SCHREMS II REGULATORY RESPONSES TRACKER 11 NOVEMBER 2020

REGULATORY RESPONSES TRACKER 4 AUGUST 2020...DATA PROTECTION / REGULATORY AUTHORITY RESPONSES. This document provides a summary only of certain US, European Union (EU) and United Kingdom

SCHREMS II DATA PROTECTION / REGULATORY AUTHORITY RESPONSES

This document provides a summary only of responses from certain US, European Union (EU), United Kingdom (UK) and international data protection authorities to the Court of Justice of the EU (CJEU) decision in Schrems II of 16 July 2020.[1] It is not a substitute for legal advice and is not prepared to be relied upon as such.

Regulator Position Key:

Regulator still considering / awaiting further guidance – Green

Regulator has provided detailed statements concerning risks – Orange

Regulator has provided concrete recommendations – Red

Authority Response? Summary Source(s) Regulator position

PART A: JOINT US/EU REGULATORY RESPONSES

European Commission (EC) / US Secretary of Commerce (DoC)

• Have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the judgement

• Both sides recognise the vital importance of data protection and the significance of cross-border data transfers to their citizens and economies

• Shared commitment to privacy and the rule of law, and partnership will strengthen data protection and promote greater prosperity for our nearly 800 million citizens on both sides of the Atlantic

US Secretary of Commerce Statement (10 Aug)

European Commission Statement (10 Aug)

PART B: PAN-EUROPEAN REGULATORY RESPONSES

1 Where a response is not in English, the summary refers to unofficial translations.

European Commission (EC)

• EU Commissioner for Justice Didier Reynders has said before the EU Parliament that updated 'Schrems proof' Standard Contractual Clauses ('SCCs') that are GDPR compliant will be coming this year

• Confirmed that the European Commission is currently working on a revision of Standard Contractual Clauses ('SCCs'), as well as working with US counterparts in order to develop a stronger framework for the transfer of personal data

• The updated SCCs will reportedly address, among other things: (i) a number of scenarios not covered by existing SCCs, such as processor-to-processor international data transfers, and (ii) multipartite signing (not only bipartite)

Livestream Discussion (3 September)

News Update (3 September)

European Data Protection Supervisor

(EDPS)

• Confirms validity of Standard Contractual Clauses (SCCs) in principle; however, welcomes clarifications on the responsibilities of (i) controllers, and (ii) European data protection authorities

• European supervisory authorities must (i) diligently enforce the applicable data protection legislation, and (ii) where appropriate, suspend or prohibit data transfers

• Issued a strategic document aiming to monitor compliance of European institutions, bodies, offices and agencies (EUIs) with the judgement in relation to transfers of personal data to third countries and, in particular, the United States.

• The strategy acknowledges that the judgement has far-reaching consequences and aims to bring all transfers into compliance with the judgement in the medium term.

• Identified two strategic priorities to address in the short term: (i) ongoing controller processor contracts; and / or (ii) processor to sub-processor contracts involving transfers of data to third countries, with an emphasis on those carried out to the United States.

• EUIs are strongly encouraged to avoid transfers of personal data towards the United States for new processing operations or new contracts with service providers.

• "The strategy builds on the cooperation and accountability of controllers to assess whether the essentially equivalent standard or protection, based on the Court's ruling, is guaranteed when transfers of personal data are made towards third countries."

Press Release (17 July)

Press Release (29 October)

European Data Protection Board

(EDPB)

• Has created a complaints taskforce in response to a total of 101 identical complaints that have been lodged with the EEA Data Protection Authorities following the Schrems II judgement

• For transfers based on the SCCs or Binding Corporate Rules (BCRs) a preliminary assessment to determine whether the third country concerned meets the adequate level of protection is required. This assessment should be done on a case by case basis

• Created a separate taskforce devoted to preparing recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures when transferring data to third countries

• 'There is no one-size-fits-all quick fix solution. Each organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.'

• On 11 November 2020, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data as well as recommendations on the European Essential Guarantees for surveillance measures.

