
Schrems II Resources

Conduct EU-US Data Transfer Risk Assessments based on Schrems II decision

  • Pre-built EU-US Data Transfer Risk Assessments
  • Automatically identify and remediate risks
  • Real-time collaboration and messaging

Automation of privacy assessment collection from third parties, collaboration among stakeholders, follow-ups and compliance analytics


Identify and review data transfers from the European Union

  • Gather information on data assets & processes
  • Generate visual data maps
  • Identify cross-border data transfers
  • Initiate PIAs/DPIAs or Schrems II risk assessments

Simplify gathering information, dynamically update your data catalog, and automate assessments and reports


Manage and remediate discovered vendor risks

  • Comprehensive view of vendor assessment risks
  • Trendlines over time through a consolidated risk score
  • Automated vendor privacy ratings

Overview

After the invalidation of the Privacy Shield, many companies are relying on Standard Contractual Clauses (SCCs) in order to continue transferring the data of EU citizens to companies based in countries that are not deemed adequate for data transfers.

After the CJEU judgment, it is clear that these companies must conduct risk assessments with the data recipients in those countries in order to ensure that there are sufficient controls to mitigate any potential data protection or regulatory risk.

Schrems-II DPA Response Table

Securiti.ai is staying on top of how regulators are reacting to the Schrems-II decision. Check back to stay updated on the latest guidance.

Updated October 20, 2020

Table columns: Supervisory Authority | Comments | Guidance on Risk Assessment and Additional Safeguards | Privacy Shield invalidated? | Applies to Binding Corporate Rules (BCRs)? | Article 49 derogations limited? | Sources
Supervisory Authority: European Data Protection Supervisor (EDPS)

Comments:

"The EDPS welcomes that the Court of Justice of the European Union, in its landmark Grand Chamber judgment of 16 July 2020, reaffirmed the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries...The EDPS notes that the Court, while in principle confirming the validity of Standard Contractual Clauses (SCC), provided welcomed clarifications regarding the responsibilities of controllers and European DPAs to take into account the risks linked to the access to personal data by the public authorities of third countries. European supervisory authorities have the duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country. As the supervisory authority of the EU institutions, bodies, offices and agencies, the EDPS is carefully analysing the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies. The example of the recent EDPS’ own-initiative investigation into European institutions’ use of Microsoft products and services confirms the importance of this challenge."

Guidance on Risk Assessment and Additional Safeguards:

Keeping in view the risk-based approach, the EDPS recommends (1) short-term action plans for data transfers to the United States that present high risks, and (2) medium-term action plans for all data transfers to the U.S. and other third countries.

(1) Short-term action plans:

* Mapping: Pursuant to the order of the EDPS released on 5 October 2020, EUIs shall carry out an inventory of all on-going cross-border data processing activities. As part of the mapping exercise, EUIs will maintain in their inventories descriptions of data processing operations, destinations, recipients, transfer tools used, types of transferred personal data, categories of data subjects affected, and information on onward transfers.

* Reporting: Based on the above mapping exercise, EUIs shall report by 15 November 2020 on the specific risks and gaps they were able to identify. EUIs are expected to provide specific and transparent information on (1) illegal data transfers that are not based on any transfer tool, (2) transfers based on the derogations under Article 50 in Chapter V of Regulation (EU) 2018/1725, and (3) data transfers that present a high risk to data subjects. The third category includes all high-risk transfers to U.S. entities that are subject to Section 702 FISA or E.O. 12333, and transfers that involve large-scale processing, sensitive personal data, or data of a highly personal nature.

The EDPS strongly encourages EUIs to avoid any data processing activity that involves transferring personal data to the U.S., and to adopt a strong precautionary approach when using any new service provider or engaging in a new data processing operation.

(2) Medium-term action plans:

* Transfer impact assessments: The EDPS shall provide a list of preliminary questions to EUI data controllers for conducting transfer impact assessments (TIAs) with data importers. Based on the results of the TIAs, EUIs shall assess whether or not a particular third country provides an essentially equivalent level of data protection to that provided in the EU/EEA. If an EUI decides to continue the data transfer to the third country, it shall identify and implement supplementary measures or additional safeguards to ensure essentially equivalent data protection standards in the third country. The EUI shall also assess whether the conditions of the derogations are adequately fulfilled where a cross-border transfer was permitted on the basis of derogations.

* Reporting: Depending on the results of the TIAs, EUIs will be asked to report to the EDPS in spring 2021 on the following data transfer categories:

  * Transfers to a third country that does not ensure an essentially equivalent level of protection;

  * Transfers that are suspended or terminated, which shall be notified in line with Article 47(2) in Chapter V of Regulation (EU) 2018/1725, where the EUI considers that the third country does not ensure an essentially equivalent level of protection;

  * Transfers that are based on derogations, which shall be notified in line with Article 50(6) in Chapter V of Regulation (EU) 2018/1725.

The goal of the EDPS is to ensure that all ongoing and upcoming international data transfers comply with the EU Charter of Fundamental Rights, the GDPR, the CJEU’s decision in the Schrems II case and any other applicable legal requirement. It aims to issue long-term compliance action plans based on the results of the TIAs and mapping exercises.

Privacy Shield invalidated: Yes
Applies to Binding Corporate Rules (BCRs): NA
Article 49 derogations limited: NA
Sources: Press Release | 17th July 2020; Strategy Document | 29th October 2020
Supervisory Authority: European Data Protection Board (EDPB)

Comments:

"The EDPB welcomes the CJEU’s judgment, which highlights the fundamental right to privacy in the context of the transfer of personal data to third countries...While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.

If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.

The CJEU’s judgment also recalls the importance for the exporter and importer to comply with their obligations included in the SCCs, in particular the information obligations in relation to change of legislation in the importer’s country. When those contractual obligations are not or cannot be complied with, the exporter is bound by the SCCs to suspend the transfer or terminate the SCCs or to notify its competent supervisory authority if it intends to continue transferring data.

The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer.

The EDPB recalls that it issued guidelines on Art 49 GDPR derogations (2); and that such derogations must be applied on a case-by-case basis.

The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment."

Guidance on Risk Assessment and Additional Safeguards:

I am using SCCs with a data importer in the U.S., what should I do?

"The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent SA."

Can I continue to use SCCs or BCRs to transfer data to another third country than the U.S.?

"The Court has indicated that SCCs as a rule can still be used to transfer data to a third country, however the threshold set by the Court for transfers to the U.S. applies for any third country. The same goes for BCRs. The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness.

You can contact your data importer to verify the legislation of its country and collaborate for its assessment. Should you or the data importer in the third country determine that the data transferred pursuant to the SCCs or to the BCRs are not afforded a level of protection essentially equivalent to that guaranteed within the EEA, you should immediately suspend the transfers. In case you do not, you must notify your competent SA. Although, as underlined by the Court, it is the primary responsibility of data exporters and data importers to assess themselves that the legislation of the third country of destination enables the data importer to comply with the standard data protection clauses or the BCRs, before transferring personal data to that third country, the SAs will also have a key role to play when enforcing the GDPR and when issuing further decisions on transfers to third countries. As invited by the Court, in order to avoid divergent decisions, they will thus further work within the EDPB in order to ensure consistency, in particular if transfers to third countries must be prohibited."

What kind of supplementary measures can I introduce if I am using SCCs or BCRs to transfer data to third countries?

"The supplementary measures you could envisage where necessary would have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, in order to check if it ensures an adequate level of protection. The Court highlighted that it is the primary responsibility of the data exporter and the data importer to make this assessment, and to provide necessary supplementary measures. The EDPB is currently analysing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own. The EDPB is looking further into what these supplementary measures could consist of and will provide more guidance."

Privacy Shield invalidated: Yes
Applies to Binding Corporate Rules (BCRs): Yes
Article 49 derogations limited: Yes
Sources: Press Release | 17th July 2020; Adopted FAQs | 23rd July 2020
Supervisory Authority: Information Commissioner's Office (ICO)

Comments:

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.

We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”

Guidance on Risk Assessment and Additional Safeguards: NA

Privacy Shield invalidated: NA
Applies to Binding Corporate Rules (BCRs): NA
Article 49 derogations limited: NA
Source: Press Release | 16th July 2020
Supervisory Authority: Information Commissioner's Office (ICO)

Comments:

"The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK...Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.

The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.

The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy."

Guidance on Risk Assessment and Additional Safeguards: NA

Privacy Shield invalidated: NA
Applies to Binding Corporate Rules (BCRs): NA
Article 49 derogations limited: NA
Source: Press Release | 27th July 2020
Supervisory Authority: Conference of Independent Data Protection Supervisors (Germany)

Comments:

"For a transfer of personal data to the USA and other third countries the existing standard contractual clauses of the European Commission basically continue to be used.

However, the ECJ emphasized the responsibility of the responsible persons and the recipient to assess whether the rights of the persons concerned enjoy the same level of protection in the third country as in the Union.

Only then can it be decided whether the guarantees from the standard contractual clauses can be realized in practice. If not, it should be checked what additional measures can be taken to ensure a level of protection essentially equivalent to the level of protection in the EU."

Guidance on Risk Assessment and Additional Safeguards: NA

Privacy Shield invalidated: Yes
Applies to Binding Corporate Rules (BCRs): Yes
Article 49 derogations limited: Yes
Source: Press Release | 28th July 2020
Supervisory Authority: Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Comments:

"The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ. With regard to the transition, we will, of course, provide intensive advice.

The ECJ has confirmed and strengthened the role of data protection supervisory authorities. As to each single data processing operation, they have to check and be able to check whether the high requirements of the ECJ are met. This also means that these authorities will prohibit the data exchange if the conditions are not complied with. Companies and authorities as well as supervisory authorities now have the complex task of applying the judgment in practice. We will urge rapid implementation in particularly relevant cases.

The ECJ’s decision provides a clearer framework for international data traffic with the European Union. In this context, the ECJ places high demands on the special safeguards, such as standard contractual clauses, which have to be adopted by companies and authorities, and which have to be controlled by supervisory authorities."

"The non-governmental organization noyb (None of Your Business) had filed 101 complaints against the use of Google Analytics and Facebook Connect by European companies after the Schrems II ruling was announced. The complaints are addressed to all national supervisory authorities, including five German state data protection supervisory authorities. In terms of content, the complaints relate to the question of whether Google and Facebook are allowed to transmit personal data to the USA via the products mentioned and thus whether or not their use by websites of European providers is legal.

Both groups are now based on the so-called standard contractual clauses of the European Union. Whether they have taken the "additional measures" required by the ECJ as a supplement to the standard contractual clauses and whether these measures are sufficient to guarantee the level of protection required by the ECJ in the USA is the core issue of the complaint procedure. As a consequence, the EDPB has set up a second task force on the joint initiative of Germany and France. In particular, this should develop criteria for evaluating data transmission in individual cases, criteria for additional measures and procedural aspects for their implementation."

Guidance on Risk Assessment and Additional Safeguards:

The following are the official effects of the Schrems II decision by the CJEU on international data transfers:

* As per Article 44 of the GDPR, personal data can only be transmitted from the EU to a third country if an appropriate level of protection for the personal data is guaranteed. This can be evidenced by an adequacy decision of the European Commission; in the absence of such a decision, a suitable guarantee, i.e. Binding Corporate Rules (BCRs) or Standard Contractual Clauses (SCCs), can be used. If even these are not possible, the other transfer options in Chapter V of the GDPR can be used in rare cases.

* The ECJ confirmed that, in light of the Charter of Fundamental Rights of the European Union, data transferred to a third country essentially requires protection equivalent to that under the GDPR. The ECJ declared the European Commission’s Privacy Shield Decision (2016/1250) invalid as a data transfer mechanism but upheld the SCC Decision (2010/87), provided that the protection clauses agreed upon contractually are practically available to data subjects in the third country through enforceable rights and effective mechanisms and remedies.

The Court further held that the US does not provide an ‘essentially equivalent’ level of protection. Thus transfers of personal data are invalid and illegal not only under the Privacy Shield but also through other mechanisms such as SCCs and BCRs.

* The ECJ held that, for transfers of personal data to third countries based on suitable guarantees such as SCCs and BCRs, it must be ensured that the transferred data enjoys equivalent protection through those guarantees; if the law of the third country prevents compliance with the guarantees, additional measures will need to be taken to establish this protection in the specific case. Transfers under the derogations in the GDPR are still possible, but they must be exceptional, and even then the requirements for such derogations must be met (i.e. express, informed and voluntary consent for the consent derogation).

* Data transfers to the US are no longer possible under the Privacy Shield, as the US does not have an essentially equivalent level of protection. Transfers to the US under SCCs and BCRs remain possible in principle, provided additional measures are taken on a case-by-case basis that concretely protect against unrestricted access to the data by US security authorities. This also applies to the possibility of transfers under the exceptional derogations. It is important to note that there is no grace period for compliance: companies must comply with this decision immediately.

* Companies and supervisory authorities must respond. First, companies that were relying on the Privacy Shield for transfers to the US must replace that transfer mechanism immediately. Second, they must check all third countries to which personal data is transferred using one of the suitable guarantees (SCCs, BCRs etc.) and assess whether additional measures will be required to protect the data. The result of these assessments must be documented in a comprehensible manner.

* If these assessments find that a third country does not guarantee an essentially equivalent level of protection and transfers to that country have not been suspended or terminated, the supervisory authority must be notified. This obligation lies on both controllers and processors.

* The BfDI will continue to evaluate the reactions to this letter and release more detailed guidance on data transfers in specific areas. Further guidance on Schrems II will also be released.

Privacy Shield invalidated: Yes
Applies to Binding Corporate Rules (BCRs): NA
Article 49 derogations limited: NA
Sources: Press Release | 16th July 2020; Press Release | 3rd September 2020; Official Guidance | 8th October 2020
Supervisory Authority: State Commissioner for Data Protection and Freedom of Information (Baden-Württemberg)

Comments: NA

Guidance on Risk Assessment and Additional Safeguards:

Standard Contractual Clauses (SCCs) remain valid as a data transfer mechanism to companies in third countries (without an adequacy decision), but the level of protection for EU residents must be similar to the protection granted in the EU.

(1) EU data exporters must review the level of protection granted to EU residents in the third country, keeping in mind Article 46(1) of the GDPR and the EU Charter of Fundamental Rights, with a view to the following factors:

* suitable guarantees by the Controller and Processor;

* enforceable rights;

* effective remedies;

* possibility of access by public authorities in the third country.

(2) It is important for data exporters to note that, since the SCCs do not bind the public authorities of third countries, if the public authorities of the third country can intervene and access the data in violation of EU residents' rights despite the protections provided by the SCCs, then without additional safeguards adequate protection is not being granted. In such cases the EU data exporter must, in agreement with the data importer:

* Take appropriate additional safeguards as required on a case-by-case basis;

* If, despite taking the additional safeguards, the level of protection for the data cannot be guaranteed by the data exporter or importer, cancel the transfer and have the data already transferred deleted by the importer.

If the data exporter or importer continues to carry out the transfer despite adequate protection not being granted, the supervisory authority will have to intervene and stop and cancel the transfer.

(3) The following checklist should be used by EU data exporters to ensure compliance with the judgment:

* Make an inventory of your data transfers/exports to companies/entities (public or private) in third countries. This includes not just physical storage but also remote access, retrieval and maintenance;

* Immediately instruct in writing all your processors and sub-processors who transfer data to the US under the Privacy Shield to suspend all transfers of personal data to the US until an alternative transfer mechanism can be found that guarantees an adequate and equivalent level of protection for the data;

* Update and adapt your data protection declarations, removing any mention of the Privacy Shield as a transfer mechanism for transfers to the US;

* Check and customize your list of processing activities accordingly;

* Contact your service providers/contractual partners in the third countries you export data to and inform them about the CJEU decision and its consequences;

* Check whether the data importers you transfer/export data to are based in third countries with adequacy decisions by the European Commission (the US is no longer adequate after the invalidation of the Privacy Shield by the CJEU); if so, the rest of the checklist does not apply;

* Check whether the data importers you transfer/export data to are based in third countries that can fall under the European Commission's SCC decision. Countries that allow public authorities to interfere disproportionately with the rights of data subjects (e.g. massive retrieval of data without informing the data subject or providing any judicial oversight) do not provide adequate protection;

* Review the legal situation of the third country to which you transfer data. Focus on the data protection laws of the third country: public authorities' options for accessing the data, including intelligence services; the legal protections available to you, the data importer and the data subjects; and case law and official practice in the third country with regard to the level of data protection. Use the help of the EDPB and supervisory authorities to conduct this review;

* Reassess whether the transfer to the data importer in the third country can be avoided: consider using services that do not transfer data to the third country, contractually banning transfers to the third country, or using encryption. Transfer data to third countries without an adequacy decision that do not provide an adequate level of protection only where necessary;

* If the transfer is necessary, undertake supplementary measures along with the SCCs to protect the data. Refer to (4) and (5) for mandatory measures.

(4) For countries like the US, where public authorities can disproportionately interfere with data subjects' rights, as held by the CJEU, the following additional safeguards necessarily have to be taken:

* Encryption for which “only the data exporter has the key” and which “cannot be broken by U.S. [intelligence] services”;

* Anonymization or pseudonymization where “only the data exporter can re-identify the data”.

However, even these are considered sufficient only for some types of transfer and are not a catch-all solution: protection must be assessed on a case-by-case basis.

(5) Finally, the data exporter should contact the data importer and consider the following changes to the SCCs:

* Amendment to SCC Clause 4(f): Informing the data subject, not only in the case of transfers of special categories of data but in the case of any transfer (before or as soon as possible after the transfer), that his or her data will be transferred to a third country that does not provide an adequate level of protection within the meaning of Regulation (EU) 2016/679.

* Amendment to SCC Clause 5(d)(i): Obligation of the data importer to promptly inform not only the data exporter but also the data subject of any legally binding request by a law enforcement authority for disclosure of the personal data. If such disclosure of information is otherwise prohibited, e.g. by a criminal law requirement to maintain the secrecy of an investigation, the data exporter must contact the LfDI BW and clarify the further procedure (i.e. if informing the data exporter or data subject of the surveillance request is not allowed by the law of the third country, the LfDI BW needs to be contacted for further guidance on how to proceed). Additionally, general information on requests received in the past should also be disclosed by the data importer to the data exporter.

* Amendment to SCC Clause 5(d): Obligation of the data importer to take legal action against the disclosure of personal data and to refrain from disclosing personal data to the relevant public authorities until a competent court of last instance has ordered the importer, in a legally binding manner, to disclose the data.

* Amendment to SCC Clause 5(h): Along with the data exporter, the data importer should be obligated to inform/notify the affected party of any award of contract to a sub-processor.

* Amendment to SCC Clause 6: The data subject can hold the data exporter or data importer liable for any breach of the provisions of the SCCs by the data importer or a sub-processor.

* Inclusion of the illustrative indemnification clause set out in Appendix 2 to the SCCs.

Privacy Shield invalidated: Yes
Applies to Binding Corporate Rules (BCRs): Yes
Article 49 derogations limited: Yes
Sources: Official Guidance | 25th August 2020; Official Guidance - Updated | 7th September 2020
Supervisory Authority: Berlin Commissioner for Data Protection and Freedom of Information (Berlin)

Comments:

Data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection. Specifically China, Russia, and India are countries for which there will be similar problems for data transfers...SCCs can continue to be used for personal data transfers with data recipients in third countries however, EU Data Exporters must be aware that mere conclusion of SCCs cannot justify all transfers to third countries; and they must conduct a prior check to determine if there is state access to the transferred data in the third country and means for data subjects to demand compensation for illegal data transfers.

Guidance on Risk Assessment and Additional Safeguards: NA

Privacy Shield invalidated: NA
Applies to Binding Corporate Rules (BCRs): NA
Article 49 derogations limited: NA
Source: Press Release | 17th July 2020
Supervisory Authority: Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg)

Comments:

"The decision of the ECJ to keep the Standard Contractual Clauses (SCC) as an appropriate instrument is not consistent. If the invalidity of the Privacy Shield is primarily justified by the escalating secret service activities in the USA, the same must also apply to the standard contractual clauses. Contractual agreements between the data exporter and the importer are equally unsuitable for protecting data subjects from government access. At least with regard to the conclusion of the SCC with the US company at issue, the ECJ should have come to the same conclusion...However, the court passed the ball to the European SAs. The European SAs will have to consider the content-related standards of today's decision. In particular, they must now pay particular attention to the level of data protection in the recipient country. Upon request, the exporter has to prove to his locally competent data protection authority both the proportionality of official access options and the guarantee of a functioning legal protection. For their part, the supervisory authorities in the European Data Protection Committee are called upon to jointly evaluate the legal and actual situation in the recipient countries. In addition to the USA, this responsibility also affects the other states outside the EEA for which the European Commission has not made any adequacy decisions. The association of data protection supervisory authorities in Germany and Europe now has to come to an agreement quickly on how to deal with companies that are now inadmissibly continuing to rely on the Privacy Shield. The same goes for companies.

"Difficult times are looming for international data traffic. The bottom line is that in recent years it has been the USA, but even the EU Commission, has not succeeded in implementing a sound basis for adequate protection of data that corresponds to the European data protection standard. The implications of this ruling will affect international data transfer as a whole. A data transfer to countries without an adequate level of data protection will therefore no longer be allowed in the future. Here the supervisory authorities are particularly challenged to develop and implement a common strategy."

NA

Yes
NA
NA
Press Release | 16th July 2020
Supervisory Authority: State Commissioner for Data Protection and Freedom of Information (Rhineland-Palatinate)

Comments:
Numerous companies transfer personal data to bodies outside the EU, e.g. to business partners in the USA or China. This is now becoming more difficult and demanding. In today's judgment, the ECJ declared the so-called EU-US Privacy Shield to be invalid; it is no longer a legal basis for data transfers to the USA. However, the standard contractual clauses of the EU Commission can continue to form the necessary legal basis for data transfers. However, a high level of protection for the fundamental right to data protection must be ensured.

The State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate, Prof. Kugelmann, emphasizes: "The protection of fundamental rights does not end at the border of the EU and also requires checking whether and how US security authorities have access to the data. The ECJ once again strengthens the rights of the individual. For the companies concerned, this means a lot of hard work in order to be able to conduct their business in accordance with data protection law."

...The validity of the standard contractual clauses of the EU Commission - probably the most widely used transfer instrument for data transfers to third countries - has been confirmed. However, those responsible who use this transfer instrument cannot rest on it. "The ECJ has made it clear that companies cannot buy themselves free from their inspection obligations by using the standard contractual clauses," explains Professor Kugelmann. "The ball is now in the court of those responsible. They cannot avoid dealing intensively with the national laws of the third country to which they wish to transmit data. If the data recipients are subject to legal regulations in their home country that violate European data protection law, they may not be able to comply with the contractual provisions of the standard contractual clauses."

Guidance on Risk Assessment and Additional Safeguards:
The standard contractual clauses still apply. Will everything stay the same for those responsible who use them as a transfer instrument?

Yes and no. An adjustment of the standard contractual clauses by the EU Commission is not necessary. They are valid as such. However, the ECJ has made it clear that those responsible who use the standard contractual clauses must fulfil the obligations arising from them. If it turns out that the processor in the third country is subject to laws that make it impossible for it to follow the instructions of the data exporter, i.e. the controller in the EU, and to comply with its contractual obligations, the data exporter in the EU has, for example in accordance with Clause 5 of the standard contract for data transfers from controllers in the EU to processors in third countries (2010/87/EU), the contractually established right to suspend the data transfer and/or to withdraw from the contract.
This was also the case before. With its ruling, the ECJ made it clear that data-exporting bodies must deal with the legal situation of the destination country on an ongoing basis in order not to be held to account by the supervisory authorities in the EU for data protection violations by the importing body in the third country.

Can the contracting parties adapt the standard contractual clauses themselves and thus create suitable guarantees for their specific contractual relationship?

The ECJ names the possibility of the contracting parties supplementing the standard contractual clauses in order to create, in the specific contractual relationship, suitable guarantees that the level of protection guaranteed by the GDPR for natural persons is not undermined (para. 132). The aim here is to achieve a level of protection that is equivalent to the level guaranteed in the Union by the GDPR, read in the light of the Charter (paras. 92, 94, 96, 105). The criteria mentioned in Art. 45 Para. 2 GDPR are to be used in particular (para. 104).
It is unclear whether this is actually possible in individual cases, in particular, for example, where security laws such as Sec. 702 of the Foreign Intelligence Surveillance Act (FISA) apply, as US authorities are not bound by the standard contractual clauses. It is also unclear how this possibility relates to Art. 46 Para. 3 lit. a GDPR, i.e. from what point such additions become subject to a regulatory approval requirement.

Can the standard contractual clauses generally no longer be used for data transfers to the USA?

This is currently under review and will largely depend on the interpretation of US security laws. Security laws in the USA such as Sec. 702 FISA, which allows US security agencies to gain access to personal data in certain cases without a court order, apply to telecommunications companies. As a rule, the standard contractual clauses cannot be used for data transfers to such companies. In addition, the law may also have an impact on other companies, e.g. if these companies make use of the services of telecommunications providers, such as cloud services. Then there is the possibility that the US security authorities will gain access to the data in this way. It is also conceivable that, solely because data is transmitted electronically, i.e. because the data flows through the cables of US telecommunications providers on the way to the recipient in the USA, Sec. 702 FISA applies to all data transmitted in this way. In connection with data transmission to the USA, it should also be borne in mind that, under US Executive Order 12333, insufficiently encrypted data can also be monitored as it traverses the transatlantic cables. More generally, this means: if the US security laws that conflict with EU data protection law apply to all data transfers from the EU to the USA, the level of protection in the USA as a whole cannot be regarded as equivalent to the level of protection prevailing in the EU. In that case, the standard contractual clauses, as they are formulated, do not represent suitable guarantees for data transmission to the USA.
If the US security laws only apply to certain data transfers to the USA, it is up to the data exporter in the EU, together with the respective data importer in the USA, to check whether and which laws of the importer's home country apply to the data importer or to the respective data transfer, and to evaluate whether the standard contractual clauses represent suitable guarantees in that case.

What do those responsible who use the standard contractual clauses have to do now?

Those responsible must check which laws the data importer in the third country to which they want to transfer the data, and, if applicable, its other contractual partners in this business relationship, are subject to, and whether these affect the guarantees given in the standard contractual clauses. If necessary, the specific data flows must be analysed in order to determine which laws of the third country apply in each case. In order to meet the accountability obligation under Art. 5 Para. 2 GDPR, these checks and their results must be documented. These obligations apply to data transfers to all third countries, not just the USA. Should impairments become apparent, there is, at least theoretically, the possibility of eliminating them by supplementing the standard contractual clauses (para. 132). Whether it is actually possible to remedy the situation, especially in the event of a conflict between the laws of the third country and European data protection law, is questionable and will become apparent in practical application. The individual case must be examined here. From what point the threshold to ad hoc contracts (Art. 46 Para. 3 lit. a GDPR) is crossed, i.e. when agreements require approval, is also still an unresolved question. The check may be dispensed with in cases in which other transfer instruments of Chapter V GDPR or a derogation under Art. 49 GDPR can be used. The latter is often considered for travel bookings, for example, but is unlikely to be available for typical outsourcing scenarios, i.e. services that could also be provided in the EU/EEA but are provided more easily, cheaply or better in a third country.

What do those responsible who use the standard contractual clauses have to do if the receiving body in the third country is subject to a national law that violates the principles of the GDPR or Art. 7 and Art. 8 of the EU Charter of Fundamental Rights?

If the data protection guarantees set out in the standard contractual clauses cannot be met by the data importer due to the legal situation in its home country, the data exporter, i.e. the controller in the EU, must suspend data transfers there, because otherwise it itself violates data protection law. Data that have already been transmitted to the third country must all be returned by the data importer or destroyed (para. 143). The contracting parties can try to create suitable guarantees by supplementing the standard contractual clauses.

What questions do those responsible in the EU now have to ask themselves in connection with the standard contractual clauses?

a) Do I transfer personal data to a country outside the EU or the EEA?
b) If not, the check ends here. If so: do I use standard contractual clauses of the EU Commission as a transfer instrument within the meaning of Chapter V GDPR?
c) If not, the check ends here. If so: is the data importer in the third country, or its subcontractors in my business relationship, subject to laws of this third country that contravene the GDPR or Art. 7 or Art. 8 of the EU Charter of Fundamental Rights, or is there any other indication that the guarantees given in the standard contractual clauses cannot be met?
d) If not, the check ends here. If so: can the standard contractual clauses be supplemented with the help of further agreements between the contracting parties in such a way that the level of protection thus created is essentially equivalent to the level of protection guaranteed in the Union?
e) If so, the check ends here. If not: can the data transfer be based on another transfer instrument within the meaning of Chapter V GDPR or on a derogation under Art. 49 GDPR?
f) If so, everything is fine; if necessary, adapt your information notices in accordance with Art. 13 GDPR. When applying Art. 49 Para. 1 lit. a GDPR, note that consent must be given freely, for a specific purpose, informed and unambiguous. If not: suspend the data transfer immediately and request the data importer to return the data that has already been transmitted or to destroy it. Get in touch with future contractual partners in countries where your data is better protected.

Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: Yes
Article 49 derogations limited?: Yes
Source: Press Release | 16th July 2020
Supervisory Authority: Thuringian Commissioner for Data Protection and Freedom of Information (Thuringia)

Comments:
Given the extensive criticism voiced by the Court of the national surveillance legislation and the lack of adequate redress provided by the Intelligence Ombudsman in the Privacy Shield arrangement, it is unclear how SCCs can still be used for data transfers to the U.S.

If the ECJ now emphasizes that the protective mechanisms of the standard contractual clauses, and their compliance by the data exporter and the data recipient, must be checked before transmission, then I do not know, in the case of data transmission to the USA, what conclusion a test result compliant with EU data protection law could come to that would allow the transfer.

Source: Press Release | 16th July 2020
Supervisory Authority: State Commissioner for Data Protection and Freedom of Information (North Rhine-Westphalia)

Comments:
With the judgment, a decision of the European Commission concerning the EU-US Privacy Shield (an adequacy decision) is declared invalid. Anyone wishing to transfer data to the USA in accordance with the General Data Protection Regulation (GDPR) can therefore no longer rely on this adequacy decision, but must use other legal instruments. There is no transition period during which the Privacy Shield can still be used within the meaning of the GDPR. The ruling has also confirmed the validity of the European Commission's decisions concerning standard data protection clauses. Such standard data protection clauses can in principle provide the necessary guarantees for data transmission to countries outside the EU and the European Economic Area (standard data protection clauses, Article 46 Para. 2 letter c GDPR). However, the users of these clauses must check for themselves whether these guarantees are sufficient or whether they need to be supplemented by further measures - especially if there are poor data protection conditions in the destination country. A data exporter who is already using standard contractual clauses has thus undertaken to suspend the data transfer if the clauses are not complied with in the target country, or at least to inform the responsible supervisory authority. If such clauses are not sufficient and if no suitable additional measures are taken, the data protection authorities can order that the transmission be suspended.

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | Undated
Supervisory Authority: The State Commissioner for Data Protection and Freedom of Information (Bremen)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: Bavaria State Office/State Commissioner for Data Protection Supervision (Bavaria)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: State Commissioner for Data Protection and Freedom of Information (Mecklenburg-Vorpommern)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: The State Representative for Data Protection and the Right to Inspect Files (Brandenburg)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: The Hessian Data Protection Officer (Hessen)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: State Representative for Data Protection and Freedom of Information (Saarland)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: State Commissioner for Data Protection (Lower Saxony)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: Saxon Data Protection Officer (Saxony)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: State Commissioner for Data Protection (Saxony-Anhalt)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: Independent State Centre for Data Protection (Schleswig-Holstein)

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)

Comments:
"The CNIL is currently conducting a precise analysis of the judgment, together with its European counterparts assembled within the European Data Protection Board. This joint work aims at drawing conclusions as soon as possible on the consequences of the ruling for data transfers from the European Union to the United States."

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | 17th July 2020
Supervisory Authority: Austrian Data Protection Authority

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: Commission for Personal Data Protection

Comments:
With the judgment in Case C-311/18 (known as the "Schrems II" judgment), the ECJ invalidated European Commission Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (an adequacy decision known as the "Privacy Shield"), on the ground that the access to and use by the US authorities of data transferred from the EU to the US under US surveillance programs is not limited to what is strictly necessary (non-compliance with the proportionality principle of the GDPR).

On the other hand, the Court of Justice has validated European Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries. However, the ECJ has clarified that if the standard data protection clauses are not or cannot be complied with in that country and the protection of the transferred data, as required by EU law, cannot be ensured in any other way, the EU-based exporter himself must suspend or terminate the transfer. If not, the national supervisory authorities should do so if they consider it necessary.

This judgment has consequences for controllers and processors who transfer personal data to third countries. We invite these companies to consult the statement and the answers to frequently asked questions on the issues raised in this judgment, prepared by the European Data Protection Board (EDPB) with the contribution of the DPA. The DPA is currently in close cooperation with its counterparts at the EDPB examining the consequences of the judgment and is making every effort to ensure the protection of the fundamental right to data protection and privacy while at the same time preserving the free exchange of data between the European Economic Area and third countries.

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | 31st August 2020
Supervisory Authority: Commission for Personal Data Protection

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: Data Protection Agency

Comments:
The Director of the Personal Data Protection Agency, Mr. Zdravko Vukić, participated in the 34th plenary session of the European Data Protection Board held on 17 July 2020. The main topic of discussion was the judgment of the Court of Justice of the European Union in case C-311/18, Data Protection Commissioner v Maximillian Schrems and Facebook Ireland, which annulled Decision 2016/1250 on the adequacy of protection under the EU-US Privacy Shield. By contrast, the Court held that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors in third countries is valid.

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | Undated
Supervisory Authority: Commissioner for Personal Data Protection

Comments:
"On 16 July, the European Court of Justice (ECJ) issued a landmark ruling abolishing the Privacy Shield, the legal tool that allowed the transfer of personal data to the United States. At the same time, it considered that the Standard Contractual Clauses (SCCs), another legal tool that can be used to transmit data to third countries, remain in force, but under strict conditions. This decision affects all organizations that transmit or intend to transmit data to third countries and in particular to the USA.

Although the SCCs remain in force, an organization that uses or intends to use them should consider the surveillance status of the destination country and, if a satisfactory level of protection is not provided, should not allow, or should suspend, any transmission. It should also, where necessary, take additional protection measures. Otherwise, affected citizens can take legal action against the organization for compensation and file a complaint with the competent supervisory authority."

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | 20th July 2020
Supervisory Authority: Office for Personal Data Protection

Comments:
In today's judgment, the Court of Justice of the European Union found that examination of Decision 2010/87 (on standard contractual clauses for the transfer of personal data to processors established in third countries) in the light of the Charter of Fundamental Rights did not reveal anything that could affect its validity. Decision 2016/1250 on the adequate protection provided by the EU-US Privacy Shield was declared invalid.

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | 16th July 2020
Supervisory Authority: Danish Data Protection Agency

Comments:
The standard contracts remain valid in principle. The Danish Data Protection Agency will regularly provide updates on its website on the consequences of the Schrems II judgment.

Guidance on Risk Assessment and Additional Safeguards:
"If you have transferred personal information to the United States on the basis of the Privacy Shield, you should consider whether you can use a different transfer basis in the future, as it is now illegal to use the Privacy Shield. Alternatively, you can consider whether one of the exceptions in Article 49 can be used.

If you are considering using, for example, the Commission's standard contracts as a basis for future transfers, be aware that - although the European Court of Justice has in principle declared the standard contracts valid - you must assess the circumstances in the third country to which you want to transfer personal data. The assessment must ensure that the protection established through the use of the standard contracts is "essentially equivalent" to that which we have in the EU, and thus not undermined by the conditions in the third country. In the assessment, it will be relevant, for example, to look at the legislation of the third country, including the possibilities for the authorities (e.g. the intelligence services) to gain access to personal data, the oversight thereof and the data subjects' means of redress.

If you use the EU Commission's standard contracts to transfer personal data to the United States and/or other third countries and your investigations show that you cannot ensure an adequate level of protection using the transfer tools in the GDPR - and the exceptions in Article 49 cannot be applied either - stop transferring personal data. In relation to Article 49, you should pay particular attention to the fact that the exceptions have a very narrow scope and that several of them cannot be used if you are a public authority.

If you have transferred information on the basis of the standard contracts and the transfer can no longer take place, ask the recipient in the third country to delete or return the transferred information."

Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: Yes. Exceptions have a narrow scope and several of them cannot be used if you are a public authority.
Source: Press Release | 20th July 2020
Supervisory Authority: Estonian Data Protection Inspectorate

Comments:
"The transfer of personal data to the United States has been further tightened since mid-July, as the European Court of Justice annulled the Privacy Shield, a data protection framework that has so far provided security for EU and US companies.

From 16 July 2020, data controllers cooperating with US companies listed under the Privacy Shield will need to review their data transfers in line with the data protection clauses approved by the European Commission. This means that one option is to conclude a corresponding agreement, as provided for by the European Commission. Other safeguards provided for in the articles of the General Data Protection Regulation (GDPR) can also be used.

When transferring personal data to any third country with an insufficient level of data protection, it must be borne in mind that it is also important to be convinced of the third country's adequate level of protection of personal data. Therefore, EU companies must always assess the European Commission's data protection clauses themselves. The assessment must determine whether the protection of Europeans' personal data can be ensured in the future by means of the data protection clauses. If the protection of personal data cannot be guaranteed, the transfer of data must be suspended. If it is desired to continue the data transfer, another appropriate safeguard must be found."

Guidance on Risk Assessment and Additional Safeguards:
How to understand which article of the General Regulation applies to a specific data transfer?

It should first be ascertained whether the third country or international organization to which the data is to be transferred is covered by a decision of the European Commission that an adequate level of data protection is ensured in that country, sector or international organization. A list of countries with a sufficient level can be found on the European Commission's website. If a Commission adequacy decision exists, it is not necessary to apply to the Inspectorate for a special permit for the transfer of data. In the absence of an adequacy decision for a state or an international organization, data may generally be transferred subject to the safeguards described in Article 46 of the General Regulation or under the exceptions described in Article 49 of the General Regulation.

Transmission in application of safeguard measures (Article 46)

Article 46 of the GDPR describes the safeguards under which personal data may be transferred to a third country whose level of data protection has not been assessed as adequate. Data can be transmitted using binding corporate rules, standard data protection clauses, legally binding instruments between public sector bodies, codes of conduct, etc. When using the European Commission's Standard Contractual Clauses, the text of the standard data transfer agreement is prescribed and must be followed by the parties to the agreement. In its judgment of 16.07.2020 in case C-311/18, the ECJ upheld this protection measure, but emphasized that data protection supervisory authorities must suspend or prohibit the transfer of data to a third country if, in all the circumstances, it is considered that the protection of personal data cannot be ensured in that third country.
Where the safeguards listed in Article 46(2) are used, it is not necessary to apply to the Inspectorate for a specific authorization for the transfer of data. A special permit must be requested from the Inspectorate if the transfer takes place in accordance with Article 46(3) GDPR (so-called ad hoc agreements between the controller and the processor in a third country, or administrative arrangements between public authorities or bodies, including enforceable and effective data subject rights). Before issuing an authorization decision, the Inspectorate shall seek the opinion of the European Data Protection Board in order to apply the consistency mechanism provided for in the General Regulation.

Transmission to the United States

The United States is considered to have an insufficient level of data protection. Until 16 July 2020, companies were able to transfer personal data to the United States using the European Commission's Implementing Decision 2016/1250 (Privacy Shield) as a data protection framework, which governed the adequacy of personal data protection when transferring data between the European Union and the United States. The Commission Implementing Decision was invalidated by the judgment of the Court of Justice of 16.07.2020 in Case C-311/18, which necessitated the use of alternative safeguards for the transfer of personal data. The transfer of personal data to the United States is now subject to the safeguards provided for in Article 46 of the General Data Protection Regulation (GDPR) or to the exceptions in Article 49. The European Data Protection Board has issued further clarification [in its FAQs].

Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | 17th July 2020
Source: FAQs | 10th September 2020
Supervisory Authority: Data Protection Authority

Comments:
"The European Court of Justice has today delivered an important ruling in the so-called Schrems II case (C-311/18), in which it annuls the European Commission's decision on the adequacy of the level of data protection under the EU-US Privacy Shield. In its ruling, the Court also takes a position on model contract clauses as a basis for transfers of personal data to third countries."

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | 16th July 2020
Supervisory Authority: Hellenic Data Protection Authority

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: National Authority for Data Protection and Freedom of Information

Comments: No statement

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Supervisory Authority: Data Protection Authority

Comments:
"The European Court of Justice has annulled the decision of the European Commission, no. 2016/1250, which deals with the adequate protection of personal data under the Privacy Shield Agreement between the European Union and the United States, which involves the transfer of personal data to companies in the United States that have gone through a specific process and been registered on a US Department of Commerce list...

However, the European Court of Justice upheld the validity of Commission Decision no. 2010/87 on standard contractual terms for the transfer of personal data to processors established in third countries. [The Court] considered that the decision provided for an effective arrangement to ensure that adequate protection was provided in the transfer of personal data to third countries. However, the Court emphasized the need to ensure in practice that standard contractual terms provide the protection afforded by the General Data Protection Regulation. When deciding whether to rely on standard contractual terms, responsible parties intending to export personal data outside the EEA must therefore assess whether the recipient country provides adequate protection. Such an assessment shall, among other things, take into account the content of the standard contract terms, the circumstances of the transfer (i.e. the specific circumstances of the transfer) and the legal environment of the recipient country. In this connection, the factors specified in the second paragraph of Article 45 of the General Data Protection Regulation shall be considered, but that list is not exhaustive."

Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)?: NA
Article 49 derogations limited?: NA
Source: Press Release | 16th July 2020
Supervisory Authority: Data Protection Commission
Comments: "The Court [has] agreed with the DPC's view that, whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.

...while in terms of the points of principle in play, the Court has endorsed the DPC's position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.

As well as providing clarity on points of substance, today's judgment also contains important statements of position relating to matters of process, to include the allocation of responsibility between data controllers and national supervisory authorities when it comes to ensuring that the rights of EU citizens are protected in the context of EU/US data transfers. While noting the Court's reference to the fact that a supervisory authority could not suspend data transfers while an adequacy decision - such as Privacy Shield - was in force, the DPC acknowledges the central role that it, together with its fellow supervisory authorities across the EU, must play in this area. In that regard, we look forward to developing a common position with our European colleagues to give meaningful and practical effect to today's judgment."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 16th July 2020
Supervisory Authority: Garante per la Protezione dei Dati Personali
Comments: "The Court of Justice of the European Union (CJEU) ruled on July 16 (the so-called "Schrems II Judgment") on the data transfer regime between the European Union and the United States, invalidating the adequacy decision of the "Privacy Shield", adopted in 2016 by the European Commission following the termination of the "Safe Harbor" agreement.

In the same ruling, the CJEU also considered valid Decision 2010/87 concerning the standard contractual clauses for the transfer of personal data to data processors established in third countries."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 29th July 2020
Supervisory Authority: Data State Inspectorate
Comments: No statement
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Supervisory Authority: Data Protection Office
Comments: "On July 16, 2020, the European Court of Justice (ECJ) declared the EU-US Privacy Shield data agreement between the USA and the EU to be invalid in its judgment on the Schrems II case (judgment ECJ C-311/18).

However, the European Court of Justice also made it clear in its judgment that data can still be transmitted to the USA on the basis of other suitable guarantees according to Art. 46 ff. GDPR, in particular on the basis of standard data protection clauses. At least in the medium term, until a new agreement with the USA on data transmission can be concluded by the EU Commission, those responsible must now rely on such instruments."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 17th July 2020
Supervisory Authority: State Data Protection
Comments: "On 16 July 2020 the Court of Justice of the European Union annulled Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection afforded by the EU-US Privacy Shield under Directive 95/46/EC of the European Parliament and of the Council."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 20th July 2020
Supervisory Authority: National Commission for Data Protection
Comments: "The CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. In its judgment, the Court found that the "Privacy Shield" did not provide a level of protection essentially equivalent to that guaranteed by the GDPR and the Charter of Fundamental Rights of the EU.

The CJEU also ruled that the standard contractual clauses transfer mechanism remained, in principle, valid. However, it underlined that these contractual clauses impose an obligation on the data exporter and the recipient of the transfer to verify, beforehand, that this level of protection is respected in the third country concerned, and that they oblige the recipient to inform the data exporter of its possible inability to comply with the standard protection clauses. It is then up to the latter to suspend the transfer of data and/or to terminate the contract concluded with the former.

The CNPD, in collaboration with the European Data Protection Board (EDPB) and the EU supervisory authorities, is currently evaluating the decision to ensure consistency in the EEA (European Economic Area)."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 27th July 2020
Supervisory Authority: Information Data Protection Commission
Comments: No statement
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Supervisory Authority: Autoriteit Persoonsgegevens
Comments: Organizations can no longer pass on personal data to the United States on the basis of the Privacy Shield.

The GDPR states that personal data may not simply be passed to persons or organizations based in countries outside the European Economic Area (third countries), such as the US. This is only allowed if the level of protection for personal data guaranteed by the GDPR is not undermined in those third countries. The GDPR lists a number of ways to achieve this. Of these, two are under discussion in the Schrems II case: transfer based on an adequacy decision and transfer based on model contracts.

The EDPB is examining the practical consequences of the ruling and what possible next steps could be. In the short term, the EDPB will provide guidance on additional measures that organizations can include in model contracts.
Source: Press Release | 20th July 2020
Supervisory Authority: Data Protection Authority
Comments: Businesses currently using the Privacy Shield mechanism must consider what other transfer bases may be used to transfer personal information to the United States.
Guidance on Risk Assessment and Additional Safeguards: If you conclude that the level of protection will not be equivalent to that in the EEA, you must implement further measures that compensate for this and that ensure a similar level of protection in practice. If there are no such additional measures or you are not able to implement such measures, you cannot transfer the personal data.

What the additional measures may entail must be decided in each individual case, in light of the specific circumstances. It could potentially be a question of legal, technical or organizational measures. At present, however, there is great uncertainty as to what kind of additional measures may be sufficient if the third country has laws that take precedence over the obligations under the transfer bases or otherwise lower the level of protection. This means that at present it is very challenging to transfer personal data to such third countries, and in practice it will probably not be possible for most organizations to do so.
Article 49 derogations limited? "Yes. Exception rules must be interpreted narrowly and they can only be used in certain cases."
Source: Press Release | 16th July 2020; FAQs | 27th July 2020
Supervisory Authority: Inspector General for the Protection of Personal Data (GIODO)
Comments: "The Court of Justice of the EU, in its judgment in the case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd. and Maximilian Schrems, issued on July 16, 2020, confirmed the high standard of personal data protection with regard to the transfer of personal data to third countries. The CJEU annulled the European Commission implementing decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. At the same time, the CJEU confirmed the continued validity of European Commission Decision 2010/87 on standard contractual clauses (SCC) for the transfer of personal data to data processors based in third countries. The Court, however, stipulated that it should be ensured that the rights of persons whose personal data are transferred to a third country on the basis of standard contractual data protection clauses are protected to an extent substantially equivalent to that guaranteed in the EU by the GDPR in the light of the provisions of the EU Charter of Fundamental Rights.

This means that controllers will need to make an individual assessment of the level of data protection afforded in such cross-border data transfers, which must take into account not only the contractual provisions themselves agreed between data exporters and importers, but also legal provisions in the third country, in particular relating to possible access by the public authorities of that state to the transmitted data. When, in the light of the assessment, the level of protection of personal data is not substantially equivalent to that guaranteed in the EU, the transfer of data may be made conditional on an equivalent level of protection by other means."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 20th July 2020
Supervisory Authority: National Commission for Data Protection
Comments: No statement
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: NA
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Supervisory Authority: National Commission for Data Protection
Comments: "By judgment of 16 July 2020 in Case C-311/18, the Court of Justice of the European Union annuls Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 under Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection afforded by the EU-US Privacy Shield.

[Thus] in the absence of a decision on adequacy under art. 45 para. (3) of Regulation (EU) 2016/679, the transfer of personal data to the United States may be carried out in accordance with one of the following instruments provided by art. 46 of Regulation (EU) 2016/679: standard data protection clauses, binding corporate rules, codes of conduct and certification mechanisms. Also, the transfer of personal data to the United States may be made under the derogations provided in art. 49 of Regulation (EU) 2016/679."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 20th July 2020
Supervisory Authority: Office for Personal Data Protection
Comments: "The Court of Justice of the EU today ruled in Case C-311/18, also known as Schrems II, in which it declared invalid the Privacy Shield decision issued by the Commission and confirmed the validity of the standard contractual clauses issued by the Commission."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 16th July 2020
Supervisory Authority: Office of the Information Commissioner
Comments: "The decision of the Court of Justice of the European Union (CJEU) in the case of Schrems II (DPC Ireland v. Facebook Ireland and Schrems) was published today, in which the CJEU declared invalid European Commission Decision 2016/1250 on the appropriate level of personal data protection within the EU-US Privacy Shield agreement. At the same time, the CJEU confirmed the validity of standard contractual clauses that can still be used for data transfers to third countries that do not ensure adequate protection of personal data.

The EU Court of Justice has abolished the so-called Privacy Shield, leaving organizations with other listed data transfer mechanisms, which they need to take care of as soon as possible. Disclosures of personal data are still possible [even to the US] provided that the personal data controller itself provides appropriate safeguards to ensure the protection of privacy and the fundamental rights and freedoms of individuals. European companies exporting personal data must be aware that they have a responsibility to assess the lawfulness of the export and further processing, and that they must ensure that all principles of European data protection are covered and respected in each case of the transfer of personal data. Organizations that export data to the United States and have so far relied on the recipient being a company that can be found on the so-called Privacy Shield list must ensure that transfers are justified on another basis as soon as possible (e.g. standard contractual clauses, binding corporate rules, exceptions); otherwise, data may not be transmitted to the United States. In a very similar situation in 2015, when the Court of Justice of the European Union annulled the predecessor of the Privacy Shield, i.e. the Safe Harbor agreement, organizations often based data transfers to the US on standard contractual clauses concluded with partner organizations.

The EU Court of Justice has based its argument for repealing the Privacy Shield on the finding that the protection of personal data as provided by US law is not at an equivalent level to that in the EU. In particular, it drew attention to the insufficiently limited powers of the US authorities to access transferred data and to ineffective protection through the Ombudsman, which is supposed to ensure the exercise of individuals' rights in the US. In this context, other data transfer mechanisms that EU organizations will have to use, e.g. standard contractual clauses or binding corporate rules, ensure a higher level of protection of the rights of individuals."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? Yes
Article 49 derogations limited? NA
Source: Press Release | 16th July 2020
Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC)
Comments: "In its judgment of 16 July 2020 in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, the Court of Justice annulled Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. However, the EU Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries remains valid.

The FDPIC has taken note of the CJEU ruling. This ruling is not directly applicable to Switzerland. The FDPIC will examine the judgement in detail and comment on it in due course."
Guidance on Risk Assessment and Additional Safeguards: "Contractual safeguards such as the EU's SCCs, which are also frequently used in Switzerland, or so-called 'binding corporate rules' cannot prevent foreign authorities from accessing personal data if the public law of the importing country takes precedence and allows official access to the transferred personal data without sufficient transparency and legal protection of the persons concerned. This is true not only in the case of transfer of personal data to the USA, but also to numerous other countries with inadequate legal protection, referred to here as 'non-listed countries'. Accordingly, it is to be assumed that in many cases the SCCs and comparable provisions do not meet the requirements for contractual safeguards pursuant to Art. 6 Para. 2 Let. a FADP for data transfer to non-listed countries.

Practical advice for Swiss companies

When transferring data to non-listed countries in the future, data exporters should always consider each individual case with due diligence:

a) If the disclosure of data is based on contractual guarantees such as SCCs within the meaning of Art. 6 Para. 2 Let. a FADP, a risk assessment should be carried out. The exporter should check whether the clauses cover the data protection risks existing in the non-listed country. If necessary, the clauses should be expanded, although this in itself remains of limited effect if the public law of the given country takes precedence and deviates from these, as explained under b) below.

b) When examining data protection risks, it is of particular relevance whether the data is transferred to a company in a non-listed country that is subject to special access by the local authorities. It must also be considered whether the foreign recipient company is entitled and in a position to provide the cooperation necessary for the enforcement of Swiss data protection principles. If this is not the case, any provisions in the SCCs concerning the obligation to cooperate are negated.

c) In such cases, the Swiss data exporter must consider technical measures that effectively prevent the authorities in the destination country from accessing the transferred personal data. If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and the service provider would have no possibility of decrypting the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees."
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 16th July 2020; Policy paper | 8th September 2020
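The technical measure the FDPIC describes under c), shown as an added example that is not part of the FDPIC paper or of this page: the exporter generates and keeps an AES-256-GCM key on its own side, encrypts each record before upload, and the provider in the non-listed country holds ciphertext only. `CloudStore`, `Exporter`, the object names and the sample record are constructed for the illustration; the cipher is Go's standard-library AES-GCM. The object name is bound as associated data so that a blob renamed or swapped on the provider side fails to authenticate, and a provider-side decryption attempt with any other key is shown to fail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CloudStore is a constructed stand-in for object storage run by a provider in a
// non-listed country: it stores and returns bytes and is never given a key.
type CloudStore struct{ objects map[string][]byte }

func NewCloudStore() *CloudStore                     { return &CloudStore{objects: map[string][]byte{}} }
func (c *CloudStore) Put(name string, blob []byte)   { c.objects[name] = append([]byte(nil), blob...) }
func (c *CloudStore) Get(name string) ([]byte, bool) { b, ok := c.objects[name]; return b, ok }

// Exporter is the data exporter. It generates and keeps the data-encryption key
// on its own side (BYOK/BYOE); the key is never sent with the data.
type Exporter struct{ aead cipher.AEAD }

// NewExporter generates an AES-256 key on the exporter's side and keeps it there.
func NewExporter() (*Exporter, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Exporter{aead: g}, nil
}

// Seal encrypts one record with AES-256-GCM. The object name is bound as
// associated data, so a blob renamed or moved on the provider side no longer
// authenticates. Stored layout: nonce || ciphertext || tag.
func (e *Exporter) Seal(name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return e.aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open verifies the tag and decrypts a blob produced by Seal for the same name.
func (e *Exporter) Open(name string, blob []byte) ([]byte, error) {
	n := e.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short to contain a nonce")
	}
	return e.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

// Upload encrypts locally and hands the provider ciphertext only.
func (e *Exporter) Upload(store *CloudStore, name string, plaintext []byte) error {
	blob, err := e.Seal(name, plaintext)
	if err != nil {
		return err
	}
	store.Put(name, blob)
	return nil
}

// LeaksPlaintext models what an authority compelling the provider obtains: the
// stored bytes. It reports whether the plaintext is readable in them.
func LeaksPlaintext(store *CloudStore, name string, plaintext []byte) bool {
	blob, ok := store.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

// OpenWithForeignKey models the provider trying a key that is not the exporter's
// (for instance a provider-managed key). GCM rejects it, so the error is non-nil.
func OpenWithForeignKey(name string, blob []byte) error {
	other, err := NewExporter() // a fresh, unrelated key
	if err != nil {
		return err
	}
	_, err = other.Open(name, blob)
	return err
}

func main() {
	exp, _ := NewExporter()
	store := NewCloudStore()
	record := []byte("employee=0001;name=Anna Example;email=anna@example.eu") // constructed, not real data
	_ = exp.Upload(store, "hr/employee-0001", record)
	blob, _ := store.Get("hr/employee-0001")
	fmt.Println("plaintext visible at provider:", LeaksPlaintext(store, "hr/employee-0001", record))
	fmt.Println("decrypt with a foreign key:", OpenWithForeignKey("hr/employee-0001", blob))
	back, err := exp.Open("hr/employee-0001", blob)
	fmt.Println("exporter round trip ok:", err == nil && bytes.Equal(back, record))
}
```

This only covers the storage case the paper singles out. A key held in a provider-managed KMS in the same country is BYOK in name only: if the provider's service can call the key to decrypt, the provider can be compelled to do so, and the measure collapses. Any processing the provider must perform over the plaintext (search, analytics, support access) needs the key or the cleartext on their side, which is exactly the situation the FDPIC calls demanding; for those services the processing has to stay with the exporter or the transfer should not rely on this safeguard.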
Supervisory Authority: Federal Data Protection and Information Commissioner (FDPIC)
Comments: Following his annual assessment of the Swiss-US Privacy Shield regime and recent rulings on data protection by the Court of Justice of the European Union (CJEU), the Federal Data Protection and Information Commissioner (FDPIC) has reassessed the data protection conformity of the Privacy Shield regime.

After closely analysing the regime, the FDPIC concludes in his position paper of 8 September 2020 that, although it guarantees special protection rights for persons in Switzerland, it does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection (FADP).
Guidance on Risk Assessment and Additional Safeguards: Same guidance as quoted in the preceding FDPIC row (Policy paper | 8th September 2020).
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 8th September 2020; Policy paper | 8th September 2020
Supervisory Authority: Spanish Data Protection Agency (AEPD)
Comments: "On July 16, 2020, the Court of Justice of the European Union (CJEU) published a judgment in which it annuls Decision 2016/1250 of the Commission that declared the adequate level of protection of the Privacy Shield scheme...

The ruling, whose implications mark a new turning point in the way in which international data transfers to the US are made, establishes, in turn, the validity of the standard contractual clauses adopted by the European Commission to carry out international transfers of data between a controller established in the European Union and a controller outside the EU."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 2nd September 2020
Supervisory Authority: Basque Data Protection Agency (Basque Country)
Comments: No statement

Supervisory Authority: Catalan Data Protection Authority (Catalonia)
Comments: No statement

Supervisory Authority: Data Inspection Board
Comments: "The European Court of Justice ruled yesterday that the Privacy Shield agreement between the EU and the US does not provide sufficient protection for personal data when they are transferred to the US. The annulment of the Privacy Shield means that personal data controllers in the EU are no longer allowed to transfer personal data to recipients in the US on the basis of the Privacy Shield. On the other hand, the Court held that the Commission's decision on standard contractual clauses is valid and that they can be used for transfers to countries outside the EU and the EEA - where applicable - together with additional safeguard measures."
Guidance on Risk Assessment and Additional Safeguards: NA
Privacy Shield invalidated: Yes
Apply to Binding Corporate Rules (BCRs)? NA
Article 49 derogations limited? NA
Source: Press Release | 17th July 2020
