European Data Protection Board: Guidelines on invalid Privacy Shield

Dr. Julia Bruck, Tobias Vößing


The European Data Protection Board (“EDPB”) is an independent European body that contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. It is composed of representatives of the national data protection authorities and the European Data Protection Supervisor (“EDPS”).

On July 23, 2020, the EDPB issued answers to frequently asked questions regarding the judgment of the Court of Justice of the European Union (the “Court”) in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems. In this judgment, the Court examined the Privacy Shield Decision and declared it invalid, because the U.S. law assessed by the Court does not provide a level of protection essentially equivalent to that guaranteed in the EU. For further information, please see this article regarding the ECJ ruling. The frequently asked questions regarding this judgment were received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court. The answers of the EDPB are as follows:

First of all, there is no grace period. The Court has invalidated the Privacy Shield Decision without maintaining its effects.

Accordingly, transferring data to a U.S. data importer on the basis of the Privacy Shield framework is unlawful. Transfers may still be possible on the basis of Standard Contractual Clauses (“SCCs”), but only if an assessment that takes the circumstances of the transfer into account shows that an adequate level of protection can be ensured, where necessary by means of supplementary measures. Those supplementary measures, together with the SCCs and following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.

The same applies with regard to data transfers using Binding Corporate Rules (“BCRs”) with an entity in the U.S.

The EDPB will assess the consequences of the judgment on transfer tools other than SCCs and BCRs.

It is still possible to transfer data from the EEA to the U.S. on the basis of the derogations foreseen in Article 49 GDPR. In particular, data transfers can be based on the explicit consent of the data subject, provided that the consent is given specifically for the particular data transfer or set of transfers and that the data subject is properly informed, particularly as to the possible risks of the transfer. Note, however, that consent is revocable.

With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred on this basis when the transfer is occasional. In any case, this derogation can only be relied upon when the transfer is objectively necessary for the performance of the contract.

Regarding transfers necessary for important reasons of public interest, the public interest in question must be recognized in EU or Member State law, and such transfers cannot take place on a large scale and in a systematic manner.

SCCs can, as a rule, still be used to transfer data to a third country; however, the threshold set by the Court for transfers to the U.S. applies to any third country. The same goes for BCRs. Here too, supplementary measures would have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following an assessment of the law of the third country, in order to check whether it ensures an adequate level of protection. The threshold set by the Court generally also applies to all appropriate safeguards under Article 46 GDPR used to transfer data from the EEA to any third country.