As we have reported previously, on July 16, 2020, the Court of Justice of the European Union (“CJEU”) released its decision in the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), which ruled that the EU-US Privacy Shield was invalid and the use of Standard Contractual Clauses (“SCCs”) may be valid on a case-by-case basis. Amidst the uncertainty caused by the decision, the European Data Protection Board (“EDPB”), on July 23, 2020, answered some Frequently Asked Questions (“FAQ”) that prove informative for Canadian organizations engaging in cross-border transfers of data.
Upshot for Canadian Organizations
Given the clarifications of the FAQ pertaining to transfers of personal information, which are discussed in more detail below, Canadian organizations should conduct a review of current data flows conducted through Article 46 transfer tools of the General Data Protection Regulation (“GDPR”), the framework that provides guidelines for the collection and processing of personal information from individuals who live in the European Union (“EU”). The transfer tools should be assessed to determine the adequacy of protection afforded by the importing nation. If a third country, whether it be the US or otherwise, does not meet the “essentially equivalent” protection threshold, organizations should work to incorporate supplementary measures to adequately protect personal information. Organizations can also assess whether an Article 49 derogation can be used in certain circumstances.
Key Points from the FAQ
The FAQ sets out information pertaining to the transfer of information to the US and, more broadly, to other countries. It addresses the absence of a grace period for transfers of data under the Privacy Shield, the application of the principles governing SCCs to other transfer tools such as binding corporate rules (“BCRs”), the use of the derogations in Article 49 of the GDPR and what to do if you use a data processor.
Absence of a Grace Period
The EDPB confirmed that there is no grace period following the decision. As such, the Privacy Shield has been invalidated with immediate effect, and all transfers made on the basis of the Privacy Shield are illegal.
Other Transfer Tools
While the decision largely focused on the transfer of information to the US through the Privacy Shield and SCCs, the FAQ provides that the same assessment of the level of protection applies to all transfer tools under Article 46 of the GDPR, including BCRs, standard data protection clauses, codes of conduct and certification mechanisms. As such, the safeguards in place for transfers of information using any transfer tool must ensure “essential equivalence.”
SCCs and BCRs
While the judgment does not directly address the use of Binding Corporate Rules, the EDPB has found that the Court’s assessment applies in the context of BCRs, given that the Privacy Shield was also designed to bring guarantees to data transferred with other tools. Whether you can transfer personal data on the basis of BCRs and/or SCCs will depend on an assessment that takes into account the circumstances of the transfers and any supplementary measures. These measures would have to ensure that US law does not impinge on the adequate level of protection they guarantee. If appropriate safeguards cannot be ensured, you should suspend or end the transfer of data, or notify your competent supervisory authority if you intend to keep transferring data.
The requirement to carry out an assessment applies to transfers to other countries as well. It is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned, in order to determine whether the guarantees provided by SCCs and BCRs can be complied with in practice. If you are a data exporter, you can contact the data importer to verify the legislation of its country and collaborate on the assessment.
The EDPB will also provide some examples of supplementary measures that parties can introduce after conducting an analysis of the CJEU’s judgment.
Derogations of Article 49 GDPR
The EDPB confirmed that it is still possible to transfer data from the European Economic Area (“EEA”) to the US on the basis of derogations in Article 49, provided that parties are compliant with the conditions incorporated in the GDPR. The derogations pertain to explicit consent, performance of a contract and transfers necessary for the public interest.
As it pertains to explicit consent, it is important to note that the GDPR imposes a higher standard of consent than its Canadian counterpart. Under Article 4, consent must be freely given, specific and informed. In addition, it must be signalled by a statement or by clear affirmative action that demonstrates agreement. The Article 49 derogation adds the further requirement that the individual must have been informed of all the possible risks of the transfer.
Use of a Processor
If you are a controller of data that is processed by a data processor, look to the contract you have concluded with your processor, as it must state whether transfers are authorized. Authorization must also be addressed where processors entrust sub-processors with transfers of data to third countries.
You may be required to negotiate an amendment or supplementary clause to your contract to forbid transfers if: (1) your data may be transferred to the US (or other third country not compliant with the “essential equivalency” standard); and (2) supplementary measures do not provide adequate protection; and (3) Article 49 derogations do not apply.
If you have any questions or wish to discuss the issue, please reach out to David Krebs or another member of our Privacy Team.