Schrems II – Where are we now?

As covered in our previous blog post, the CJEU has invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data from the EU to the U.S. (the “Schrems II” decision) and cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (“SCCs”) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.

The past two weeks have seen updates and comments from a number of European data protection supervisory authorities (“DPAs”) as regulators, privacy professionals and companies come to terms with the implications of the Schrems II decision.  In this blog we summarize early indications of its impact based on DPA guidance and what is yet to become clear.

So, what’s the position two weeks and counting after the Schrems II decision?  Basically this: at present there is no complete guarantee that any of the mechanisms for transferring personal data from the EU to the US are compliant with GDPR, outside circumstances where exemptions apply such as explicit consent or where transfers are necessary for the establishment, exercise or defence of legal claims or for performance of a contract with the data subject.

The safest and most conservative course – likely impractical for many organizations – is to shut down transatlantic transfers and repatriate data to the EU.  A less conservative course is to keep making transfers under SCCs or Binding Corporate Rules (“BCRs”), while actively assessing and documenting data protection conditions in the transferee country, and encrypting transferred data as much as possible, so as to put the data farther from the reach of US law enforcement or intelligence agencies.

Companies may take some comfort from the fact that, the Schrems litigation aside, there have been relatively few examples of enforcement action or litigation related to data export violations, with such action being more common where the violation has been one of multiple GDPR breaches.  Further, there is in practice some safety in being amongst the very large numbers of companies that use SCCs, other than those operating in higher-profile industries such as social media, telecommunications, or industries engaging in innovative uses of personal data likely to attract regulatory scrutiny.

  1. There is no formal grace period for users of the Privacy Shield: The European Data Protection Board (“EDPB”) – the highly influential collective of representatives from the EU DPAs – confirmed this position of the Court in FAQs published on July 24, 2020 (the “FAQs”). Organizations relying on Privacy Shield data transfers now have to look for an alternative route for transfers of personal data to the US as soon as possible.  Whilst in practice immediate enforcement action is very unlikely, companies should not delay considering what alternatives to put in place especially given increasing levels of data protection related litigation in the EU and UK. 
  2. But, participating organizations still need to comply with their Privacy Shield obligations: The U.S. Department of Commerce has confirmed in its FAQs published on July 31, 2020 that it will continue to administer the Privacy Shield program, irrespective of the CJEU’s decision, and it expects participating organizations to comply with their obligations under the framework.  The FTC has also said that it expects certified organizations to do the same.  Therefore, whilst the CJEU’s decision means that participating organizations can no longer rely on the Privacy Shield to comply with the GDPR, it does not relieve them of the U.S. side of their Privacy Shield obligations and, as the FAQs confirm, companies wishing to withdraw from Privacy Shield will have to follow the normal process to do so. 
  3. The impact of the Schrems II decision is not confined to Privacy Shield and SCCs: The threshold set by the Court also applies to all appropriate safeguards for cross-border transfers of personal data under Article 46 GDPR.  This means that the use of binding corporate rules (“BCRs”) is no safer than SCCs.  On the other hand, the Schrems II decision does not have an impact if one of the derogations set out in Art. 49 GDPR applies.  Those include that the data subject has freely given their explicit and unambiguous consent.  Companies seeking to rely on consent, though, may face difficulties meeting their transparency obligations and giving sufficient information about the associated risks of the cross-border transfer to make consent valid for GDPR purposes.  
  4. The views of the DPAs on the continued use of SCCs may be diverging: This means that the practical enforcement risk arising from relying on them may be greater or lesser depending on which country’s DPA is most relevant to your company.  The EDPB’s FAQs refer to further guidance to come. In the meantime, the EDPB has said that “[w]hether or not you can transfer personal data [to the US] on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.”

The German independent supervisory authorities convening in the Datenschutzkonferenz (PDF: 370.62 KB) have released a statement that arguably goes further, saying that SCCs without additional measures are generally not sufficient for data transfers to the US. Statements made by Romanian or Slovenian DPAs prior to the FAQs took the position that SCCs are fit for transatlantic data transfers, whereas the Irish Data Protection Commission adopted a middle ground and said that the use of SCCs to transfer personal data to the US is now “questionable”.  It remains to be seen whether a consistent approach will be established. 

