I just attended today’s online LIBE meeting on possible solutions following the CJEU’s “Schrems II” decision, where it was recognized that the question of data transfers to third countries is fundamentally a geopolitical matter before being a legal one. In this way, legal certainty should be re-established as soon as possible – but such an achievement doesn’t seem likely or even possible in the short term.
The European Commission is currently active in three domains: 1. Cooperating with Supervisory Authorities to provide further practical guidance for organizations on how to lawfully transfer personal data; 2. Working on the modernization of SCCs to reflect what was established by the CJEU in “Schrems II”, to be finalized by the end of 2020; 3. Engaging in discussions with the US to explore the possibility of creating a data transfer framework which will be stronger than Privacy Shield. Commissioner Didier Reynders mentioned that there cannot be a quick fix but instead that a substantial and convincing solution is required to ensure that adequate protection travels together with data around the world.
The EDPB, at the same time, is working on defining appropriate supplementary measures for controllers and processors to ensure a level of protection that is essentially equivalent to that in the EU in all third countries. This approach is valid regardless of the actual means for the transfer under Art. 46 GDPR, including SCCs, BCRs, etc. Derogations under Art. 49 GDPR must be treated as what they are, as derogations, exceptions to the rule – not as suitable transfer mechanisms to be used as a rule, but only on a case-by-case basis. Controllers now have the responsibility to assess whether an essentially EU-equivalent level of protection will be guaranteed with respect to the transfer in question. This is a practically unbearable burden for companies and should instead be carried out by the relevant EU Institutions with the support of the EU Supervisory Authorities, as was underlined by MEP Sophie in ‘t Veld.
The EDPB is indeed currently working on reviewing its documents in the light of the “Schrems II” decision and is preparing recommendations on appropriate supplementary measures in the legal, technical and organizational domains in order to ensure that an equivalent level of protection can be ascertained, as was confirmed by EDPB Chair Andrea Jelinek in the meeting. Jelinek also mentioned that the role of the EDPB presents significant challenges as there cannot be a one-size-fits-all approach and that still every organization should carry out its own evaluations.
Max Schrems strongly pointed out that the only viable solution is at the geopolitical level and consists of the revision by the US Government of FISA 702, the law that substantially challenges the EU equivalent level of protection.
What to do: there is no bullet-proof solution to transfer data lawfully at this point, as mentioned already in Part III of the “A New Age of Data Transfers” blog post. While waiting for the hopefully imminent EDPB guidance on appropriate supplementary measures and the updated SCCs, companies should inevitably try to perform the necessary evaluations of the essentially EU-equivalent level of protection to be guaranteed with respect to the transfer in question, re-assess their data flows accordingly and, if a transfer is necessary, start working on possible technical, legal and organizational supplementary measures that can be implemented.