Next Steps for EU companies & FAQs
We are fully aware that many controllers are overwhelmed with the recent judgment by the CJEU on EU-US data transfers and the lack of a grace period. We have summarized the most common questions and answers below. We also provide two model request texts that you can send to any US partner or any EU partner with US ties. Taking swift action may be a relevant factor should a DPA consider fines for non-compliance with the CJEU's ruling. We will update these FAQs and publish specific FAQs and model texts for users ("data subjects") in the coming days. Let us know if you have any feedback.
Steps that EU controllers should take
In accordance with the EDPB FAQs on the "Schrems II" judgment, our preliminary recommendation is that controllers take the following steps:
- Review all your external data flows (including to EU processors or controllers that in turn may transfer data to a non-EU entity) for data flows to third countries
- Identify the relevant legal basis (e.g. Adequacy, Article 49, Privacy Shield, SCCs, etc)
- In relation to 50 USC § 1881a (= FISA 702) and EO 12.333 identify especially any US "electronic communication service providers" and any data flow to the US that is not secured against wire tapping by the NSA (see model requests below)
- Stop your data transfers if:
- You or one of our partners still use the Privacy Shield
- A relevant US entity is an "electronic communication service provider" or
- You cannot protect your data flows from NSA wire tapping
- Notify the DPA if you continue to use SCCs, BCRs or any other instrument despite a negative assessment
Model requests to US providers or providers with US ties
You can use these model requests to the most common types of EU-US data flows that may be effected by the CJEU judgment:
- Model request to US data importers if you still use SCCs ("case by case" analysis)
- Model request to providers that process data in the EU/EEA but have US ties ("case by case" analysis)
We will add further model requests for other situations soon.
FAQs for EU companies
- What are the consequences when I do not take action?
The CJEU has highlighted that the controllers and (if the controllers are inactive) the DPAs have a duty to act to suspend or prohibit data transfers (para 134 of the Judgment) when they lack a valid legal instrument for a transfer. This means there is no chance for a “grace period” in this case.
Under the GDPR there is a penalty of € 20 Mio or 4% of the global turnover if you continue to transfer data without a valid legal instrument (Article 83(5)(c) GDPR). NGOs, workers’ councils or individual users can bring complaints or file lawsuits, including for emotional damages.
It is likely that a DPA will not fine a controller if the controller can demonstrate that all measures to comply with the CJEU judgment were taken as quickly as possible. This page is meant to enable controllers to demonstrate such steps.
- Review if you need to transfer data abroad from a business perspective!
In many cases, external non-EU/EEA providers were chosen with little consideration of the ramifications. Therefore, you may be able to switch to an EU/EEA provider (or a provider from an “adequate” country like Switzerland) in many cases and thereby avoid any issues around data transfers altogether.
Even if using an EU/EEA provider may seem costlier initially, the time spent making a non-EU/EEA transfer legal may cost you more than what you save on a cheaper offer from abroad.
- If you still use the SCCs for transfers to any non-EU/EEA provider, what do you need to do?
The controller and the relevant provider need to do a “case by case” analysis (para 134 of the Judgment), to check if there are any national laws which this provider is subject to that violate the GDPR and the Charter of Fundamental Rights.
Generally, laws that allow common law enforcement access to data in individualised cases and subject to the approval of a judge will be compliant with EU law. Forms of less democratic, far-reaching access (“mass processing”) or access without judicial review will be incompliant with EU law.
- If I specifically use the SCCs for transfers to a US provider, what do I need to do?
Most US cloud providers fall under FISA 702 and you will not be able to use them anymore. The definition in 50 USC § 1881(b)(4) for an “electronic communication service provider” lists:
- Providers of remote computing services,
- Provider of electronic communication services,
- Telecommunications carriers,
- Any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored, and
- any officer, employee, or agent of any such entity.
If you are not sure, you can ask your provider if they fall under FISA 702 themselves and/or if they have proper protections against third party surveillance in transit (under FISA 702 and/or EO 12.333). As each situation is different, we have prepared preliminary sample questions, which you may use for free to find out more about whether your US processing solution is compliant with the judgment:
- If I use a provider that processes data in the EU/EEA, but is linked to (or uses) a US company, what do I need to do?
