EDPB Issues FAQs After Schrems Decision

Written by: Charles R. Langhorne IV, Esq. and Brock Wolf

Last month, the Court of Justice of the European Union (“CJEU”), Europe’s top court, struck down the EU-US Privacy Shield Framework. The Privacy Shield was created to allow businesses to transfer personal data to the United States from the European Union (“EU”). The decision not only invalidated the EU-US Privacy Shield as an approved cross-border transfer mechanism, it also brought into question whether Standard Contractual Clauses (“SCC”) or Binding Corporate Rules (“BCR”) provided an adequate level of protection such that they could be used to transfer personal data from the EU to the US.

The underlying issue the EDPB has with transferring personal data to the US is that the US has laws that, in certain situations, allow public authorities unfettered access to personal data.

For the time being, the European Data Protection Board (“EDPB”) has not invalidated the use of SCC or BCR as a mechanism to transfer personal data from the EU to the US. Instead, the EDPB has issued a set of FAQs to help guide businesses in the interim.

Getting to the FAQs specifically, there are a few important takeaways, some leading to more questions than answers.

• There is no grace period to implement an alternative mechanism to continue transferring personal data to the US.
• This ruling does not affect using SCC or BCR to transfer data to countries other than the US.

The FAQs state that SCC and BCR are not necessarily invalid as it related to transfers to the US, but such transfers need to be assessed on a case-by-case basis, and supplementary measures may be needed to ensure an adequate level of protection. Unfortunately, the EDPB does not give any examples of what such supplementary measures may be. The EDPB basically says “they will get back to us” after they analyze the CJEU ruling.

The action step for businesses is to assess the transfer mechanism used with each of its data processors that involves transferring personal data to the US and determine if SCC need to be entered into. It is possible businesses could look into applying for approval of BCR, but that is not a practical solution because such approval can take months or even years.