At its 34th plenary session on Friday 17 July, the European Data Protection Board (EDPB) adopted a statement on the CJEU's ruling in the Schrems II case. In summary, the EDPB noted:
- it is standing by to assist the European Commission to help build, together with the US, a new framework to replace the Privacy Shield;
- in relation to the Standard Contractual Clauses ("SCCs"), whilst these remain valid, the EDPB highlights that the judgement has emphasised the need for the SCCs to ensure, in practice, a level of protection that is essentially equivalent to that guaranteed under the GDPR in light of the EU Charter;
- it is primarily the obligation of the exporter and importer to assess whether the third country offers adequate protection when considering use of the SCCs;
- as part of this prior assessment, the exporter (if necessary, with help from the importer) must take into account the content of the SCCs, the circumstances of the transfer and the legal regime in the third country where the importer is located (in light of the non-exhaustive factors under Art 45(2) of the GDPR);
- if this assessment concludes the importer does not provide an essentially equivalent level of protection, the exporter may need to put in place "additional measures to those included in the SCCs". The EDPB has not clarified at this stage what these additional measures could be, but notes it is looking further into what these could consist of.
From a UK perspective, on 16 July the ICO stated it is "considering the judgement from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy" and that the ICO stands "ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected."
In addition, the ICO notes on its website it is "currently reviewing our Privacy Shield guidance after the judgement issued by the European Court of Justice on Thursday 16 July 2020" and that "if you are currently using Privacy Shield please continue to do so until new guidance becomes available". The ICO also notes on its website "please do not start to use Privacy Shield during this period".
The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.
While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR. If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.
The CJEU’s judgment also recalls the importance for the exporter and importer to comply with their obligations included in the SCCs, in particular the information obligations in relation to change of legislation in the importer’s country. When those contractual obligations are not or cannot be complied with, the exporter is bound by the SCCs to suspend the transfer or terminate the SCCs or to notify its competent supervisory authority if it intends to continue transferring data.