• The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries.

• The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law and help them identify those that could be effective.

• The recommendations on the supplementary measures will be submitted to public consultation until 30 November 2020. They will be applicable immediately following their publication.

• To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective.

EDPB Press Releases (17 July; 4 September)

FAQs (24 July)

Press Release (11 November)

News Update (11 November)

Convention 108 / Council of Europe

• Issued a joint statement reporting on the facts of the case and highlighted the need to protect fundamental human rights

• Stated that the Schrems II judgement offers opportunities to strengthen the universal data protection framework

• Proposed that the Convention 108+ should be adopted as a legally binding international standard on privacy and data protection as it will 'deliver two essential objectives: facilitating data flows and respecting human rights and fundamental freedoms, including human integrity and dignity in the digital age'

Joint Statement (7 Sept)

EU Parliament

(EP)

• Published informative paper on decision summarizing the judgement and its implications for both commercial data transfers and international relations

• Outlined the early reactions of industry commentators on the validity of SCCs

Informative Paper (16 September)

EU Cloud Code of Conduct General Assembly

(EU Cloud COC)

• Announced that it was working to build a legal solution for the transfers of personal data outside the EU

• Stated that any new method of transfer may become an EU-US Privacy Shield replacement

Press Release (15 September)

PART C: US REGULATORY RESPONSES

Department of Commerce

(DoC)

• U.S. Department of Commerce Deputy Assistant James Sullivan issued a statement and whitepaper following the decision.

• The whitepaper outlined the US legal framework for foreign intelligence data collection and provided an overview of privacy safeguards under US law in relation to intelligence agencies' access to data.

• As well as considering the current US privacy framework, the whitepaper outlined instances where US intelligence agencies would have no interest in certain data that is transferred. For example, the whitepaper states that intelligence agencies are not concerned with data that would be considered 'ordinary commercial information' and therefore the data protection risks considered in Schrems II are not relevant to these transfers.

Press Release / Whitepaper (28 September)

Federal Trade Commission

(FTC)

• The FTC expects companies to continue "to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework."

• It also encouraged companies to "follow robust privacy principles, such as those underlying the Privacy Shield Framework" and to review privacy notices to ensure they describe their privacy practices accurately

FTC Statement (21 July)

Privacy Shield Framework

(PSF)

• "This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework."

• The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List

Privacy Shield Statement (16 July)

Updated FAQs (31 July; 20 August)

PART D: EU & EEA REGULATORY RESPONSES (NATIONAL & LOCAL)

United Kingdom

(The Information Commissioner's Office)

(The UK Government)

• States that the EDPB FAQs apply to UK controllers and processors

• The ICO "will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy"

• Confirms that it is "ready to support UK organisations and will be working with UK government and international agencies to ensure that global data flows may continue"

• The UK government is reviewing the details of the judgment and working with the ICO and its international counterparts to make updated guidance available as soon as possible

ICO Press Release (16 July)

Updated ICO Statement (28 July)

UK Government Response (17 July)

Austria

(Österreichische Datenschutzbehörde)

Belgium

(Autorité de la protection des données (APD-GBA))

• Reported on the facts of the decision and noted the consequences for data controllers and processors who transfer personal data to third countries

• Stated that the Belgian Data Protection Agency (DPA) is examining the 'consequences of the decision to ensure the protection of fundamental rights to data protection while preserving the free exchange of data between Europe and third countries'

DPA Statement (31 August)

Bulgaria

(Commission for Personal Data Protection)

• Reported on the facts of decision

Statement (16 July)

Croatia

(Croatian Personal Data Protection Agency)

• Reported on the facts of decision and confirmed that they are awaiting further clarification from the EDPB

Statement (17 July)

Cyprus

(Commissioner for Personal Data Protection)

• Confirms that the supervisory authorities, through the EDPB, will soon provide guidance to the affected organisations, for the smooth and uniform implementation of the ECJ Decision

Statement (20 July)

Czech Republic

(The Office for Personal Data Protection)

• Reported on the facts of decision

Statement (16 July)

Denmark

(Datatilsynet)

• Standard contractual clauses are "generally still valid"

• "The judgment raises a number of issues which need to be examined further."

