Schrems II: Reactions to the judgement and the supervisory authorities' recommendations – Update #29

"Schrems II": Opinions of the supervisory authorities on Schrems II and recommendations on the implementation of the judgement in international data transfers

On 16 July 2020, the Court of Justice of the European Union (CJEU) declared the EU-US Privacy Shield Decision invalid in its judgement in the "Schrems II" case (C-311/18). Standard contractual clauses ("SCCs") can still be used for data transfers, but the mere conclusion of a contract is not sufficient for this purpose. The same applies to binding corporate rules ("BCRs").

Examination requirements: The specific means of transferring and processing of personal data at the recipient of the data must comply with an adequate level of data protection

In the case of a transfer of personal data by means of SCCs, the data exporter has to assess whether an adequate level of data protection is guaranteed in the third country for the data affected by the transfer. It is not the general level of data protection in the third country that must be assessed, but the specific level of protection for the transferred data.

It is therefore necessary to assess the following:

  • The concrete communication network of the data: Risks to the level of protection may arise, for example, from government surveillance of transmission networks (for example, data transferred to the US via overseas cable may be subject to surveillance by US secret services, which may not occur in the case of another communication network);

  • The risks associated with saving the data with a specific recipient: Differences may arise, for example, from sector-specific legislation which forces certain recipients (e.g. telecommunications providers) to cooperate with secret services, whereas other data importers need not be affected by such legislation;

  • Whether reasonable alternatives exist (e.g. service providers established in the EU) that do not require international data transfer.

If this assessment reveals that the level of protection is not comparable to the European level, the data exporter must take additional measures to guarantee the protection of the data before the transfer. If these measures are not sufficient, personal data may no longer be transferred on the basis of SCCs.

Opinions of the supervisory authorities

Since the publication of the judgement, a large number of authorities have expressed their opinions and recommendations on the CJEU ruling. We document these comments in order to provide companies with assistance in implementing the ruling. Of particular importance are the recommendations of the European Data Protection Board (EDPB), the association of European supervisory authorities, which we have summarised in a separate article. In our table, we highlight the requirements that the supervisory authorities consider necessary when transferring data to third countries following the ruling. In June 2021, the data protection supervisory authorities initiated an ongoing control of companies in Germany regarding the implementation of the "Schrems II" decision of the CJEU. In that context, the supervisory authorities of many federal states are contacting companies with a common catalogue of questions. These questions cover the use of email service providers, web tracking, the hosting of websites and the handling of data of applicants and/or customers as well as the company's employees. We have indicated the participation of a federal state's data protection supervisory authority in this nationwide audit in the respective column of the authority with a corresponding note.

Newly updated

  • Germany – Baden-Württemberg: Orientation guide on international data transfers (with checklist)

  • Germany – North Rhine-Westphalia (new!): Annual report 2020

  • Switzerland: Information on the transfer of personal data to third countries based on SCCs and model contracts

Note: This article is updated regularly but does not claim to be complete. The opinions issued are linked in chronological order. Our table summarises the most recent opinion. It was last updated on 8 October 2021.

Authority/Board

Requirements for data transfers using SCCs

Need for action for the data exporter

European Data Protection Board (EDPB)

  • When SCCs or BCRs are used, the data exporter and importer must check the level of protection in the third country in question in order to determine whether the guarantees thus provided can be respected in practice.
  • Otherwise, it must be examined whether additional measures must be taken in order to guarantee a level of protection substantially equivalent to that in the EU and whether the law of the third country does not interfere with these additional measures in order to prevent their effectiveness.
  • To assess the sufficient guarantees for supervisory measures, the EDPB has published recommendations; the four main guarantees are that processing must be based on clear, precise and accessible rules, necessity and adequacy for legitimate purposes, the existence of an independent supervisory mechanism and effective legal protection for data subjects.
  • In the 43rd plenary session, EDPB refers to the challenges associated with data transfer to third countries.
  • The EDPB and the EDPS have adopted the joint opinions and a Recommendation on two sets of contractual clauses (SCCs). These are intended to provide legal certainty for individuals and their personal data. In particular, the new SCCs contain more specific safeguards in the event that the laws of the country of destination affect compliance with the clauses, for example in the case of mandatory requests by public authorities to disclose personal data. The former SCCs under Art. 46 of the GDPR are intended to replace the current SCCs for international data transfers.
  • If the assessment in a particular case leads to the conclusion that the country of the data importer does not offer a substantially equivalent level of protection, the exporter may have to consider safeguards additional to those contained in SCCs.
  • The EDPB has drafted a recommendation on how to complement transfer tools. These include, for example, pseudonymisation, encryption that is also effective against the recipient or the choice of a recipient who is protected against access by the law of the country of destination. On the other hand, it should not be possible for providers who have to access the data in plain text (e.g. in the case of cloud processing) and in relation to whom public authorities have access powers beyond the extent necessary for a democratic society to transmit data in conformity with data protection regulations.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:

