Schrems II Fallout Continued: Can Companies Rely on Consent?
The EDPB has provided input about consent in its recent FAQs responding to the Schrems II invalidation of Privacy Shield. As we wrote about previously in this series, Schrems II impacted how companies transfer data from the EU to the U.S.. As background, under GDPR, consent from the individual can be relied on to transfer information from the EU to an entity outside of the EU’s borders if three conditions exist. The EDPB reminded companies of these three conditions in its FAQs, drawing on prior guidance about consent:
The consent is explicit.
The consent is specific to a specific data transfer or set of transfers.
The consent is informed, including informing the individual about the risks to their information if it is sent outside of the EU’s borders.
What does this mean for companies in practice? This decision is a reminder of takeaways from EDPB’s prior guidance: consents are difficult to rely on when addressing large volumes of data transfers. As a result, companies will likely need to continue to use Standard Contractual Clauses, albeit with the additional review that we discussed in our prior article in this series.
Why the difficulty with consent? For transfers made because they are necessary for a contract between the company and the individual, the EDPB’s original guidance explained that consent works if the transfer is “occasional,” something the EDPB acknowledges is a case-by-case issue. A transfer made by a travel agency to a hotel was an example of an acceptable necessary transfer made based on consent given in the prior guidance. With respect to occasional transfers, two examples were given in the prior guidance. First, transferring the personal details of a sales manager who travels to third countries to his or her clients in those third countries in order to arrange meetings with the sales manager and clients. Second, transferring personal information to a bank in a country outside of the EU in order to make a payment that the bank client requests be made. In sum, the EDPB guidance makes clear that consent cannot always be used.
Putting it Into Practice: Since the advent of GDPR, it has become harder to rely on consent as a basis for mass transfers of data out of the EU. While in some circumstances consent may be viable, it will likely not be the “magic bullet” to solving Schrems II, and instead companies will likely need to rely on an “SCC plus” model.