Statement (20 July)

Estonia

(Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon))

• From 16 July 2020, data controllers cooperating with US companies listed in the Privacy Shield will need to review the transfer of data in accordance with data protection clauses accepted by the European Commission

• EU companies must always assess the European Commission's data protection clauses themselves

• "The assessment must determine whether the protection of Europeans' personal data can be protected in the future or in the future by ensuring data protection clauses. If the protection of personal data cannot be guaranteed, the transfer of data must be suspended."

Statement (17 July)

Finland

(Office of the Data Protection Ombudsman)

• Has initiated a Schrems II probe, asking companies about their data transfer practices, and indicated that regulators will use the probe's findings in considering a response to the ruling

News Update (25 August)

France

(Commission Nationale de l'Informatique et des Libertés – CNIL)

• States that the CJEU "validated the standard contractual clauses" allowing the transfer of data from the European Union to importers established outside the EU

• Currently carrying out an analysis of the judgment, in conjunction with its European counterparts meeting within the European Committee for Data Protection. The CNIL notes that this joint work is intended to make it possible, as soon as possible, to draw the consequences for data transfers from the European Union to the United States

Statement (16 July)

Germany (including individual local authorities) (Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BFDI))

• The BFDI welcomed that "the ECJ makes it clear that international data traffic is still possible." However, the BFDI added that "companies and authorities as well as supervisory authorities now have the complex task of applying the judgement in practice"

• The BFDI also welcomed the EDPB's newly formed taskforces following the Schrems II decision.

• Highlighted that the taskforces sent a strong signal and help lead a harmonised European response in assessing future compliance with European data protection law.

• Confirmed that five complaints were received by the regional German data protection authorities.

• On 8 October, the Federal Commissioner issued an information letter on the impact of the judgement and confirmed that personal data transferred to a third country must enjoy equivalent protection under the GDPR.

• The letter also highlights that data transfers to the US cannot be made under the invalidated Privacy Shield, and that other transfer mechanisms such as SCCs and BCRs will also be affected.

• Exporters transferring data on the basis of SCCs and BCRs must assess whether the third country ensures essentially equivalent protection and must introduce additional measures where this is not the case.

BFDI Statements: initial high level guidance (16 July; 3 September)

Letter (8 October)

(Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI))

• The BlnBDI is asking data processors to relocate personal data stored in the USA to Europe.

Statement: initial high-level guidance (16 July)

(Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit)

• Stated that "Difficult times are looming for international data traffic."

• "Data transmission to countries without an adequate level of data protection will therefore no longer be permitted in the future. The supervisory authorities are particularly challenged here to develop and implement a common strategy."

Statement (16 July)

(Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (LfDI))

• "Protection of fundamental rights does not end at the EU border and also requires an examination of whether and how US security authorities have access to the data."

• Stated that there will be no transition period for data transfers invalidated by the Privacy Shield

• Due to the importance of appropriate data transfers for many companies, the LfDI expects a rush of questions from those responsible and data subjects and asks them for understanding now if the processing will take some time

Statement – initial high-level guidance (16 July)

Der Thüringer Landesbeauftragte für den Datenschutz und die Informationsfreiheit

• The data protection officer of Thuringia has welcomed the new ECJ decision, noting especially the ECJ's acknowledgement of the inadequate ombudsman mechanism

• Stated that further consideration from supervisory authorities was required on the use of SCCs

• "If the ECJ now emphasizes that the protective mechanisms of the Standard contractual clauses and their compliance must be checked by the data exporter and the data recipient before the transfer, then I do not know how an EU data protection-compliant test result should come about here in the case of data transfer to the USA."

