European Court of Justice renders new Schrems decision on international data transfers
EU-US Privacy Shield collapses
04 November 2020
Based on the Schrems II ruling, personal data can no longer be lawfully transferred to the US under the EU-US Privacy Shield programme. Although other legal instruments (such as the commonly used Standard Contractual Clauses) can still be used for international data transfers, companies must make case-by-case assessments for each international data transfer to analyse if the third country offers adequate protection and the transfer can thus validly be performed.
On 16 July 2020, the Court of Justice of the EU ("CJEU") rendered its ruling on Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. Immediately, the case made headlines as the 'Schrems II'. The ruling was much awaited and focuses on the transfers of personal data by European companies to third countries, including the US. In short, the ruling states that personal data can no longer be lawfully transferred to the US based on the EU-US Privacy Shield programme. Moreover, although other legal instruments – such as the commonly used Standard Contractual Clauses ("SCCs") – can still be used for the needs of international data transfers, additional burdensome constraints seem to have emerged.
Back in 2013, Max Schrems, a law student at the time, filed a complaint with the Irish Data Protection Commissioner against the fact that Facebook Ireland provided his personal data to its parent company, Facebook Inc., in the US where, according to Schrems, there is no adequate level of protection of personal data. This complaint resulted in the 'Schrems I' ruling from the CJEU, in which the CJEU invalidated the Safe Harbor regime, meaning that companies were no longer allowed to transfer personal data to the US under Safe Harbor and had to look at alternative legal bases. Safe Harbor was the predecessor of Privacy Shield, being a self-certification mechanism for companies in the US. If a company was certified, European companies were allowed to transfer data to it, as certified companies were considered to have implemented measures and therefore to offer an adequate level of protection of personal data. After this ruling, Schrems restated his complaint, now focusing on other transfer mechanisms.
Under the EU General Data Protection Regulation ("GDPR"), it is not allowed to simply transfer personal data to organizations located in countries outside the European Economic Area ("EEA") (so-called "third countries"). The transfer is only allowed if there is a sufficient level of protection in the third country, and the GDPR lists a limited number of ways to satisfy sufficiency, including two methods which were debated in the Schrems II case: the transfer based on an 'adequacy decision' (in this case: on the Privacy Shield agreement between the EU and the US) and the transfer based on SCCs. SCCs are the standard form contracts companies and their service providers will typically use to allow personal data to flow legally from the EEA to other countries where it would otherwise be restricted by the GDPR.
The Privacy Shield is now invalid. The CJEU held that, due to the potential access to, and use by US public authorities of personal data transferred to the US, a level of protection essentially equivalent to that guaranteed under EU law cannot be guaranteed.
On 10 August 2020, the US Department of Commerce and the European Commission issued a joint statement representing that they had initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework to comply with Schrems II.
As things stand, however, the Schrems II judgment means that (i) data transfers based on the recipient's registration under Privacy Shield are no longer allowed, and (ii) companies should have suspended and stopped transfers made on the basis of Privacy Shield immediately after the ruling. The European Data Protection Board ("EDPB") confirmed in its FAQs that there is no grace period. Hence, if companies want to keep transferring data to the US, they need to use another legal basis.
Standard Contractual Clauses
Second, and most important, the CJEU ruled that SCCs remain valid. This is good news, and the headline of most news coverage of Schrems II. However, SCCs are not a panacea, although they have historically been treated as such by some. The CJEU unequivocally clarified that routine reliance on SCCs to legitimise cross-border data flows without understanding whether the laws and practices in the importing country align with EU standards will not suffice. The CJEU emphasised the requirements that organisations will need to satisfy in order to be able to rely on the SCCs moving forward, namely carrying out an assessment of the level of protection in the destination country in addition to satisfying other GDPR principles (e.g. only processing personal data if this is necessary). This will not be a straightforward assessment for many organisations, and the result may be that organisations are able to rely on SCCs for some third countries but not others.
If the data exporter is informed by the data importer that compliance with the SCCs is not possible due to applicable law, the exporter not only has a right but an obligation to suspend the data transfer. The same applies if the data exporter is informed by a supervisory authority of such non-compliance.
Once the Brexit transition period ends, the UK will be considered a third country for the purpose of the GDPR. The question arises whether the UK will receive an adequacy decision on the basis of which transfers are allowed. From a legal standpoint, regulators and advisors in the UK are confident that the UK being granted adequacy is a safe bet, given that the UK is (one of the largest) GDPR jurisdictions and is aligned almost across the board from a legal, regulatory, post-Brexit policy and compliance perspective.
That said, this is complicated for a number of reasons – the EU and the UK are locked in heated negotiations over the Brexit deal and the threat of a no-deal looms large. The UK government’s stated policy is to diverge from the EU framework, as confirmed to the House of Lords Committee on the European Union on 28th May (Q18). This raises a red flag. If ‘divergence’ entailed any weakening of individual privacy protection, it would put at risk the data flows to the UK. From a political standpoint, GDPR adequacy could well become a bargaining chip for either side to use as these negotiations continue. Hence, developments around Brexit are an area to closely watch and to prepare for alternative transfer mechanisms if no adequacy decision is granted.