  1. Users of SCCs have to assess and, if possible, mitigate the data protection risks posed by the laws of the jurisdictions to which they transfer data: In practice, companies have long assumed that the SCCs can be used without question for transfers to countries outside the EEA which are not approved as offering adequate protection by the European Commission (“Third Countries”).  We now know that is not the case.  Companies must be prepared to provide evidence that they have assessed the risks involved with a particular transferee country and, if they continue to use SCCs, they must be able to justify this decision.  A written record of this decision is advisable, in line with the GDPR’s accountability principle.  At the same time, an assessment of any opportunities to reduce the risks involved by anonymizing and/or localizing data where possible is also well worth considering.

Perhaps the hardest part of the analysis of the Third Country legal regime is that it will include an assessment of the rule of law, respect for human rights and fundamental freedoms, relevant legislation including concerning public security, defence, national security and criminal law, and the access of public authorities to personal data.  It will also need to address whether there are effective and enforceable data subject rights and effective administrative and judicial redress for the individuals whose personal data is transferred.  In short, if done from scratch, it will be a significant undertaking.  In time, a “market” approach is likely to develop where transfers to certain jurisdictions are generally accepted as requiring additional safeguards and the FAQs suggest that the DPAs and the EDPB will play a key role to ensure consistency across the EU.

  1. There is a lack of clarity on what additional safeguards may be sufficient, but additional use of encryption currently appears to be the best bet: It is regrettable that the EDPB did not offer examples of appropriate additional safeguards in the FAQs.  Given that the parties to SCCs will not be able to avoid the application of national laws through additional contractual provisions, the focus is likely to be on requiring specific technological measures which protect personal data, such as end to end encryption. 

Notably, some cloud providers are providing services that offer not only encryption at rest and in transit, but also when in use.  These sorts of measures might assist companies wishing to justify cross-border transfers based on the SCCs in the future.  That said, every data transfer has its own risk profile and the risk of public authority access to the data may be different with regard to the exposure to intelligence services, the industry, or the type of personal data.  These may therefore emerge as other differentiators when companies assess whether they can rely on the SCCs or not for a particular transfer.

  1. DPAs may take independent action: The DPAs can suspend or prohibit data transfers made on an unlawful basis, or issue fines.  Under the terms of the SCCs, if either the data exporter or the data importer cannot comply with its contractual obligations the exporter is obliged to suspend the transfer or terminate the SCCs.  If, however, the exporter intends in these circumstances to continue transferring data the FAQs stress that the EDPB expects the exporter to notify its competent DPA.  How actively DPAs will intervene in these situations remains to be seen. 
  2. The SCCs are in the process of being modernized: The European Commission indicated in its June 2020 report on the evaluation and review of the GDPR that it is working on a comprehensive modernization of the currently available sets of SCCs to update them in light of the GDPR’s requirements and to better reflect the realities of processing operations.  The Commission confirmed in its reaction to the Schrems II decision that this work is advanced and that it is working with the EDPB and the EU Member States to have a formal approval to modernize the SCCs as soon as possible.  We expect that the UK will do the same for its as yet unpublished UK SCCs once the EU’s revised SCCs become available. 
  3. Controllers are also responsible for data transfers of processors: The EDPB reminded companies in the FAQs that the controller remains responsible for its processors, such as cloud service providers.  If the processor transfers data to Third Countries and cannot meet the GDPR’s requirements, the controller is required to negotiate an amendment to its agreement with the processor to forbid such data transfers and ensure that data processing occurs in jurisdictions with a level of data protection essentially equivalent to the European standard.  We recommend a review of all processor agreements to verify compliance, and also to identify any processors who were previously relying on the Privacy Shield.  For the time being though, we note that many of the major cloud service providers have represented that they continue to view SCCs as valid for cross-border transfers of data to the U.S. 
  4. Some DPAs expect data transferred on the basis of Privacy Shield to be returned: One significant point of divergence between DPAs surrounds what to do with data previously transferred on the basis of the Privacy Shield.  The Berlin DPA (PDF: 218.74 KB) has taken the stance that data controllers falling under its jurisdiction should repatriate that data to the EU in light of the CJEU’s decision.  The Berlin DPA and made strong overtures towards data localization in the EU.  While most DPAs have not yet taken the same approach (at least publicly), companies may want to consider carefully which DPAs are most relevant for their operations and familiarize themselves with their specific guidance.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.