Statement (16 July)

Landesbeauftragter für Datenschutz und Informationsfreiheit Baden-Württemberg

• Confirmed that for data transfers to the US, data controllers should implement safeguards to mitigate risks, including: (i) encryption, where only the data exporter has the key and which cannot be broken by US services and/or (ii) pseudonymization & anonymization, where only the data exporter can match the information with the data subject

• Stated that data controllers, when transferring data to non-EU jurisdictions, should consider the legal context regarding 'access to EU personal data by secret services' and the 'rights and legal protections granted to data subjects' in the jurisdiction to which data is being transferred

• Stated that companies transferring data should assess the necessity of such transfers and elect, where possible, alternative transfer methods that would reduce any associated risks

• Provided checklist of processes that companies should consider in light of the Schrems II judgement, including: (i) identify all transfers of EU personal data to third countries; (ii) inform service providers in third countries of the Schrems II judgement and its implications; (iii) determine whether the third country has an adequate level of protection with reference to the EU Commission guidance and (iv) where relying on SCCs, consider additional safeguards that may be required

• In respect of next steps the LfDI Baden-Württemberg stated: 'at the centre of the further procedure of the LfDI Baden-Württemberg will be a question as to whether there are reasonable alternative offers to the service provider / contract partner selected by companies without transfer problems. If you are unable to convince us that the service provider / contract partner you are using is not replaceable by a reasonable service provider/contract partner without transfer problems in the short and medium term, the LfDI Baden-Württemberg will prohibit the transfer of data'

Statement – full guidance (25 August)

The German Data Protection Conference (DSK)

• The DSK endorsed the EDPB FAQs and held that transfers of personal data to the US based on the Privacy Shield must cease

• On SCCs, the DSK highlighted that in cases of data transfers to the US, SCCs without further measures are insufficient

• The DSK also noted that the CJEU's findings have an impact on Binding Corporate Rules ('BCRs') and additional measures need to be taken if the rights of data subjects are not protected to the same level in a third country

Statement (28 July)

Gibraltar

(Gibraltar Regulatory Authority)

Greece

(Hellenic Data Protection Authority)

Hungary

(National Authority for Data Protection and Freedom of Information)

• Reported decision with links to judgement and press release

Statement (20 July)

Iceland

(Icelandic Data Protection Agency)

• Reported on the facts of decision

Statement (16 July)

Ireland

(Data Protection Commissioner (DPC))

• The Data Protection Commission strongly welcomed the judgment

• "Reflecting the complexity of many of the legal issues it addresses, the judgment has many layers, each of which will require careful consideration in the coming days and weeks."

• On the issue of validity of SCCs, the DPC said "This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis."

Statement (16 July)

Italy

(Garante per la protezione dei dati personali)

• Reported on the facts of decision and published Italian translation of EDPB FAQs

Statement (29 July)

Latvia

(Data State Inspectorate (Datu valsts inspekcija))

• Reported on EDPB response to decision

Statement (20 July)

Liechtenstein

(Data Protection Office)

• Concludes at least in the medium term, until a new agreement with the US on data transfer can be concluded by the EU Commission, that organisations/companies must now rely on Binding Corporate Rules (BCRs) and Standard Contract Clauses (SCCs)

• Published a compilation of the requirements and various suitable guarantees for data transfers to third countries on its website.

• Linked to EDPB FAQs with a note that it plans to publish a German translation of the FAQs during Aug 2020

Statement - initial high-level guidance (17 July, Update 22 July)

Lithuania

(The State Data Protection Inspectorate)

• The State Data Protection Inspectorate, as a member of the European Data Protection Board, will work together with colleagues from other European Union Member States to analyse the ruling and provide additional explanations to interested parties and recommendations on the use of personal data transfer measures to third parties

Statement (20 July)

Luxembourg

(Commission Nationale pour la Protection des Données (CNPD))

• The National Data Protection Commission welcomes the judgment

• The CNPD, in collaboration with the EDPB and other EU supervisory authorities, is currently assessing the decision to ensure consistency in the EEA

• The CNPD will work closely with its EU counterparts to ensure that additional guidelines are provided to organizations and businesses

Statement (20 July)

Malta

(Office of the Data Protection Commissioner)

• Reported on the facts of decision and linked to EDPB FAQs

Statement (30 July)

The Netherlands

(Autoriteit Persoonsgegevens (AP))

• The Minister for Legal Protection issued a response to parliamentary questions on the adequacy of American privacy protection.

