The European Data Protection Board has adopted the following statement:
The EDPB welcomes the CJEU’s judgment, which highlights the fundamental right to privacy in the context of the transfer of personal data to third countries. The CJEU’s decision is one of great importance. The European Data Protection Board (EDPB) has taken note of the fact that the Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, and of the fact that it considers Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries valid.
The EDPB discussed the Court’s ruling during its 34th plenary session of 17 July 2020.
With regard to the Privacy Shield, the EDPB points out that the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment.
The EDPB identified in the past some of the main flaws of the Privacy Shield on which the CJEU grounds its decision to declare it invalid.
The EDPB questioned in its reports on the annual joint reviews of Privacy Shield the compliance with the data protection principles of necessity and proportionality in the application of U.S. law. (1)
The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.
While the SCCs remain valid, the CJEU underlines the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.
If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.
The CJEU’s judgment also recalls the importance for the exporter and importer to comply with their obligations included in the SCCs, in particular the information obligations in relation to change of legislation in the importer’s country. When those contractual obligations are not or cannot be complied with, the exporter is bound by the SCCs to suspend the transfer or terminate the SCCs or to notify its competent supervisory authority if it intends to continue transferring data.
The EDPB takes note of the duties for the competent supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer.
The EDPB recalls that it issued guidelines on Art 49 GDPR derogations (2); and that such derogations must be applied on a case-by-case basis.
The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment.
The EDPB and its European SAs stand ready, as stated by the CJEU, to ensure consistency across the EEA.
For the European Data Protection Board
(1) See EDPB, EU-U.S. Privacy Shield – Second Annual Joint Review report here, and EDPB, EU -U.S. Privacy Shield – Third Annual Joint Review report here.
(2) DPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018, p3.