EDPB Statement and FAQ on CJEU judgement in "Schrems II"
On 24 July 2020, the European Data Protection Board (EDPB) has adopted a ‘Frequently Asked Questions’ (FAQ) document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S. This FAQ document supplements the Statement on the CJEU's judgment in "Schrems II" (CJEU, decision of 16 July 2020 - C-311/18, CRi 4/2020) which the EDPB adopted on 17 July 2020.
FAQ Document
The FAQ document aims to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.
This document will be developed and complemented, along with further guidance, as the EDPB continues to examine and assess the judgment of the CJEU.
EDPB, FAQ document on the CJEU judgement C-311/18, 24 July 2020
Statement
The CJEU's judgment in "Schrems II" invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield and considers Commission Decision 2010/87 on Standard Contractual Clauses (SCC) for the transfer of personal data to processors established in third countries valid.
Privacy Shield: The EDPB points out that the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment. The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.
Standard Contractual Clauses: The EDPB takes note of the primary responsibility of the exporter and the importer, when considering whether to enter into SCCs, to ensure that these maintain a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The CJEU underlines that the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB will be looking further into what these additional measures could consist of.
Role of DPAs: The EDPB also takes note of the competent supervisory authorities’ (SAs) duties to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or processor has not already itself suspended or put an end to the transfer.
EDPB, Statement on CJEU Judgment in Case C-311/18, 17 July 2020
