European Data Protection Supervisor Announces Strategy for EU Institutions’ Compliance with Schrems II
November 09, 2020
Sarah Pearce and Ashley Webber
On 29 October 2020, the European Data Protection Supervisor (“EDPS”) issued its “Strategy for Union institutions, offices, bodies and agencies to comply with the ‘Schrems II’ Ruling” (the “Strategy”). The aim of the Strategy is to monitor and ensure the compliance of EU institutions, bodies, offices and agencies (“EUIs”) with the Schrems II decision. It is important to note, therefore, that this Strategy does not apply to corporate organisations or non-EU institutions, but it does provide a useful insight for all organisations into the views of the EDPS with respect to international transfers of personal data. The question is, how far will EU data protection authorities follow suit? Will they take a similarly strict stance towards international transfers, as discussed below?
The Strategy includes both short- and medium-term actions for both EUIs and the EDPS, which are intended to ensure that the goal of compliance is achieved whilst also building on the accountability and cooperation of EUIs. In doing so, the EDPS takes a strict stance towards transfers of personal data to the U.S., including, as discussed further below, a recommendation not to engage in any new transfers of personal data to the U.S.
The key takeaways from the Strategy are:
Priority: the Strategy emphasises the priority to address transfers of personal data made by, or on behalf of, EUIs, in particular towards the U.S. This includes both controller/processor and processor/sub-processor arrangements.
A) Short Term
Mapping exercise: on 5 October 2020, the EDPS issued an order to EUIs to carry out an inventory of all ongoing processing operations involving an international transfer of personal data, which they were required to complete by the end of October. The inventories should include information such as the processing operations, destinations and recipients, the transfer tool used, and the categories of affected individuals.
Risk-based approach: in line with the priority criteria, the EDPS developed a risk-based approach to identify priority enforcement actions where no essentially equivalent level of protection for transfers would be guaranteed, particularly with respect to the U.S.
Reporting: EUIs are expected to report to the EDPS by 15 November 2020 any specific risks and gaps identified during the mapping exercise. In doing so, they must confirm whether any of the transfers identified are: (i) illegal; (ii) based on a derogation; and/or (iii) “high risk transfers” to U.S. entities which are “clearly subject” to section 702 FISA or E.O. 12333.
Enforcement: following the first reporting exercise, the EDPS may take enforcement actions to bring transfers into compliance or to suspend transfers, where appropriate.
Caution for new processing: with respect to new service providers and new processing operations, the EDPS requests that EUIs take “a strong precautionary approach” and goes on to state that it “strongly encourages” EUIs to ensure that any new processing operations or new contracts with service providers do not involve transfers of personal data to the U.S.
B) Medium Term
Transfer Impact Assessments (“TIAs”): EUIs will be asked to carry out case-by-case TIAs to identify whether an essentially equivalent level of protection to that provided in the EU is afforded in the third country of destination. Following the expected guidance from the European Data Protection Board (“EDPB”) on appropriate supplementary measures, the EDPS will provide a list of preliminary questions for EUI controllers to use when launching TIAs with data importers.
Reporting: depending on the outcome of the TIAs, EUIs will be asked to report to the EDPS in the course of spring 2021 on the following three categories of transfers: (i) transfers that do not ensure an essentially equivalent level of protection; (ii) transfers that have been suspended or terminated because the EUI considers that the third country does not ensure an essentially equivalent level of protection; and (iii) transfers based on derogations.
Long-term compliance: based on the outcome of the mapping exercise combined with the conclusions drawn from TIAs, and in cooperation with the EDPB, the EDPS will establish long-term compliance priorities for 2021.
C) Co-operation with the EDPB
Co-operation: within the EDPB, the EDPS is working with the other data protection authorities in the EEA on developing further guidance and recommendations to assist controllers and processors in their duty to identify and implement appropriate supplementary measures, so as to ensure an adequate level of protection when transferring data to third countries.