be guaranteed. Reference is made, inter alia, to the CJEU's recitals that under US law, intelligence and security services have extensive powers of access to EU citizens' data which are "not limited to strictly necessary data".

The practical consequences of the judgment are still being examined by the EDPB. In case of doubt, the transfer to a third country should be stopped and the data processed within the EU.

History:

20 July 2020: Press release

11 November 2020: Press release

Norway

International data transfers must be examined on a case-by-case basis. Data transfers to the USA are, as a rule, unlawful. US surveillance laws (e.g. FISA Sec. 702 and EO 12333) often make effective additional safeguards impossible. There is no transitional period for the implementation of the judgement. The supervisory authority also refers to Recommendations 01/2020 and 02/2020 of the EDPB.

Data exporters must ask the data importer which laws and conditions apply in the third country. They must then consider whether additional safeguards can be put in place. If these are not sufficient, they must stop the data transfer.

History:

16 July 2020: Press release

27 July 2020: FAQ

11 November 2020: Reference to Recommendations 01/2020 and 02/2020 of the EDPB

Austria

Data transfers to the US would only be possible with additional safeguards. There is no "grace period". Apart from that, the Austrian data protection authority refers to the opinion and FAQs of the EDPB (see above) as well as to the Recommendations 01/2020 and 02/2020 of the EDPB.

The data exporter must consider additional safeguards. Further guidance will be published soon.

History:

August 2020: Statement (updated November 2020)

Poland

Data exporters and importers must verify not only the compliance of the contractual provisions with EU law, but also the possibility of third-country authorities accessing the data. The supervisory authority also refers to Recommendations 01/2020 and 02/2020 of the EDPB, to the EU Commission consultation on the new SCCs and to the consultation on Recommendations 01/2020 of the EDPB.

Even where the third country's level of protection is not equivalent to that in the EU, transfers to that country may be based on other transfer mechanisms, insofar as these ensure a level of protection equivalent to that in the EU.

History:

20 July 2020: Press release

13 November 2020: Announcement on Recommendations 01/2020 and 02/2020 of the EDPB

17 November 2020: Announcement on the EU Commission consultation on the new SCCs

23 November 2020: Announcement on the consultation on Recommendations 01/2020 of the EDPB

24 November 2020: Announcement on the EU Commission draft of the new SCCs

Romania

Alternative transfer mechanisms for data transmissions to the USA are referred to. According to this, BCRs, codes of conduct and certification mechanisms are available in addition to SCCs. Reference is also made to the Recommendations 01/2020 and 02/2020 of the EDPB. In the consultation between the supervisory authority and the Romanian-American Chamber of Commerce, reference was made to the judgement and Recommendations 01/2020 and 02/2020 of the EDPB.

It was pointed out that steps to be followed, potential sources of information and examples of complementary safeguards should be provided.

History:

20 July 2020: Press release

17 November 2020: Announcement on Recommendations 01/2020 and 02/2020 of the EDPB

7 December 2020: Consultation between the supervisory authority and the Romanian-American Chamber of Commerce, and note on the provision of information

Slovenia

It should be noted that SCCs and BCRs can serve as a legal basis instead of the Privacy Shield Decision. Reference is also made to the Recommendations 01/2020 and 02/2020 of the EDPB.

So far, no indications of any need for further action.

History:

16 July 2020: Press release

16 November 2020: Announcement on Recommendations 01/2020 and 02/2020 of the EDPB

Sweden

Refers to the FAQs and to Recommendations 01/2020 and 02/2020 of the EDPB (see above). The authority has opened six investigations into data transfers to third countries.

So far, no indications of any need for further action beyond the EDPB FAQs.

History:

17 July 2020: Press release (updated: 20 July 2020)

16 November 2020: Information page on the Schrems II judgement

26 November 2020: Review by the supervisory authority

11 December 2020: Breach of the GDPR: storage of personal data in an American cloud without a sufficient level of protection

Spain

The judgement marks a turning point in the legal framework for data transfers to the US. SCCs are still to be considered valid.

So far, no indications of any need for further action.

In any case, a uniform European approach is necessary for the implementation of the judgment in the EU countries.

History:

22 July 2020: Press release (updated: 9 October 2020)

Switzerland

The Swiss-U.S. Privacy Shield likewise does not offer a sufficient level of data protection, so a data transfer to the USA can no longer be based on it. This is subject to any divergent case law of the Swiss courts. Contractual safeguards such as SCCs and BCRs continue to apply; however, the risks have to be weighed on a case-by-case basis, as under the GDPR.

  • Controllers should switch from the Swiss-U.S. Privacy Shield to SCCs or BCRs.
  • Companies must verify whether the data importer is able to provide the cooperation required by Swiss law.
  • Additions to the SCCs should be considered (no example wording is provided).
  • Additional safeguards are necessary if the adequate level of data protection cannot otherwise be maintained (e.g. seals).
  • Otherwise, it is recommended not to export the data.
  • Further guidance for controllers will follow.

History:

16 July 2020: Press release

8 September 2020: Statement on the Swiss-U.S. Privacy Shield

Czech Republic

The requirements for the continued use of SCCs in transfers to the US are high. The risks have to be assessed on a case-by-case basis. In particular, the CLOUD Act has to be taken into account.

Consult with the data importer on the extent to which it is affected by the CJEU ruling.

Examine additional safeguards (e.g. encryption without backdoor, metadata only in the EU).

History:

16 July 2020: Press release

7 August 2020: Information for controllers

2 September 2020: Publication of FAQs on data transfers to third countries

United Kingdom

The CJEU confirms that data transferred to third countries cannot lose its EU data protection standards. The judgement has wider implications than just the invalidity of the EU-U.S. Privacy Shield. It is a judgement that confirms the importance of safeguards for personal data transferred from the UK. Reference is also made to the Recommendations 01/2020 and 02/2020 of the EDPB and the EU Commission consultation on the new SCCs.

Further efforts by the European Commission and the EDPB are in progress to provide more comprehensive guidance on additional measures that may need to be taken. In the meantime, companies should review their international transfers and react immediately when guidelines and advice become available. Practical and pragmatic advice and support will continue to be offered in view of the challenges facing businesses.

The ICO recommends that companies which work with EU and EEA organisations and exchange personal data with them establish alternative transfer mechanisms so that the free flow of personal data from the EU to the UK is not disrupted. To this end, the ICO is publishing guidance and measures. For most companies and organisations, SCCs are the best alternative.

History:

27 July 2020: Declaration of the ICO (update of the declaration of 17 July 2020)

13 November 2020: Statement on Recommendations 01/2020 and 02/2020 of the EDPB and on the EU Commission consultation on the new SCCs

21 December 2020: Press release

28 December 2020: Statement by the ICO

Cyprus

Explains the judgment and refers to the EDPB FAQ.

Data exporters must check the level of protection in the third country. If the level of protection is not sufficient, they should suspend a data transfer. If necessary, additional safeguards should be considered.

History:

20 July 2020: Press release