Next steps and recommendations
When using SCCs for the transfer of personal data, a case-by-case assessment is necessary in relation to each transfer of personal data regarding the existence of adequate protection with respect to the transferred data. The aim is to ensure that data subjects actually benefit from a level of data protection equivalent to the one they have in the EEA. Looking at this from a very high-level perspective, this can be ensured only in cases where two requirements are met, as follows:
- the relevant transfer benefits from "appropriate safeguards"; and
- the data subjects can benefit from enforceable data subject rights and effective legal remedies.
To this end, the ruling identifies a number of actions for the exporter to take in advance of transferring data to a third country, as follows:
First, the ruling demands that the exporter "verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection." The concept of "adequate protection" is not defined, so one may argue whether the threshold the CJEU has in mind refers to EU public policy principles (e.g. the fundamental rights set out in the Charter) or the GDPR provisions; however, it appears advisable that the exporter considers the minimum set of rights that are afforded to the data subject pursuant to the country of destination's laws, e.g. by answering questions like:
- Is the law of the state of destination consistent with the basic principles of the GDPR (e.g. proportionality, minimisation);
- Under which circumstances can the data subject enjoy basic rights (e.g. erasure, rectification, opt-out);
- Is it possible for a data subject to enforce her rights (e.g. by filing for litigation and/or applying before an Authority).
Second, the ruling requires the exporter to take into account the "circumstances of the transfer," in order to identify any red flags that may require the transfer to be subject to narrower conditions. For example, the ruling suggests that a transfer of data may qualify as risky (for the data subject) if there is a prospect of "access [or "surveillance"] by public authorities."
Third, based on the outcome of the above analysis, the ruling places a duty on the exporter to assess whether a transfer is too risky for the data subject's rights. Based on this part of the ruling, rumors have emerged about the possibility of a new procedure – the transfer impact assessment (mirroring the data protection impact assessment pursuant to Art. 35 GDPR) – being established in future in order to ensure that all exporters document their reasoning in support of effecting a transfer.
Fourth, if the exporter concludes that the transfer is viable, it should identify and implement adequate measures aimed at addressing the risks triggered by the transfer. While the EDPB is expected to outline these measures in more detail, one may reasonably expect the measures to be of a technical (e.g. encryption, anonymisation) and legal nature (e.g. contractual requirements for a party to the transfer to ensure control over data or minimise disclosure to third parties). In addition, exporters may consider relying on a combination of transfer mechanisms/legal bases (e.g. SCCs and consent).
In order to factor in all the above requirements, the national data protection authorities are issuing recommendations for exporters to keep in mind. For example, the Data Protection Authority in Rhineland-Palatinate proposed a multi-step assessment process (available in German only) to determine whether a data transfer is legal, recommending particular attention if the data transfer is directed to the US, involves telecommunication companies (due to US FISA Section 702) and/or unencrypted data over transatlantic cables (which may be monitored in the US according to Executive Order 12333).
As a fallback solution, liability commitments are a possibility. US importers, for example, would then agree to compensate for the damage caused by European GDPR violations. However, this does not legalize the transfer of data; it only remedies the economic damage caused by (potential) fines. Alternatively, a data controller may assess whether the transfer can rely on alternative legal bases, each of which, however, bears some practical pros and cons, for example:
- While the data subject's consent may in theory be the most prudent approach, obtaining consent (that meets all the requirements recommended by the EDPB) may prove burdensome for the transfers that are already in place.
- A contractual basis may be fit for occasional data transfers, per the EDPB's abovementioned FAQs, but is unlikely to be a catch-all solution.
- Public interest is difficult to establish for most private businesses.
The EDPB has indicated that they will further analyse the Schrems II ruling to identify supplementary measures (e.g., legal, technical or organisational measures) that could be provided in addition to SCCs as well as Binding Corporate Rules ("BCRs", another transfer mechanism, being data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises) to transfer data to third countries where SCCs or BCRs would not provide the sufficient level of guarantees on their own. The outcome of this analysis is highly anticipated to give companies more practical guidance and structure for their assessment.
Also looking ahead, the Commission is working on a revised version of the SCCs, with the aim of finalising these by the end of the year. The European Commission says that its aim is to "continue [their] work to ensure the continuity of safe data flows". However, it is not clear from the Commission's statements that the specific points raised by the CJEU in Schrems II will be specifically addressed by the new SCCs. In any event, this would not be possible in all cases: for example, addressing the lack of recourse against the supervisory powers of the US authorities would require the intervention of the US legislature, which the Commission cannot call for through the unilateral enactment of SCCs. Accordingly, the case-by-case assessment will also stay in place after the introduction of the new SCCs.
Key Business Takeaways
- Any ongoing data flows to the US based on the Privacy Shield must come to a halt.
- If a data flow directed outside the EU relies on Standard Contractual Clauses, the exporter should assess whether the privacy standards of each non-EU country to which it exports data under the Standard Contractual Clauses line up with EU data protection law and possibly implement additional measures.
- In any event, the following measures should also be considered when transferring data outside the EU:
  - Assessing current technical (e.g., cyber and security) protections for data in order to protect data from unintended disclosure;
  - Mapping existing data transfers, in order to ensure that there are no unintended flows of data outside the selected countries;
  - (Re-)Assessing whether a transfer of personal data is strictly necessary (in compliance with the data minimisation principle);
  - If non-personal data would be sufficient, considering anonymisation (for example, by relying on the techniques identified by the European Data Protection Board).
This article was first published in newsPfLAsh - The Newsletter for Pfizer Legal Europe