The FAQ of the European Data Protection Board (EDPB), published on July 23rd and translated by the CNIL on July 31st, first recalls that the validity of the European Commission’s Standard Contractual Clauses (“CCT”), as the framework for transferring data to a third country that has not been recognised as adequate, depends on whether they contain effective mechanisms that make it possible in practice to ensure compliance with the level of protection guaranteed in the European Union by the GDPR.
In other words, it is prohibited to transfer personal data under such clauses if the clauses cannot actually be complied with.
In this context, the Court of Justice of the European Union (ECJ) notably recalled that the decision establishing the CCTs:
obliges the data exporter and the recipient of the data (the “data importer”) to verify whether the required level of protection is observed in the third country concerned; the data importer must inform the data exporter of any inability to comply with the standard data protection clauses and, where necessary, with any measures supplementing those provided for in the clauses.
Applying these principles, the ECJ logically invalidated the Privacy Shield.
A partial answer to the need for clarification
In this sense, the EDPB FAQ meets our expectations for clarification, provided it is specified that these requirements apply to all of the “appropriate safeguards” under Article 46 of the GDPR, which governs transfers of data from the EEA to a third country.
In the absence of changes to the US legislation identified by the ECJ (namely Section 702 of FISA and Executive Order 12333), the other legal instruments (CCT and BCR) must therefore be accompanied by “supplementary measures” to ensure that US law does not undermine the adequate level of protection provided by the clauses together with those measures.
What are CIOs and DPOs missing to make the right decisions?
However, we are still waiting for details and examples of the kind of “supplementary measures” that could be adopted alongside CCTs or BCRs, whether legal, technical or organisational, in particular for transfers of data to the United States, where these instruments alone do not provide adequate protection.
Therefore, as a first step, French CIOs and DPOs need to check whether their contract allows them to choose the location of the data within the European Union, and whether this option was selected during the contracting process.
If it was not, this option should, where possible, be activated during the performance of the contract, and the repatriation of the data to Europe should be confirmed by informing the data subjects.
Failing that, a change of service provider can be considered in order to repatriate the data within the European Union.
In fact, the final legal option, which is to rely on the derogations of Article 49 of the GDPR for transfers of data to the United States, seems to us to be contrary to the spirit of those provisions.
In line with the EDPB Guidelines (EDPB Guidelines 2/2018 on derogations from Article 49 under Regulation 2016/679, adopted on May 25, 2018, p. 3), we consider that relying on the consent of the data subjects as the legal basis for transferring their data without adequate protection should not become the “rule” in practice, but should remain limited to specific situations.
Nicolas Samarcq is Treasurer of the French Correspondents Association for the Protection of Personal Data (AFCDP), which brings together Data Protection Officers (DPOs). He is also the founder of Lexagone and specialises in GDPR compliance for private and public organisations.