17 July 2020: Press release

23 July 2020: FAQ

15 August 2020: Brief statement to BCRs

4 September 2020: Announcement working group

23 September 2020: Informal statement on timeframe

11 November 2020: Draft of a Recommendation 01/2020 of the EDPB on additional measures for transfer tools, press release and graph; Recommendations 02/2020 of the EDPB on adequate guarantees

20 November 2020: Press release to EU Commission consultation on the drafts to the new SCCs and the Recommendation 01/2020 of the EDPB

15 December 2020: Statement on the end of the Brexit transition period

15 December 2020: Information notice on data transfers under the GDPR to the United Kingdom after the transitional period

16 December 2020: Press release on 43rd plenary session

4 January 2021: Press release on EDPB adopted documents - 42nd and 43rd plenary sessions

14 January 2021: EDPB and EDPS Joint Opinion 1/2021 on standard contractual clauses between data controllers and processors.

14 January 2021: EDPB and EDPS Joint Opinion 2/2021 on standard contractual clauses for transfers of personal data to third countries.

15 January 2021: Press release

10 March 2021: Press release

13 April 2021: Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom; Opinion 15/2021 regarding the European Commission Draft Implementing Decision pursuant to Directive (EU) 2016/680 on the adequate protection of personal data in the United Kingdom

16 April 2021: Press release on Opinion 14/2021 and 15/2021

18 June 2021: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

21 June 2021: Press release on the final version of Recommendations on supplementary measures

European Data Protection Supervisor (EDPS)

While confirming the validity of SCCs in principle, the CJEU provided welcome clarifications on the responsibility of data exporters and European data protection authorities in taking into account the risks associated with access to personal data by third country authorities. The criteria established by the CJEU concern all appropriate safeguards under Art. 46 GDPR.

  • In order to determine the substantially equivalent level of protection, the EDPS will issue a guide on conducting Transfer Impact Assessments.
  • The new SCCs aim to ensure full harmonisation and legal certainty in the EU when it comes to contracts between controllers and their processors. The new SCCs contain more specific safeguards in case the laws of the country of destination affect compliance with the clauses, especially in the case of mandatory requests by public authorities to transfer personal data.
  • The effects of the judgement will be examined in detail, in particular with regard to contracts concluded by EU institutions. EU institutions are to assess and document the security risks of transfers to third countries in advance. This is to take place in so-called Transfer Impact Assessments (TIAs). For future data transfers from EU institutions, the EDPS strongly advises against transfers to the USA. The EDPS refers to Recommendations 01/2020 and 02/2020 in the newsletter and states: (i) processing should be based on clear, precise and accessible rules; (ii) necessity and proportionality to the legitimate objectives pursued must be demonstrated; (iii) an independent supervisory mechanism should be in place; (iv) effective remedies must be available to individuals.
  • The EDPS launched two investigations regarding the compliance with the Schrems II judgement. The first investigation is regarding the use of cloud services provided by Amazon Web Services and Microsoft by EU institutions, bodies and agencies under Cloud II contracts. The second investigation is regarding the use of Microsoft (Office) 365 by the European Commission.

History:

17 July 2020: Declaration

29 October 2020: Strategy for EU institutions

11 December 2020: Blog-post

21 December 2020: Newsletter (N84)

15 January 2021: Press release

19 April 2021: Annual Report 2020

27 May 2021: Press release

10 June 2021: From Lindqvist to Schrems II: case law of the CJEU on transfers of personal data to third countries

Bulgaria

  • Refers to the CJEU judgment and provides other protective mechanisms.

  • The data exporter must switch to alternative transfer mechanisms such as SCCs or BCRs.

History:

16 July 2020: Press release

Germany – Data protection conference

  • SCCs can, in principle, be used to transfer personal data to the USA and other third countries, but in the case of the USA only with additional safeguards.
  • The assessment of equivalent data protection in third countries is the responsibility of the controller and the recipient.

