EU Data Protection Supervisor: How to comply with Schrems II

With this Strategy, the European Data Protection Supervisor aims to ensure that international transfers of personal data by EU institutions, especially transfers to the US, comply with EU law.

06 November 2020

Publication

On 29 October 2020 the European Data Protection Supervisor (EDPS) issued its "Strategy for Union institutions, offices, bodies and agencies to comply with the 'Schrems II' Ruling" (Strategy).

Summary

The Strategy aims to ensure that ongoing and future international transfers of personal data by Union institutions, offices, bodies and agencies (EUIs) comply with the EU Charter of Fundamental Rights as well as applicable EU data protection legislation, specifically the rules on transfers of personal data to third countries or international organisations set out in Chapter V of Regulation (EU) 2018/1725 (the Regulation). The Regulation is the counterpart of the GDPR for EUIs and sets out the rules under which they process personal data.

For its Strategy, the EDPS identified as a priority transfers carried out by EUIs, or on their behalf, in the context of controller-to-processor and/or processor-to-sub-processor contracts, particularly transfers to the United States. For such transfers, the document sets out both short-term and medium-term action plans. Furthermore, the Strategy provides an outlook on the further actions the EDPS plans to take for this purpose. The Strategy, as well as any such actions, will closely follow the guidance of the European Data Protection Board (EDPB) and will be adjusted where necessary.

Because the Strategy shows how the EDPS intends to ensure compliance with the Schrems II ruling at the level of the EU institutions themselves, we are of the opinion that it may also provide useful guidance for private companies.

Background

The publication of the Strategy follows the European Court of Justice's (ECJ) judgment in case C-311/18 of 16 July 2020 (Schrems II). In Schrems II the ECJ clarified the roles and responsibilities of controllers, recipients of data outside the European Economic Area (EEA) (data importers) and supervisory authorities. In particular, the ECJ decided the following:

  • The EU-US Privacy Shield adequacy decision is invalid.

  • Standard Contractual Clauses (SCCs) remain valid, provided that they include effective mechanisms that ensure, in practice, compliance with the level of protection required by the General Data Protection Regulation (GDPR).

  • Data transfers to a third country must be suspended or terminated if an assessment, taking into account the circumstances of the transfer and possible supplementary measures, concludes that a level of data protection essentially equivalent to that guaranteed by the GDPR cannot be ensured in the destination country. Where a controller nevertheless intends to continue exporting personal data despite such an assessment, it must notify its competent supervisory authority.

  • The competent supervisory authority is required to suspend or prohibit a transfer of personal data to a third country pursuant to the SCCs if, in the circumstances of that transfer, those clauses are not or cannot be complied with in the third country of destination and the protection required under EU law for the transferred data cannot be ensured by other means.

Short term action - Mapping exercise and immediate compliance priorities

To enable the EDPS to ensure that data transfers comply with Schrems II, whether through enforcement actions or by suspending non-compliant transfers, the EDPS has ordered EUIs to take the following measures.

Mapping

By the end of October 2020, EUIs had to carry out inventories of all ongoing processing operations and contracts involving transfers to third countries. In this mapping exercise, data transfers under ongoing contracts, procurement procedures and other types of cooperation had to be identified, describing:

  • processing operations;
  • destinations;
  • recipients;
  • transfer tools used;
  • types of personal data transferred;
  • categories of data subjects affected; and
  • information on onward transfers.

Reporting

Based on this mapping exercise, the specific risks and gaps identified have to be reported by 15 November 2020. Furthermore, specific and transparent information shall be provided before the end of 2020 on the following three categories of transfers, which the EDPS has identified as supervision priorities:

  • unlawful transfers that are not based on any transfer tool;

  • transfers that are based on a derogation under Article 50 of the Regulation; and

  • 'high-risk transfers' to the U.S., i.e. transfers to entities clearly subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) or to Executive Order 12333 (under which U.S. governmental agencies may gain access to personal data), and involving (1) large-scale processing operations, (2) complex processing operations, (3) processing of sensitive data or (4) data of a highly personal nature.

Caution for future services and new processing operations

To ensure compliant transfers in the future, a strongly precautionary approach shall be taken towards the use of any new service providers and any new processing operations. EUIs are strongly encouraged to avoid processing activities that involve transfers of personal data to the US.

Medium-term action - Guidance and Transfer Impact Assessments

In cooperation with the EDPB, the EDPS will establish longer-term compliance priorities for 2021, which will be communicated in a timely and appropriate manner. These priorities will be based on the outcome of the mapping exercise described above, combined with the conclusions drawn from the following measures.

Transfer Impact Assessments (TIAs)

EUIs will have to decide whether it is possible to continue transferring data to each destination country identified in their mapping exercise. For this purpose, EUIs and the respective data importers will have to carry out case-by-case Transfer Impact Assessments (TIAs) to check whether the destination country provides a level of data protection essentially equivalent to that guaranteed in the EU. The assessment will be based on a list of preliminary questions to be provided by the EDPS.

To ensure sufficient data protection, EUIs (together with the data importers) may need to identify and implement supplementary measures or additional safeguards. Alternatively, EUIs shall assess whether one of the derogations of Article 50 of the Regulation could apply in their specific situation.

Reporting

Where the results of the TIAs so indicate, the EDPS will request EUIs, in the course of spring 2021, to report on the following three categories of transfers:

  • transfers to a third country that does not ensure an essentially equivalent level of protection;

  • transfers that have been suspended or terminated because the EUI considers that the third country does not ensure an essentially equivalent level of protection (cf. Article 47 para. 2 of the Regulation); and

  • for transfers based on derogations, the categories of cases in which Article 50 of the Regulation (the counterpart of Article 49 GDPR) has been applied, to be notified in line with Article 50 para. 6 of the Regulation.

Joint assessments

The EDPS will also start exploring the possibility of joint assessments of the level of protection of personal data afforded in third countries, and how these could be coordinated between authorities, controllers and other stakeholders to provide guidance and ensure compliance with Schrems II.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.