July 27, 2020
The EDPB has welcomed the CJEU’s judgment, as it highlights the fundamental right to privacy in the context of the transfer of personal data to third countries. The EDPB says that the decision is “one of great importance”. The EDPB says that the EU and the US should now put together a “complete and effective framework guaranteeing that the level of protection granted to personal data in the US is essentially equivalent to that guaranteed within the EU, in line with the judgment”.
The EDPB says that it had already identified some of the main flaws of the Privacy Shield on which the CJEU based its decision to declare it invalid. In particular, it questioned the compliance of the EU-US Privacy Shield with the data protection principles of necessity and proportionality in the application of US law. The EDPB says that it intends to continue to play a constructive role in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations, and it stands ready to provide the European Commission with assistance and guidance to help it build, together with the US, a new framework that fully complies with EU data protection law.
The EDPB notes that the CJEU confirmed that standard contractual clauses (SCCs) remain valid, but also that the CJEU underlined the need to ensure that these maintain, in practice, a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter.
The EDPB comments that the assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer. When considering whether to enter into SCCs, the exporter (if necessary, with the assistance of the importer) must take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of.
The EDPB also notes that the CJEU emphasised the importance of the exporter and importer complying with their obligations in the SCCs, in particular the information obligations in relation to a change of legislation in the importer’s country. When those contractual obligations are not or cannot be complied with, the exporter is bound by the SCCs to suspend the transfer or to terminate the SCCs or to notify its supervisory authority if it intends to continue transferring data.
The EDPB also notes the duties of supervisory authorities (SAs) to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the SA and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or put an end to the transfer.
The EDPB says that it will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment. To read the EDPB statement in full, click here.