  • If no such protection can be provided in the third country, it should be examined what additional safeguards are possible.
  • This also applies to BCRs. Therefore, additional safeguards must also be agreed for data transfers based on BCRs, unless the rights of the data subject in the third country enjoy a level of protection equivalent to that in the Union.
  • The Data protection conference argues for encryption as a key means of securing data transfers to third countries.
  • In addition to the new SCCs further assessments and safeguards are necessary.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:

28 July 2020: Press release

26 November 2020: Press release

28 December 2020: Press release regarding Brexit

21 June 2021: Press release

Germany – Federal Commissioner for Data Protection and Freedom of Information (BfDI)

  • SCCs continue to be a possible basis for data transfer. The BfDI fully endorses the EDPB FAQ.
  • Appreciates the EDPS and EDPB statement on the European Commission's draft of SCCs.
  • International data traffic is still possible, although additional safeguards would be needed for transfers to the US. As such, encryption and pseudonymisation are particularly relevant.
  • Companies should check their contracts with service providers to see whether and how they transfer data to third countries.
  • Currently, the use of a Facebook fan page by German public offices is not possible in compliance with data protection. The BfDI underlines this opinion with regard to the Schrems II judgement in a letter to the German Federal Ministries and to the highest German public offices.

History:

16 July 2020: 1. Press release

24 July 2020: 2. Press release

1 October 2020: Interview with Ulrich Kelber (BfDI)

8 October 2020: Information letter with key messages of the judgement and verification scheme for international data transfer

24 October 2020: Podcast-Interview with Ulrich Kelber

15 January 2021: Opinion on revised standard data protection clauses

25 March 2021: Activity report 2020

25 June 2021: Letter from the BfDI to the German Federal Ministries and to the higher German public offices dated 16 June 2021

Without date: Practical impact of the Schrems II judgment on international data traffic (case C-311/18 "Schrems II")

Germany – Baden-Württemberg

  • SCCs have not been declared invalid in principle by the CJEU. In their further use, European companies and subsequently data protection authorities will have to assess on a case-by-case basis whether they are sufficient. This also applies to other third countries. In the case of the US, however, the result of this examination is clear, as almost no US company can give credible guarantees that it will be protected from access by the secret services. Further processing on the basis of the Privacy Shield would result in fines. SCCs would only be conceivable in rare cases.
  • Data transfers to the US are barely possible.
  • Criticises the judgement of the CJEU as it imposes European ideas of data protection on third countries and is difficult for companies to implement.
  • Published an orientation guide on international data transfers with checklist (see below).
  • Companies should verify which data they export to which countries. A data export is also the mere possibility of access (e.g. for maintenance). They must then check whether there is an adequacy decision for the country in question and if not, what the legal situation is in the third country in question.
  • Data exports on the basis of the Privacy Shield should be stopped immediately until a new transfer mechanism is in place.
  • This new transfer mechanism should be included in the data protection notices and in the records of processing activities.
  • Furthermore, suitable additional safeguards are required. For example, data exporters (in particular providers of cloud services) could provably encrypt the data in such a way that the data exporter alone holds the key and the secret services cannot overcome the encryption.
  • The decisive factor is whether there are reasonable alternatives without concerns regarding the transfer of data (e.g. agreement that data will be hosted in one of the Member States of the GDPR or that no data will be transferred to the US, pp. 8 and 10). If such alternatives exist, the LfDI Baden-Württemberg will prohibit personal data transfer.
  • E.g. Microsoft: According to the State Data Protection Commissioner, the measures taken are a good example for other companies to follow. Microsoft has supplemented its SCCs as follows: (i) recognition of compensation for material and immaterial damage of data subjects in Europe, (ii) an obligation to take legal action against orders issued by the US security authorities, insofar as this is possible, and (iii) the obligation to provide information to data subjects if a government order legally obliges Microsoft to submit data to the US security authorities. Further measures are required, such as encryption, to meet the requirements of the judgement.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:

20 July 2020: FAZ interview with Stefan Brink (LfDI BaWü)

21 August 2020: Handelsblatt interview with Stefan Brink

24 August 2020: Orientation guide (updated on 07 September 2020)

28 August 2020: Podcast interview with Stefan Brink

15 October 2020: Podcast interview with Stefan Brink

20 November 2020: Podcast Interview with Stefan Brink and Press release

4 January 2021: Press release

8 February 2021: Activity report 2020 and Press release

2 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU

September 2021: Orientation guide on international data transfers (with checklist)

Germany – Bavaria

It is recommended to refrain from services involving data transfers to third countries. Reference is made to the measures taken by Microsoft, which are an important step.

  • Data transfers to third countries without compliance regarding the Schrems II judgement must be stopped.

