Schrems II: A Brief Guide

In its recent judgement C-311/18 (‘Schrems II’), the Court of Justice of the European Union (‘CJEU’) reiterated that the protection granted to personal data in the European Economic Area (‘EEA’) must remain in place wherever the data goes, as protection in third countries must be essentially equivalent to the protection given within the EEA. In light of the CJEU’s judgment, the European Data Protection Board (‘EDPB’) has published a paper outlining its recommendations on transfer tools to ensure compliance with the EU level of protection of personal data. The recommendations were adopted on 10 November 2020, however, many will still not be aware of them.

The EDPB has specified 5 steps for exporters of personal data to take to ensure an essentially equivalent level of protection for personal data being transferred to third countries. As the right to data protection is considered fundamental by EU primary law, controllers and processors must seek to comply in an active and continuous manner by implementing legal, technical and organisational measures that ensure its effectiveness. They must also be able to demonstrate these efforts to data subjects, the general public and data protection supervisory authorities, in line with the principle of accountability.

Step 1: Know Your Transfer

Exporters must be aware of where personal data goes to ensure that it receives an essentially equivalent level of protection wherever it is processed. Exporters must also verify that the data they transfer is adequate, relevant and limited to what is necessary.  This may be achieved by building on the records of processing activities that exporters may be obliged to maintain as a controller or processor under Article 30 GDPR, as well as their obligations to inform data subjects under Articles 13.1.F and 14.1.F GPDR about transfers of personal data to third countries.

The EDPB highlights that when mapping transfers, do not forget to take into account onward transfers. This is when processors outside the EEA transfer the personal data entrusted to them to a sub-processor in another third country or the same third country. Remote access from a third country and/or storage in a cloud situated outside the EEA is also considered to be a transfer. When using international cloud storage, exporters must assess if data will be transferred to third countries and where, unless the cloud provider clearly states in its contract that the data will not be processed at all in third countries. 

Step 2: Identify the transfer tools you are relying on

The second step for exporters is to identify the transfer tools they are relying on as stated in Chapter 5 of the GDPR. Exporters should also be aware that the European Commission may recognise through adequacy decisions that third countries offer an adequate level of protection for personal data.  Adequacy decisions mean that personal data can flow from the EEA to that third country without any Article 46 GDPR transfer tool. However, exporters must still monitor if adequacy decisions relevant to their transfers are revoked or invalidated. Exporters should also note that data subjects are still able to file a complaint and supervisory authorities can bring a case before a national court if they have doubts about the validity of a decision. The main transfer tools within Article 46 GDPR are:

• Standard data protection clauses (‘SCCs’);
• Binding corporate rules (‘BCRs’);
• Codes of conduct;
• Certification mechanisms; and
• Ad hoc contractual clauses.

Whichever transfer tool exporters use, they must ensure that, overall, transferred personal data will have essentially equivalent protection. Supplementary measures may still be needed even where there are appropriate contractual safeguards that apply to transfers to all third countries.

Step 3: Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer

The transfer tool must ensure that the level of protection guaranteed by the GDPR is not undermined by the transfer. The EDPB asks exporters to consider the following factors:

• Assess if there is anything in the law or practice of the third country that may reduce the effectiveness of the safeguards you are relying on. The data importer should provide you with the relevant sources and information relating to the third country in which it is established and the laws applicable to the transfer;
• The assessment should take into consideration all the actors participating in the transfer. You will also need to factor this assessment into any onward transfer that may occur;
• Consider the characteristics of each transfer and determine how the domestic legal order of the country applies to these transfers;
• Applicable legal context depending on the circumstances of the transfer;
• Where legislation in third countries is lacking, you should look into other relevant and objective factors, conduct the assessment with due diligence and document it thoroughly, as you will be held accountable to the decision you may take on that basis.

Step 4: Adopt supplementary measures

If the assessment under step 3 has revealed that the transfer tool is not effective, then exporters will need to consider whether supplementary measures exist which could help provide essentially equivalent protection. These must be identified on a case-by-case basis.

Exporters may look at the following (non-exhaustive) list of factors to identify which supplementary measures would be most effective in protecting the data transferred:

• Format of the data to be transferred (e.g., in plain text/pseudonymised or encrypted);
• Nature of the data;
• Length and complexity of data processing workflow, number of actors involved in the processing, and the relationship between them;
• Possibility that the data may be subject to onward transfers, within the same third country or even to other third countries (e.g., involvement of sub-processors of the data importer).

If exporters are unable to identify these supplementary measures you must cease the transfer of data. If exporters are already conducting transfers, they are required to suspend or end doing so. Data already transferred and any copies should be returned or destroyed in their entirety by the importer. If exporters decide to continue the transfer, they should notify the competent supervisory authority, which may suspend or prohibit data transfers where there is not an essentially equivalent level of protection. The competent supervisory authority may impose any other corrective measure (e.g., a fine) if exporters cannot demonstrate an essentially equivalent level of protection in the third country,  but they start or continue the transfer.

Step 5: Procedural steps if exporters have identified effective supplementary measures

The procedural steps may differ depending on the transfer tool the exporter is using or will use.

SCCs

• Where exports intend to put in place supplementary measures in addition to SCCs, there is no need for exporters to request an authorisation from the competent supervisory authority to add these clauses or additional safeguards, as long as the supplementary measures do not contradict the SCCs and are sufficient to ensure that the level of protection guaranteed by the GDPR is not undermined. The data exporter and importer need to ensure and be able to demonstrate that additional clauses cannot be construed in any way to restrict the rights and obligations in the SCCs or in any other way to lower the level of data protection. The competent supervisory authorities have the power to review these where required (e.g., in the case of a complaint);
• Where exporters wish to modify the standard data protection clauses themselves or where the supplementary measures added contradict the SCCs, exporters are not deemed to be relying on standard contractual clauses and must seek authorisation from the competent supervisory authority per Article 46(3)(a) GDPR. 

BCRs

• The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, exporters should assess whether they can provide supplementary measures to ensure an essentially equivalent level of protection and if the law or practice of the third country will not prevent the effectiveness of the supplementary measures.

Ad hoc contractual clauses

• The reasoning put forward by the Schrems II judgment also applies to other transfer instruments as all of these instruments are contractual, so the guarantees foreseen and the commitments taken by the parties cannot bind third country public authorities. The precise impact of the Schrems II judgment on ad hoc clauses is still under discussion and the EDPB will provide more details as soon as possible. 

Step 6: Re-evaluate at appropriate intervals

Exporters must monitor developments in the third country to which they have transferred personal data which could affect the initial assessment of the level of protection and the decisions made; accountability is a continuing obligation (Article 5(2) GDPR).

Exporters should put sufficiently sound mechanisms in place to ensure that they promptly suspend or end transfers where:

• the importer has breached or is unable to honour the commitments it has taken in the Article 46 GDPR transfer tool; or
• the supplementary measures are no longer effective in that third country.