FISA 702 and EO 12.333 have no territorial limitation. They also apply to servers in the EU that are operated by a US “electronic communication service provider” or where certain operations are outsourced to a US provider. The location for hosting is therefore irrelevant.
In some cases, providers may have sufficiently limited the factual access (“possession, custody or control”) from US entities, so that an EU/EEA server is factually beyond the reach of the US government. For example, this may be the case if an EU entity is bound by the GDPR to not provide data to the US parent company and there is no factual access by the US parent company.
As each situation is different, we have prepared preliminary sample questions, which you may use for free to find out more about whether your EU processing solution is compliant with the judgement:
- What about surveillance in transit?
In paragraph 183 of C-311/18, the CJEU also found that US surveillance “in transit” (like “Upstream” or taps of the underwater cables) violate EU fundamental rights.
From a GDPR perspective, we are taking the preliminary position that such external tampering with personal data mainly falls under Article 32 GDPR (“security of processing”). The data exporter and data importer therefore has to implement appropriate technical and organisational measures to protect transferred data from NSA/FBI tapping.
Given that the US government has vast powers to break encryption, it is mainly a technical question in each transfer situation if and how a technical solution is possible. The US government claims to mainly use “selectors” (such as email addresses, IP addresses or phone numbers) for programs like Upstream. Any technical approach therefore has to ensure that such selectors are below the end-to-end encryption layer. In many forms of direct communication (like a PGP encrypted email) the “selectors” are not themselves encrypted.
You can use the sample questions above to ask your provider about measures against surveillance in transit.
- Is there a list of US providers that fall under these surveillance laws?
There is no full list of all US providers that fall under 702 FISA (50 USC § 1881a), as all “electronic communication service providers” fall under this law. The definition of an “electronic communication service provider” can be found in 50 USC § 1881(b)(4).
At the same time, a number of companies have even published so-called “transparency reports” that list accesses under FISA. This allows us to know that these companies are definitely under a FISA order.
You can find some examples here (many other companies simply do not share such information, despite falling under FISA 702):
Verizon Media (former Oath & Yahoo)
- Who is liable for the costs of implementing the fallout from C-311/18?
If you used the SCCs before for your transfers, the law has not changed. Any non-EU/EEA provider had the duty to inform you about laws like FISA 702 and EO 12.333. If they have not done so, they are liable for all costs that result from cancelling the SCCs and transferring data back to the EU/EEA under either Clause II of the Annex of Decision 2004/915/EC or Clause 5(b) of the Annex of Decision 2010/87.
The Privacy Shield Decision was an incorrect executive decision by the European Commission. In theory, damages claims can be brought against the EU under Article 340 TFEU.
- Can I simply use Article 49 GDPR for all US transfers?
The EDPB has taken the position that Article 49 may only be used for “occasional and not repetitive transfers”, which limits Article 49 to individual situations where users have given explicit consent or if the transfer is strictly necessary to provide a contract (e.g. a hotel booking abroad).
Contrary to some claims, outsourcing of processing operations is not strictly “necessary” to provide the contract, if you could theoretically also use an EU/EEA provider or process data in-house. Controllers should also be mindful that data subjects can withdraw their consent at any time.
While Article 49 allows to keep “baseline” communications open with any country in the world (from Switzerland to North Korea) it is only a derogation for crucially necessary transfers.
- How can I assess whether the third country’s law is compatible with EU fundamental rights?
After the Schrems I judgment, in 2016, the Article 29 Working Party (now EDPB) provided clear guidance on what can and what cannot be regarded as a justifiable interference to fundamental rights in a democratic society regarding data protection law (Articles 7 and 8 of the Charter). In this Working Document, the DPAs have already identified four European Essential Guarantees that should be respected in the countries where EU data are sent:
A. Processing should be based on clear, precise and accessible rules;
B. Necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated;
C. An independent oversight mechanism should exist;
D. Effective remedies need to be available to the individual.
One will notice that the CJEU used at least two points from this guidance to invalidate the Privacy Shield. Therefore it may be helpful for you to first look at this Working Document.