20 November 2020: Press release

1 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU

Without date: Transfer of personal data to third countries

Without date (2021): Interview Carlo Piltz with Alexander Filip (Head of Department 3 for international data transfer at the BayLDA), DSB 2021, 206 (juris)

Germany – Berlin

  • Data exporters and importers would be obliged to examine, before the first transfer of data, whether the authorities of that third country have access to the data which goes beyond what is permitted under GDPR. If such access rights exist, the SCCs cannot justify the export of the data either.
  • Data already transferred to the third country must be retrieved. Contrary to what has been widely held so far, the mere conclusion of SCCs is not enough to enable data exports.
  • Special obligations to examine exist in particular for data transfers to third countries such as China, Russia or India.

History:

17 July 2020: Press release

8 April 2021: Activity report 2020

1 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU

Germany – Brandenburg

1 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU

Germany – Bremen

10 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU.

Germany – Hamburg

  • The retention of SCCs by the CJEU is not consistent, as activities of the secret service also affect them. The data protection supervisory authorities must comply with the substantive requirements of the judgement, in particular the level of data protection in the recipient country. The EU had to protect data from access not only with US providers but worldwide.
  • Special obligations to examine exist in particular for data transfers to countries such as China, for which "such data protection safeguards are a far cry".

History:

16 July 2020: Press release

26 August 2020: Commentary in Handelsblatt

1 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU

Germany – Hesse

  • The Commissioner for Data Protection and Freedom of Information of Hesse explicitly requests all units processing data in Hesse to comply with the Schrems II judgement.
  • The Commissioner for Data Protection and Freedom of Information of Hesse advocates the initiative to safeguard international data transfers with regard to the addition of Microsoft's SCCs. The adequacy of U.S. data protection for European export companies is to be answered by a balancing decision.
  • The transfer of personal data to the USA without any additional measures is not possible.

20 November 2020: Press release

22 June 2021: Information on Schrems II and Press release

Germany - Lower Saxony

  • SCCs can only be used if they offer equivalent protection in the legal system of the third country concerned. The examination of the third country's legal system is subject to the equivalent standards as those applied in the case of an adequacy decision by the Commission. No such equivalent protection exists for the US. Therefore, additional safeguards were imperative.
  • The requirements for consent under Art. 49 GDPR are very high.
  • The authority has approved certain BCRs.
  • The Commissioner for Data Protection and Freedom of Information of Lower Saxony refers to the press release by the Data protection conference of 21 June 2021 (see above), in which the Data protection conference argues for further assessments and safeguards in addition to the new SCCs.
  • Data transfers to the US based solely on the Privacy Shield must be stopped immediately. Companies must carry out a comprehensive analysis of whether SCCs are sufficient and consider additional safeguards. These can be of a legal, technical or organisational nature. An adequate level of protection is lacking if the additional safeguards do not protect against disproportionate access by third country authorities and there is no effective legal protection in place. The same applies accordingly to the use of BCRs.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:

21 August 2020: FAQ on video conferencing services (questions 7-10)

4 November 2020: Thematic page on the Schrems II judgement (updated: January 2021)

11 February 2021: Press release

1 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU

Without date: Data transfer after Brexit

Germany – Mecklenburg-West Pomerania

  • System software, office and videoconference applications utilized by the institutions of the German Federal State Mecklenburg-West Pomerania cannot be operated without data traffic into third countries, esp. the USA, and therefore cannot be used in accordance with the law.
  • If additional safeguards (e.g. encryption or anonymization) cannot protect the personal data, the usage must be stopped, and institutions must utilize alternative services in accordance with the data protection law.

History:

17 March 2021: Press release

Germany – North Rhine-Westphalia

  • Companies must assess the level of protection in the recipient country prior to the transfer and might need to take additional measures that substantially ensure a level of protection as guaranteed in the European Economic Area. If appropriate measures are not apparent, a lawful transfer is not possible.
  • Advises controllers to review their usage of software and services that transfer or that can transfer data to a third country. The same also applies to processors transferring data to third countries if the controller issuing the contract is not subject to the GDPR.
  • In some cases, when data is transferred to a third country, it might be advisable to stop the transfer, to work without the products in question or to replace them.
  • There are data transfers to third countries that currently cannot be executed in a manner compliant with the requirements of data protection, so that data controllers should seek alternatives that can be executed without the transfer of data to a third country.

