A (Slight) Light at the End of the Schrems II Tunnel: EDPS on the Explicit Consent Derogation

Fox Rothschild LLP


The European Data Protection Supervisor (EDPS) has issued an opinion on the European Union Agency for Cybersecurity’s (ENISA) use of the explicit consent derogation as a legal basis for cross border transfers to the US concerning subscriptions to its newsletter.

Key points:

Cry and Pray (and try to not transfer):

  • The EDPS has requested that EU institutions (EUIs) take a strong precautionary approach concerning new processing operations carried out with appropriate safeguards and appropriate supplementary measures.
  • The EDPS strongly encourages EUIs to ensure that any new processing operations or new contracts with any service providers do not involve transfers of personal data to the US.
  • ENISA uses an EU based processor and US sub-processors.
  • ENISA should primarily assess with the processor the availability of alternative newsletter solutions not involving the transfer of personal data to sub-processors in the US.
  • (Failing that) ENISA should instruct its processor re: the legality of transfers, and the processor should comply with the provisions of Chapter V (re cross border transfers).

Regarding the derogation of explicit consent: Consent should be freely given (e.g. the option to consult the newsletter directly on the ENISA website), specific, informed (see above re disclosure) and unambiguous.


  • Data subjects need to be fully informed that the processing of their personal data involves a transfer to a third country (or an international organization).
  • In the absence of an adequacy decision and appropriate safeguards this must also include information on the possible risks of such transfers for the data subject resulting from the absence of an adequacy decision and appropriate safeguards. Per Schrems II, this should include the limitations on the protection of personal data arising from the domestic law of the US on access to and use of data transferred to the US and the lack of enforceable data subject rights. Which risks exist for the data subject will depend on the specificities of the US based sub-processor chosen by ENISA’s processor.
  • The information can be provided at the same time as the information and consent to the processing in general as long as it remains specific.


  • Consent should be given by a clear affirmative act, e.g. ticking a box. It is not enough to say that “by registering to the newsletter the user agrees to the privacy terms and conditions of the (newsletter service provider).”
  • There needs to be a subsequent affirmative act by the participants to indicate their agreement with transfers to the US referred to by the terms and conditions.


  • Consent for transfers for subscription cannot be used for other/future outreach activities.
  • Explicit consent on transfer is different from, and in addition to, the consent to the processing itself. ENISA could acquire the consent to the transfer when getting the consent to the processing or impose this on the processor.


  • Be able to demonstrate that the data subject consented to the processing.


  • Data subjects need to be told about the possibility to withdraw their consent in the data protection statement. Once consent is withdrawn the data must be deleted unless there is another legal basis.
  • Where there may be difficulties in enforcing contractual terms in practice in the third country, data subjects will need to be informed about this risk due to the absence of appropriate safeguards.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
