European Data Protection Board – Thirty-fourth Plenary session: Schrems II, Interplay PSD2 and GDPR and letter to MEP Ďuriš Nicholsonová on contact tracing, interoperability of apps and DPIAs
Brussels, 20 July – During its 34th plenary session, the EDPB adopted a statement on the CJEU’s ruling in Facebook Ireland v Schrems. The Board adopted Guidelines on the interplay between the second Payment Services Directive (PSD2) and the GDPR, as well as a response letter to MEP Ďuriš Nicholsonová on contact tracing, interoperability of apps and DPIAs.
The EDPB adopted a statement on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, which invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield and upholds the validity of Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries.
With regard to the Privacy Shield, the EDPB points out that the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment. The EDPB intends to continue playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA citizens and organisations and stands ready to provide the European Commission with assistance and guidance to help it build, together with the U.S., a new framework that fully complies with EU data protection law.
As regards Standard Contractual Clauses, the EDPB takes note of the primary responsibility of the exporter and the importer, when considering whether to enter into SCCs, to ensure that these maintain a level of protection that is essentially equivalent to the one guaranteed by the GDPR in light of the EU Charter. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The Court underlines that the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB will be looking further into what these additional measures could consist of.
The EDPB also takes note of the competent supervisory authorities’ (SAs) duties to suspend or prohibit a transfer of data to a third country pursuant to SCCs, if, in the view of the competent SA and in light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or processor has not already itself suspended or put an end to the transfer.
The EDPB recalls that it adopted Guidelines on Article 49 GDPR and that such derogations must be applied on a case-by-case basis.
The EDPB will assess the judgment in more detail and provide further clarification for stakeholders and guidance on the use of instruments for the transfer of personal data to third countries pursuant to the judgment. The EDPB and its European SAs also stand ready, as stated by the CJEU, to ensure consistency across the EEA.
The full statement is available here: https://edpb.europa.eu/news/news/2020/statement-court-justice-european-union-judgment-case-c-31118-data-protection_en
The EDPB adopted Guidelines on the second Payment Services Directive (PSD2). PSD2 modernises the legal framework for the payment services market. Importantly, PSD2 introduces a legal framework for two new kinds of payment service provider: payment initiation service providers (PISPs) and account information service providers (AISPs). Users can request that these new payment service providers be granted access to their payment accounts. Following a stakeholder workshop in February 2019, the EDPB developed Guidelines on the application of the GDPR to these new payment services.
The Guidelines point out that in this context the processing of special categories of personal data is generally prohibited (in line with Article 9 (1) GDPR), except when explicit consent is given by the data subject (Article 9 (2) (a) GDPR) or processing is necessary for reasons of substantial public interest (Article 9 (2) (g) GDPR).
The Guidelines also address conditions under which Account Servicing Payment Service Providers (ASPSPs) grant access to payment account information to PISPs and AISPs, especially granular access to payment accounts.
The Guidelines clarify that neither Article 66 (3) (g) nor Article 67 (2) (f) of the PSD2 allow for any further processing, unless the data subject has given consent pursuant to Article 6 (1) (a) of the GDPR or the processing is laid down by Union law or Member State law. The Guidelines will be submitted for public consultation.
Finally, the Board adopted a letter in response to MEP Ďuriš Nicholsonová’s questions on data protection in the context of the fight against COVID-19. The letter addresses questions on the harmonisation and interoperability of contact tracing applications, the requirement of a DPIA for such processing and the duration for which processing may be put in place.