History:

August 2021: Annual report 2020

Germany - Rhineland-Palatinate

  • Companies cannot use SCCs to exempt themselves from their inspection obligations. They have to deal intensively with the national laws of the third country.
  • In particular, it remains unclear whether a supplementation of the SCCs in the concrete contractual relationship could be suitable as an additional safeguard, in particular by applying security laws such as Sec. 702 Foreign Intelligence Surveillance Act (FISA), since the US authorities are not bound to the SCCs.
  • As part of an "information offensive" on the subject, the LfDI Rhineland-Palatinate has published an inspection scheme to facilitate inspection by the controller.
  • The SCCs may need to be supplemented by other agreements or elements in order to ensure that the adequate level of protection is maintained when data is transferred to the third country. For data transfers to the US, this would mean a considerable effort for controllers, which can probably be considered sufficient only in rare cases. However, this was a question on a case-by-case basis.
  • At the same time, the controllers must examine their data transfers to other third countries, e.g. India, China or Russia, to see whether they comply with the level of data protection required by GDPR.
  • Companies must use alternative services from the EEA, even if these are more expensive.
  • The LfDI Rhineland-Palatinate will approach companies in the context of complaints or otherwise in the medium term in order to receive appropriate explanations.
  • The LfDI Rhineland-Palatinate urgently advises companies to check the lawfulness of ongoing data processing with regard to third countries using the LfDI's test scheme and, if necessary, to adapt their processes and to terminate or prevent data breaches.
  • Major changes to SCCs and BCRs or a Code of Conduct ("CoC") must be submitted to the supervisory authority with the application for approval. A continuous examination of the prerequisites of the transmission by the controller is necessary.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:

16 July 2020: Press release and FAQ

24 July 2020: Press release

22 September 2020: Podcast interview with Dr. Kugelmann (LfD Rhineland-Palatinate)

6 November 2020: Test scheme

10 November 2020: Short lecture by Dr. Kugelmann

10 November: Podcast-Interview with Sylvia Beck

29 December 2020: Press release

12 May 2021: Information offensive regarding data transfer to third countries

1 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU

21 June 2021: Press release

Germany – Saarland

1 June 2021: Participation in the nationwide initiative of the German data protection supervisory authorities to control companies in Germany with regard to the implementation of the "Schrems II" decision of the CJEU

Germany – Thuringia

  • The LfDI Thuringia refers to the "information offensive" of the LfDI Rhineland-Palatinate and the materials published there (see above).
  • It is unclear how data exporters and importers would achieve a result that corresponds with EU data protection rules when assessing SCC protection measures and compliance with them in the case of the US.
  • The LfDI Thuringia refers to the press release by the Data protection conference of 21 June 2021 (see above), in which the Data protection conference argues for further assessments and safeguards in addition to the new SCCs.

History:
17 July 2020: Press release

11 November 2020: Reference to information offensive to the LfDI RLP

22 June 2021: Press release

Denmark

  • Reference is made to the CJEU judgment, the implications of which need to be further analysed. The supervisory authority also refers to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • In connection with the Schrems II judgment, the Danish Data Protection Authority has decided to monitor the transfer of personal data to third countries by a number of companies and authorities.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:
20 July 2020: Press release

11 November 2020: Reference to the Recommendations 01/2020 and 02/2020 of the EDPB

13 November 2020: Reference to the EU Commission consultation on draft of the new SCCs

Without date: Brexit and data transfer to third countries

4 January 2021: Press release on the withdrawal agreement

12 January 2021: Priorities for the supervisory activities of the Danish Data Protection Authority in 2021 (Schrems II)

28 June 2021: Press release

Estonia

  • The responsibility for examining whether the protection of personal data by SCCs could (also in the future) be guaranteed now lies with the data exporter and importer. The supervisory authority also refers to the consultation on the Recommendation 01/2020 of the EDPB. In addition, statements are made on the classification of countries outside the EU. The supervisory authority addresses the safeguards of Art. 46 ff. taking into account the Schrems II judgement.
  • If the protection of personal data cannot be guaranteed, data transmission must be suspended. If the transfer is to continue, additional safeguards must be used.

History:
17 July 2020: Press release

12 November 2020: Reference to consultation on the Recommendation 01/2020 of the EDPB

17 November 2020: Comments on the classification of countries outside the EU

Finland

  • The Finnish Data Protection Officer refers to the EDPB FAQ (see above).
  • He has also asked companies to provide information on whether they use SCCs and what measures they have taken following the Schrems II judgement. The Finnish Data Protection Officer also refers to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • In the case of SCCs, controllers must assess the level of data protection in the third country. The data importer must assist in this examination.

