The elephant in the room: international data transfers after the Schrems II decision
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgement in Case C-311/18, more commonly known as “Schrems II”. The CJEU invalidated the EU-US Privacy Shield Adequacy Decision and considered the application of Standard Contractual Clauses (SCCs) for data transfers outside the EU/EEA.
We have previously commented on the initial hearings and Advocate General’s opinion in this case. In this piece, we assess the implications of Schrems II and suggest proactive steps European organisations should take to minimise the impact of the decision on their business operations.
Background of the case
In the ground-breaking judgement C-362/14 (“Schrems I”) in October 2015, the CJEU declared the Safe Harbor decision invalid, holding that US “legislation permitting public authorities to have access [to personal data] on a generalised basis” did not guarantee an adequate level of protection to the EU citizens. In 2016, the European Commission’s Decision 2016/1250 replaced the invalidated Safe Harbor decision with the Privacy Shield framework to provide an appropriate data transfer mechanism to the US.
The Schrems II case arose from proceedings brought in Ireland by the Data Protection Commission (DPC) against Facebook Ireland Ltd and Maximilian Schrems, shortly after Mr Schrems challenged Facebook Ireland’s reliance on Standard Contractual Clauses (SCCs) for data transfers to Facebook Inc (the US-based parent company).
Key elements of the decision
The Court delivered the below key rulings as part of Schrems II:
- The GDPR applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country. This is true even if, at the time of that transfer or thereafter, that data may be processed by the authorities of that third country for the purposes of public security, defence or State security.
- Data Protection Authorities (DPAs) have the power to suspend or ban data flows to a third country that relies on SCCs, not only in exceptional circumstances, but wherever they believe data subjects are not afforded an adequate level of protection in that country.
- The relevance of adequacy decisions is strengthened by the judgement. Adequacy decisions are the only tool that can provide a stable solution to a third country data transfer without relying on a case-by-case assessment.
- The Court has invalidated the Privacy Shield Decision since US law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.
- Standard Contractual Clauses (SCCs) remain valid. Their validity depends on a case-by-case assessment:
a) as to whether SCCs include effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by the GDPR; and
b) that the transfer of personal data pursuant to such clauses is suspended or prohibited in the event of the breach of such clauses or it is impossible to honour them.
- The assessment of whether the countries to which personal data are sent offer adequate protection is primarily the responsibility of the data exporter and the data importer, when considering whether to enter into SCCs. If the result of the assessment is that the country of the importer does not provide an essentially equivalent level of protection to that which the data would receive within the EEA, as is the case for the US, the exporter may have to consider putting in place additional measures. If the additional appropriate safeguards do not suffice, organisations have to suspend or end the data transfer. If they still plan to continue transferring data despite this finding, they should notify their supervisory authority.
- The judgement does not affect transfers based on Binding Corporate Rules (BCRs) according to Art. 47 GDPR. Nonetheless, general considerations throughout the judgement on “appropriate safeguards” (e.g., DPAs’ power to take enforcement actions wherever they believe data subjects are not afforded an adequate level of protection in a third country) may also apply to BCRs.
- The judgement does not affect ‘necessary’ transfers of personal data covered by the derogations outlined by Art. 49 GDPR. Personal data can continue to be transferred to the US if the legal basis for the transfer is found in the derogations outlined by Art. 49 GDPR. Such derogations can apply only in exceptional circumstances, in so far as the transfer is strictly necessary and not repetitive.
The EDPB guidance
The European Data Protection Board (EDPB) adopted guidance on 23 July 2020 shedding light on the practical implications of this decision. According to the EDPB:
- There is no grace period for European organisations relying on the Privacy Shield.
- Any data transfers from the EU/EEA to the US are illegal if they are based on the Privacy Shield.
- The threshold set by the Court for transfers to the U.S. applies for any third country. Therefore, the above considerations apply to any international data transfers relying on SCCs and BCRs.
- Supervisory authorities should cooperate with the EDPB to determine which particular transfers to third countries must be prohibited.
- The EDPB plans to provide guidance on the supplementary measures for transferring data to third countries where SCCs or BCRs will not provide a sufficient level of guarantees.
Guidance for European organisations
If your organisation is one of the thousands that exports personal data from the EU/EEA to the US, you are probably trying to understand the impact of the decision from an operational and practical standpoint. Guidance from national authorities will be necessary for this purpose and the coming months will be critical to clarify the scope of the judgement as well as its implications for controllers and processors.
As of today, various DPAs have issued statements commenting on the decision, but at times these have been discordant and contrary to the EDPB guidance. On the one hand, the strictest statements have highlighted the unlawfulness of data transfers to the US, even those relying on SCCs. For example, the Berlin Commissioner has advised data controllers storing personal data in the US (e.g., using cloud service providers) to stop their data transfers and to switch to local providers. Others, with a milder approach, have not explicitly deemed those data transfers unlawful. For example, the U.K.’s ICO has advised controllers currently using the Privacy Shield to continue to do so until new guidance becomes available. However, they have also recommended that new exporters delay any plans to start data transfers under the framework. Finally, the Irish DPC, the interested party in the judgement, has welcomed and agreed with the CJEU decision, stating it will investigate the application of the SCCs transfer mechanism to transfers of personal data to the US.
Despite the divergent guidance on this issue from the EDPB and the national authorities, it is likely that organisations will have to rely on new guidance from their national supervisory authority to properly update their data-transfer structures and arrangements. In the meantime, it is advisable to ensure that the relevant core documents are up to date and ready to support the changes to come. For example, short-term housekeeping tasks include:
- Assessing the Records of Processing Activities (ROPA) to map which processing operations rely on SCCs and the Privacy Shield. The ROPA should record which third country the personal data is transferred to, to whom the data is sent, and the relevant categories of personal data.
- Procurement contracts should also be reviewed carefully to check whether EU/EEA providers are linked to or rely on US-based companies. This includes both processors and sub-processors.
Appropriate mapping of the organisation’s exposure to US-based operations will help the DPO and data protection teams to design appropriate data transfer mechanisms and additional safeguards.
For more information about this, and for additional practical recommendations on how to behave in case your organisation transfers personal data to the US or any other impacted third country, please do not hesitate to contact a member of our Data Protection and Cyber-Risk Service team.