EDPS publishes strategy for EU institutions to comply with Schrems II
EDPS has issued a strategy to comply with Schrems II. It is aimed at EU institutions but should be interesting to other organisations looking to comply.
In July of this year the European Court of Justice gave its preliminary ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559 (the "Schrems II" decision). The Court held that the EU-US Privacy Shield was invalid as the data would be subject to US laws which grant public authorities and intelligence services access to the personal data. As a result, the personal data which is accessed by these bodies is not, in fact, granted equivalent protection to that which it would be granted in the EU. The judgment also clarified the position on standard contractual clauses. For more information please read our summary here. Please also see our webinar and practical guidance.
Last week, the European Data Protection Supervisor (EDPS) issued a strategy in response to the Schrems II decision. While the strategy is aimed at EU institutions and intends to ensure and monitor compliance by those institutions, it is of wider interest to other organisations looking to comply with the law following Schrems II. The strategy aims to ensure that ongoing and future international transfers comply with the EU Charter of Fundamental Rights as well as applicable EU data protection legislation. The EDPS is looking to do this through a two-stage approach:
identify urgent compliance and/or enforcement actions through a risk based approach for transfers towards the US presenting high risks for data subjects; and
provide guidance and pursue mid-term case-by-case EDPS compliance and/or enforcement actions for all transfers towards the US or other third countries.
The strategy is split into two phases: Short term and Medium term.
Short term
As a short term action the EDPS has ordered all EU institutions to undertake a mapping exercise identifying which on-going contracts, procurement procedures and other types of cooperation involve transfers of data. EU institutions are expected to describe the processing operations, destinations, recipients, transfer tools used, types of personal data transferred, categories of data subjects affected, as well as information on onward transfers.
By 15 November 2020, the EU institutions are expected to report on the risks and gaps identified in the mapping phase. If transfers which are likely to present higher risks for the rights and freedoms of individuals are identified, the EU institutions will have to provide specific and transparent information. Those transfers which are likely to present higher risks are:
illegal transfers which are not based on any transfer tool;
transfers that are based on a derogation for specific situations under Article 50 GDPR; and
'high-risk transfers' to the U.S. to entities clearly subject to US surveillance laws, and
a. involving either large scale processing operations;
b. complex processing operations; or
c. processing of sensitive data or data of a highly personal nature.
EU institutions have been asked by the EDPS to take a cautious approach to new processing operations. The EDPS is "strongly encouraging" those institutions to ensure that any new processing operations or new contracts with any service providers do not involve transfers of personal data to the US.
Medium term
As a medium term action the EDPS is planning to issue guidance and pursue compliance and enforcement actions on a case-by-case basis. EU institutions will be asked to carry out Transfer Impact Assessments (TIAs) to identify whether an essentially equivalent level of protection as provided in the EU/EEA is afforded in the third country of destination. The EDPS will provide a list of questions for EU institution controllers to launch their TIAs.
The EU institution will then need to decide whether it is possible to continue transfers identified in the short term mapping exercise. EU institutions may need to identify and implement supplementary measures or additional safeguards to ensure an essentially equivalent level of protection as provided in the EEA.
Depending on the outcome of the TIAs, EU institutions will be asked to report to the EDPS in the course of spring 2021 on the following three categories of transfers:
transfers to a third country that do not ensure an essentially equivalent level of protection;
transfers that are suspended or terminated (in line with Article 47(2) of the GDPR) if the EU institution considers that the third country does not ensure an essentially equivalent level of protection;
for transfers based on derogations, categories of cases in which Article 50 of the GDPR has been applied (in line with Article 50(6) GDPR).
Based on the outcome of the mapping exercise combined with the conclusions drawn from TIAs, and in cooperation with the European Data Protection Board, the EDPS will establish long-term compliance priorities for 2021 which will be communicated in a timely and appropriate manner.
Conclusion
While this strategy only applies to EU institutions, it may be an indication of the sorts of steps the EDPS would expect from other organisations following Schrems II. Organisations that are considering their transfers to third countries should look at this strategy and check whether they have considered the same issues as the EDPS. The EDPS is also working with the European Data Protection Board and other supervisory authorities to develop further guidance and recommendations for controllers and processors, which will inform approaches going forward.