History:
16 July 2020: Press release

22 July 2020: Reference to EDPB-guidelines

4 September 2020: Report on letters to companies

17 November 2020: Reference to EU Commission consultation on the drafts to the new SCCs and the Recommendation 01/2020 and 02/2020 of the EDPB

2 December 2020: Reference to EU Commission consultation of the draft to the new SCCs and Recommendation 01/2020 of the EDPB

8 June 2021: Press release

29 June 2021: Press release

5 July 2021: Press release

France

  • Data concerning health cannot be transferred to US cloud providers. This would apply even if the data were stored in Europe but US secret services could still access it through the CLOUD Act. A statement about less sensitive data was not associated with this. However, in the case in question, the French Supreme Administrative Court reversed the order.
  • One possible solution would be a data trusteeship of European companies. However, the French Supreme Administrative Court did not consider such a trusteeship necessary.

History:
17 July 2020: Press release

9 October 2020: Order concerning health data

13 October 2020: Judgement of the Supreme Administrative Court

28 December 2020: Press release regarding Brexit

Great Britain

See: United Kingdom

Greece

  • Refers to FAQ of the EDPB (see above).
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

No indications of any need for further action.

History:

19 January 2021: Press release

Ireland

  • The application of SCCs to the transfer of personal data to the US was questionable, as data transfers between the EU and the US were "inherently problematic", regardless of the legal transfer mechanism on a case-by-case basis. At least for Facebook, SCCs are not an adequate guarantee (even with additional safeguards).

In particular, the question of the admissibility of data transfers to the USA on the basis of SCCs required further and careful examination.

  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:
16 July 2020: Own press release

9 September 2020: Press release of Facebook

Without date: Guidelines for transfers of personal data from Ireland to the UK at the end of the transitional period (11.00 a.m. on 31 December 2020)

3 December 2020: Press release

25 February 2021: Activity report 2020

Iceland

  • Refers to the FAQ of the EDPB (see above).
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:

16 July 2020: Press release (updated: 24 July 2020)

18 December 2020: Press release

30 December 2020: Press release

8 July 2021: Press release

Israel

  • The EU-US Privacy Shield is also no longer available for Israel-US data transfers. The Israeli data protection authority had previously interpreted this as an adequate protection mechanism.
  • Companies need to consider whether they can use other safeguards.

History:

29 September 2020: Press release (English summary)

Italy

  • Refers to EDPB FAQ and links the EDPB press release to the Recommendations 01/2020 and 02/2020 (see above). The data protection authority also favors a political solution between the EU and the US and, in the longer term, other countries. The Transfer-Impact-Assessments of the Ministry of Economy and Finance for the implementation of a cashback program, the Recommendations 01/2020 of the EDPB and the judgement were included to assess the risks.
  • No indications of any need for further action.

History:

29 July 2020: Press release

17 November 2020: Speech of Guido Scorza

26 November 2020: Impact assessment of the Ministry of Economy and Finance for the implementation of the cash-back program

Without date: Graphical information regarding data transfer to the USA

Liechtenstein

  • Data may still be transferred to the USA on the basis of other appropriate guarantees in accordance with Art. 46 et seq. GDPR, in particular SCCs (standard data protection clauses). Furthermore, the DPA refers to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • The controller must design the additional measures taken in such a way that they ensure that the data transfer complies with the GDPR. If an equivalent level of protection is not guaranteed in the third country, the transfer of personal data must be stopped. Many U.S. applications are to be classified as critical.
  • According to the Data Protection Office of Liechtenstein it is not possible to use Google Analytics and Mailchimp in accordance with the GDPR regarding the Schrems II judgement due to data transfer to the USA.

Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”), but the Data Protection Office of Liechtenstein underlines that this decision is limited in time until 2025 and could also be subject to annulment by the CJEU. Therefore, the Data Protection Office emphasises the legal uncertainty of data transfers to the UK.

History:
17 July 2020: Press release and Guide

3 December 2020: Schrems II-Judgement: Update

7 January 2021: Press release

11 June 2021: Activity report 2020

1 July 2021: Press release

Lithuania

  • Reference is made to the CJEU judgement, the implications of which need to be further analysed.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:
20 July 2020: Press release

21 December 2020: Press release on the SCC template

19 January 2021: Press release on Brexit

Luxembourg

  • Agrees with the FAQ of the EDPB (see above) and refers to the obligations of the data exporter and importer regulated in the SCCs (clauses 4 and 5). Reference to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”). 
  • Data exporters have to make record of all international data transfers. They must analyse SCCs to determine whether they effectively protect personal data in the legal system of the third country. If SCCs alone do not provide equivalent protection, they must be supplemented by additional safeguards. These can be of a technical, organisational or legal nature.

