The following letter sent on 5 October 2020 to EU Commissioner Reynders and European Data Protection Board Chairwoman Jelinek outlines the impact stemming from the Court of Justice of the European Union ruling on the “Schrems II” case around the framework for international data transfers.
>> Read .pdf version
To: Mr. Didier Reynders
European Commissioner for Justice
Ms. Andrea Jelinek
Chairwoman of the European Data Protection Board
Brussels, 5 October 2020
Subject: Impact of CJEU Schrems II ruling on the framework for international data transfers
Dear European Commissioner Reynders and European Data Protection Board Chairwoman Dr Jelinek,
The sectors represented by the undersigned associations remain fully committed to ensuring the protection of EU citizens’ data when transferring data to third countries. With this letter, we would therefore like to address July 16th ruling of the Court of Justice of the European Union (CJEU) on the “Schrems II case” and its impact on the framework for the international transfer of personal data from the European Union to the United States (US), and to other third countries. The ruling has far reaching implications for the ways in which European and global businesses operate.
We understand that the CJEU has upheld the validity of European Commission (EC) decision 2010/87 on Standard Contractual Clauses (SCCs). However, we are concerned with the substantial legal uncertainty that has followed regarding the conditions under which SCCs can be used for data transfers, especially to the US. It has also, more generally, raised questions on all other available international data transfer mechanisms, including Binding Corporate Rules (BCRs) and adequacy decisions, and significantly increased the following risks:
• Fragmentation in the interpretation and enforcement of the judgement by data protection authorities (DPAs) across Europe and the impact this can have, particularly for financial institutions with cross border activities.
• Immediate economic impact for companies forced to suspend data transfers in order to comply with the judgement1 . Given the volume of data transfers between Europe and the US, which notably includes intra-group transfers, this would have a substantial impact on the European digital economy. We would also like to remind that the CJEU has not called for the retention of personal data within the boundaries of the EU.
• Delays in the negotiation of new contracts by businesses given the uncertainty surrounding the judgement and its implications. Guidance is urgently needed so that companies can continue to provide the products and services clients and consumers come to expect, in full respect of the data protection framework and the CJEU ruling.
To address these risks and in response to the judgement we call for legal certainty as soon as possible so that European companies can carry out their business activities.
We therefore welcome the EDPB’s intention to present guidance on the “additional measures” to be put in place alongside SCCs. In this regard we would like to highlight the need for a proportionate and risk based approach with measures that are flexible enough to be adaptable in a business setting. The undersigned associations propose a number of recommendations regarding the upcoming EDPB guidance, which can be found in the annex to this letter.
We also welcome that the EDPB aims for coordinated action and call on the EDPB to assess and provide guidance on the possible scenarios which could emerge as a result of the CJEU’s ruling. For example, it must be clarified what will be expected from controllers when the EDPB/DPA, having reviewed specific transfers, finds a jurisdiction inadequate and no risk mitigating measures can be put in place. Are all other controllersbe expected to stop their own data transfers to that jurisdiction? The administrative burden and economic impact of EU data controllers having to continuallyreassess transfers in light of the EDPB/DPA decisions would be significant. We believe that placing the burden of assessment on the data exporter will not foster legal certainty.
In addition, while the EDPB FAQ has indicated that there is no grace period following the ruling, we would urge the EDPB and DPAs not to proceed with sanctions against companies until the EDPB guidance on additional measures has been issued and a sufficient period of time has elapsed to enable businesses to implement the relevant procedures.
Furthermore, in the absence of the Privacy Shield and SCCs and BCRs that can be used with full legal certainty, we call on the EC to finalise their work on the new SCCs for international data transfers, in full consistency with the ruling and the future EDPB guidance on additional measures.
The updated SCCs should take a risk-based approach, provide for transfers in a variety of situations and between a variety of relationships, while aligning with the provisions of Article 28 GDPR. They must also be available to use as standalone tools and that their use should not be tied to an assessment by the data controller of the privacy standards in the jurisdiction to which the data is transferred. Moreover, the EC and DPAs should take into consideration the development of international cooperation mechanisms in order to facilitate the effective enforcement of legislation for the protection of personal data, also grounded on Article 50 of GDPR.
Lastly, we welcome that discussions have begun on a replacement for the Privacy Shield and call on the EC to continue its work to develop an adequacy framework that allows for the lawful transfer of data to the US while respecting the privacy of EU citizens.
We thank you for your attention and remain available to discuss these issues further. In the meantime, we would be pleased to receive your preliminary views on our points above.
Chris De Noose
AFME & GFMA
Managing Director of the Global FX Division, Technology and Operations and Policy Divisions
Chief Executive Officer
1 In the absence of Guidance on additional measures.