• The Minister confirmed that data transfers using SCCs are still possible.

Response – initial high-level guidance (20 July)

Norway

(Datatilsynet The Data Inspectorate (NDPA))

• The NDPA highlighted that the Schrems II Case is directly applicable, with no transition period

• The NDPA noted that, in cases where a country has not been recognised as affording adequate protection, data exporters must, among other things, rely on Article 46 of the GDPR as well as assess whether the data importer/subcontractors are subject to laws, rules, or systems which undermine the importer's obligations in relation to the transfer, or lower the level of protection

Q&A (27 July)

Statement – initial high-level guidance (16 July)

Poland

(Urząd Ochrony Danych Osobowych (UODO))

• The President of the UODO emphasized "the need for a consistent approach to assessing the consequences of the CJEU judgment throughout the European Union and the necessity of joint actions in this respect by national supervisory authorities cooperating within the European Data Protection Board"

Statement (20 July)

Portugal

(Comissão Nacional de Protecção de Dados – CNPD)

Romania

(The National Supervisory Authority for Personal Data Processing)

• Reported on the facts of decision

Statement (20 July)

Slovakia

(Office for Personal Data Protection of the Slovak Republic)

• Reported on the facts of decision

Statement (16 July)

Slovenia

(Information Commissioner)

• The Slovenian Information Commissioner advised that organizations which previously relied on the Privacy Shield "must ensure as soon as possible that the transfers are justified on another basis (e.g. standard contractual clauses, binding business rules, exceptions)."

Statement (16 July)

Spain

(Agencia Española de Protección de Datos)

• Reported on the facts of decision and confirmed that they are working on a harmonized response at the European level to apply this judgement

• The Spanish National Cybersecurity Institute ("INCIBE") published a blog post reporting on the decision. It also suggested that SCCs may be a valid transfer mechanism, if the conditions provided in the Schrems judgement are complied with

• The blog post also states that as a solution organisations may look to store data within the EU and that transfers outside of the EU must be assessed on a case by case basis

Statement – initial high-level guidance (22 July)

Update (15 September)

Sweden

(Datainspektionen)

• Reported on the facts of decision

Statement (17 July)

Switzerland

(The Federal Data Protection and Information Commissioner of Switzerland)

• Concluded that the Swiss-US privacy shield does not guarantee an adequate level of protection regarding data transfers from Switzerland to the US

• Outlined that some principles enshrined under the Federal Act on Data Protection (FADP) are not respected under the Swiss-US privacy shield, including the lawful processing of personal data and right to legal recourse

• Stated that the FDPIC and the EU mutually belong to a group of nations that mutually assume the existence of an equivalent and adequate level of data protection

Statement (8 Sept)

PART E: INTERNATIONAL REGULATORY RESPONSES

New Zealand

(Office of the Privacy Commissioner)

• No direct effect on transfers of personal data from the EU to New Zealand because transfers are conducted on the basis of the adequacy decision

• Monitoring developments because the decision on international data transfers more generally is likely to be significant and likely to have a lasting impact on the international framework for data flows

• Considering the decision as it develops a set of model contract clauses under the new Privacy Act 2020, which places new limits on international transfers of personal information

OPCNZ Blog Post – initial high-level guidance (7 Aug)

Israel

(Privacy Protection Authority)

• Issued statement regarding data transfers from Israel to the US.

• Stated that Israeli companies could no longer rely on the EU-US Privacy Shield for data transfers to the US

• The regulator stated that the use of SCCs would continue to be a valid method of data transfer

• The Deputy Head of the PPA, Nir Gerson, noted that the Schrems decision highlights the need to update data transfer regulations and stated that they were looking for alternative methods to regulate data transfers to the US while "meeting the needs of the Israeli economy."

Initial high-level guidance (30 September)