History:

27 July 2020: Press release

7 October 2020: Presentation

17 November 2020: Reference to the Recommendations 01/2020 and 02/2020 of the EDPB

31 December 2020: Update of the Guidelines on Data Transfer to the United Kingdom

31 December 2020: Rules on data transfer for the period in the EU-UK Trade and Cooperation Agreement

20 January 2021: Press release

28 June 2021: Press release

1 July 2021: Press release regarding the adequacy decisions for UK

12 July 2021: Information regarding international data transfers and Brexit

Malta

  • Refers to the EDPB FAQ and the Recommendations 01/2020 and 02/2020 (see above)
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:

30 July 2020: Press release

11 November 2020: Press release Recommendation 01/2020 of the EDPB

12 November 2020: Press release Recommendation 02/2020 of the EDPB

15 January 2021:Press release

28 June 2021: Press release

Netherlands

  • SCCs are still a valid basis for data transfer to third countries, provided that an equivalent level of protection can be guaranteed. Reference is made, inter alia, to the CJEU's recitals that under US law, intelligence and security services have extensive powers of access to EU citizens' data which are "not limited to strictly necessary data".
  • The practical consequences of the judgment are still being examined by the EDPB. In case of doubt, the transfer to a third country should be stopped and the data processed within the EU.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:
20 July 2020: Press release

11 November 2020: Press release

16 April 2021: Press release

21 June 2021: Press release

Without date: Information on the Brexit and FAQ

Norway

  • International data transfers must be examined on a case-by-case basis. Data transfers to the USA are generally illegal. American surveillance laws (e.g. FISA Sec. 702 and EO 12333) often make effective additional safeguards impossible. There is no transitional period for the implementation of the Decision. The supervisory authority also refers to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • The supervisory authority announced that it would promptly update its information on the transfer of personal data to third countries.
  • Data exporters must ask the data importer which laws and conditions apply in the third country. They must then consider whether additional safeguards can be put in place. If these are not sufficient, they must stop the data transfer.

History:
16 July 2020: Press release

27 July 2020: FAQ

11 November 2020: Reference to the Recommendations 01/2020 and 02/2020 of the EDPB

31 December 2020: News on data transfer to the UK

21 June 2021: Press release

Austria

  • Data transfers to the US would only be possible with additional safeguards. There is no "grace period". Apart from that, the Austrian data protection authority refers to the opinion and FAQ of the EDPB (see above) as well as to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • The data exporter must consider additional safeguards. Further guidance will be published soon.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:

August 2020: Statement (updated November 2020)

Without date: Information on Brexit with regard to the Trade and Cooperation Agreement between the EU and the UK

Poland

  • Data exporters and importers must verify not only the compliance of the contractual provisions with EU law, but also the possibility for authorities of a third country to access these data. The Data Protection Officer also refers to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).
  • Provided that the level of protection of personal data is not equivalent to that in the EU, the transfer of data to a third country could also be based on other transfer mechanisms, insofar as these ensure a level of protection equivalent to that in the EU.

History:
20 July 2020: Press release

13 November 2020: Announcement on the Recommendations 01/2020 and 02/2020 of the EDPB

17 November 2020: Announcement on EU Commission consultation on the new SCCs

23 November 2020: Announcement on the consultation on the Recommendation 1/2020 of the EDPB

24 November 2020: Announcement on the EU Commission draft of the new SCCs

30 December 2020: Press release

19 January 2021: Press release

2 March 2021: Press release

30 June 2021: Press release

Romania

  • Alternative transfer mechanisms for data transmissions to the USA are referred to. According to this, BCRs, codes of conduct and certification mechanisms are available in addition to SCCs. Reference is also made to the Recommendations 01/2020 and 02/2020 of the EDPB. In the consultation between the supervisory authority and the Romanian-American Chamber of Commerce, reference was made to the judgement and Recommendations 01/2020 and 02/2020 of the EDPB.
  • It was pointed out that steps to be followed, potential sources of information and examples of complementary safeguards should be provided.

History:
20 July 2020: Press release

17 November 2020: Announcement on the Recommendations 01/2020 and 02/2020 of the EDPB

7 December 2020: Consultation of the Supervisory Authority and the Romanian-American Chamber of Commerce and note on the provision of information

Slovenia

  • It should be noted that SCCs and BCRs can serve as a legal basis instead of the Privacy Shield Decision. Reference is also made to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • So far, no indications of any need for further action.
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:
16 July 2020: Press release

16 November 2020: Announcement on the Recommendations 01/2020 and 02/2020 of the EDPB

7 January 2021: Note personal data can be transferred to the UK

27 June 2021: Press release

Sweden

  • Refers to the FAQ of the EDPB as well as to the Recommendations 01/2020 and 02/2020 of the EDPB (see above).
  • The authority has opened six investigations into data transfers to third countries and refers to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • The authority has approved certain BCRs.
  • So far, no indications of any need for further action beyond the EDPB FAQ.

History:

17 July 2020: Press release (updated: 20 July 2020)

16 November 2020: Information page on the Schrems II judgement

26 November 2020: Review by the supervisory authority

11 December 2020: Breach of GDPR – storage of personal data in American cloud, without sufficient level of protection

29 January 2021: Approval of certain BCRs regarding the transfer of data to non-EU countries by certain companies

Spain

  • The judgement marks a turning point in the legal framework for data transfers to the US. SCCs are still to be considered valid.
  • So far, no indications of any need for further action.
  • In any case, a uniform European approach is necessary for the implementation of the judgment in the EU countries.

History:
22 July 2020: Press release (updated: 9 October 2020)

Switzerland

  • Even the Swiss-U.S. Privacy Shield does not offer a sufficient level of data protection. A data transfer to the USA can therefore no longer be based on it. This is subject to any deviating ruling by Swiss courts. Contractual guarantees such as SCCs and BCRs continue to apply. However, the risks would have to be weighed up on a case-by-case basis, as under the GDPR.
  • Controllers should switch from Swiss-U.S. Privacy Shield to SCCs or BCRs.
  • Companies must verify whether the data importer is able to provide the participation required by Swiss law.
  • Additional safeguards would be necessary if the adequate level of data protection could not otherwise be maintained (e.g. seals).
  • Otherwise, it is recommended not to export the data.

History:
16 July 2020: Press release

8 September 2020: Statement on the Swiss-U.S. Privacy Shield (updated on 4 December 2020: Statement on the transfer of personal data to the USA and other states without an adequate level of data protection within the meaning of Art. 6 (1) DSG)

18 June 2021: Guidance on the assessment of international data transfer

August 2021: Information on the transfer of personal data to third countries based on SCCs and model contracts

Czech Republic

  • The requirements for the continued use of SCCs in transfers to the US were high. The risks would have to be assessed on a case-by-case basis. In particular, the CLOUD Act had to be considered.
  • Consult with the data importer on the extent to which it is affected by the CJEU ruling.
  • Examine additional safeguards (e.g. encryption without backdoor, metadata only in the EU).
  • Brexit: Regarding the UK the EU-Commission adopted two adequacy decisions (see “United Kingdom”).

History:
16 July 2020: Press release

7 August 2020: Information for Controllers

2 September 2020: Publication of FAQ on data transfer to third countries

7 January 2021: Press release

United Kingdom

  • The CJEU confirms that data transferred to third countries cannot lose its EU data protection standards. The judgement has wider implications than just the invalidity of the EU-U.S. Privacy Shield. It is a judgement that confirms the importance of safeguards for personal data transferred from the UK. Reference is also made to the Recommendations 01/2020 and 02/2020 of the EDPB.
  • Further efforts by the European Commission and the EDPB are in progress to provide more comprehensive guidance on additional measures that may need to be taken. In the meantime, companies should review their international transfers and react immediately when guidelines and advice become available. Practical and pragmatic advice and support will continue to be offered in view of the challenges facing businesses.
  • The EU-Commission adopted an adequacy decision regarding the UK under Art. 45 GDPR. The decision is limited in time until 27 June 2025. During that period the UK is not classified as an unsafe country for data transfer. Lastly, the European Parliament requested the EU Commission to amend the latest draft. Art. 5 of the Regulation No. 182/2011 and Art. 112 (2) of the Rules of Procedure of the European Parliament regulate the involvement of the Parliament.

History:

27 July 2020: Declaration of the ICO (Update on the Declaration of 17 July 2020)

13 November 2020: Statement on Recommendations 01/2020 and 02/2020 of the EDPB and the EU Commission consultation on the new SCCs

21 December 2020: Press release

28 December 2020: Statement by the ICO

19 February 2021: Press release of the EU Commission and Draft regarding GDPR and Draft regarding the Law Enforcement Directive

1 June 2021: Press release of the European Parliament

28 June 2021: Adequacy decision of the EU-Commission regarding the UK under Art. 45 GDPR

Without date: Data protection after the transition period (Brexit)

Cyprus

  • Explains the judgment and refers to the EDPB FAQ.
  • Data exporters must check the level of protection in the third country. If the level of protection is not sufficient, they should suspend a data transfer. If necessary, additional safeguards should be considered.

History:

20 July 2020: Press release