On 16 July 2020, the European Court of Justice (“ECJ”) delivered its long-awaited judgement in the Schrems II case. The ECJ declared that Privacy Shield – a key mechanism for transfers of personal data from the EU to the US – was invalid.
In addition, the Court considered the validity of Standard Contractual Clauses (“SCCs”), which are also broadly used for international transfers. The ECJ found that, while SCCs remain valid, organisations must ensure that the use of SCCs is sufficient to comply with the required level of data protection under EU law.
Organisations that previously relied on Privacy Shield must now have an alternative transfer mechanism in place to justify transfers of personal data to the US. Further, the use of SCCs is now subject to higher scrutiny: companies exporting data outside of the EU (“data exporters”) must assess the relevant foreign legislation and the contractual clauses to determine whether the recipients of the data in a third country (“data importers”) are able to provide a sufficient level of protection for the transferred data. The judgement has sparked debate about the future of transatlantic data transfers and the global economy, as it invalidates many companies’ existing data processing and outsourcing practices.
International transfers under examination
The judgement boils down to the validity of international transfers of personal data to the US and other third countries, which are subject to strict conditions under the EU’s General Data Protection Regulation (“GDPR”). Such transfers must satisfy one of the transfer bases in the GDPR, which include adequacy decisions by the European Commission (e.g. Privacy Shield, now invalidated by the ECJ in Schrems II) and the use of SCCs, i.e. standard contract clauses prepared by the European Commission that come into play in the absence of an adequacy decision. A transfer is not limited to actively sending data: granting a recipient located outside of the EU access to personal data (for example remote administration or support access) is also a transfer. Therefore, any organisation involved in the following example activities should be aware of the current requirements surrounding international transfers:
- A company stores data on servers located outside of the EU;
- A company adopts a computing solution where the service provider or its subcontractor transfers data beyond the EU for storage or maintenance purposes;
- A company procures an HR system including 24/7 support, which may thereby require giving access to data to customer support agents outside of the EU from time to time;
- Organisations in and outside of the EU carry out a cooperation project and set up a shared platform for project and document management purposes; or
- Data is transferred within an international corporate group to group companies outside of the EU.
The Schrems saga continues
The Schrems II judgement is merely the latest chapter in the ‘Schrems saga’ – and probably not the final one. Max Schrems, an Austrian privacy activist, originally filed a complaint against Facebook Ireland in 2013 to prohibit the transfers of his personal data by the company to the US. His complaint was essentially based on the argument that the law and practices in the US did not offer adequate protection against access to personal data by public authorities, notably US intelligence agencies. The matter was eventually referred to the ECJ, which, in 2015, invalidated Safe Harbour, the previous framework for data transfers from the EU to the US (Schrems I).
However, as Facebook Ireland still carried out data transfers to the US relying on alternative transfer schemes, Mr Schrems reformulated his complaint and requested the suspension or prohibition of transfers of his personal data by Facebook Ireland to the US. As a result, the matter was again referred to the ECJ, this time to rule on the validity of SCCs as well as Privacy Shield, i.e., the framework adopted following the invalidation of Safe Harbour (Schrems II).
Privacy Shield invalidated
The ECJ found that US laws governing the access to and use of data by US public authorities meant that a sufficient level of protection was not guaranteed for data transferred to the US under the Privacy Shield framework. In particular, the ECJ considered that requirements under EU law, such as the principle of proportionality, were not met since surveillance programmes in the US are not limited to what is strictly necessary. The court also held that the Ombudsperson mechanism within the Privacy Shield framework did not provide sufficient means of legal redress. On those grounds, the court invalidated the decision underlying Privacy Shield.
Reliance on SCCs subjected to higher scrutiny – ripple effects for other mechanisms
Although the ECJ found that the use of SCCs continues to be a valid transfer mechanism as such, companies can no longer assume that the use of SCCs alone will justify international data transfers. The court underlined that companies must carry out thorough assessments and take the necessary action to verify that personal data transferred pursuant to SCCs are afforded a level of protection essentially equivalent to that guaranteed in the EU. The extent of this due diligence obligation outlined by the ECJ is bound to make international transfers more burdensome, as companies transferring data are now expected to fulfil the following requirements on an ongoing basis:
- An assessment of whether adequate protection is guaranteed for the data transferred pursuant to SCCs taking into consideration the contractual terms between the data exporter and data importer as well as the legislation of the concerned third country, especially concerning access to data by public authorities.
- If the SCCs alone cannot be deemed to ensure adequate protection of transferred data, additional safeguards must be provided to guarantee such protection. Where appropriate, this assessment should be carried out in collaboration with the data importer.
- Companies must suspend or end their international transfers if they are unable to ensure adequate protection for the personal data.
- Under the SCCs, the data importer must inform the data exporter of any inability to comply with the SCCs and, in particular, if it finds that local laws have changed so that compliance with the SCCs is no longer possible. In such cases, the data exporter should also suspend or end the data transfers.
- The data exporter must inform the competent data protection authority (“DPA”) if it intends to keep transferring data despite the conclusion that adequate protection would not be ensured.
Currently, major business partners such as China, India, Brazil and now the US lack an adequacy decision by the European Commission, meaning that transfers to these countries mainly have to rely on the use of SCCs, subject to the onerous due diligence obligations described above. It has been pointed out that reliable information on certain third countries’ legal regimes and practices may be very difficult to obtain, which makes the data exporter’s assessment obligation an arduous task.
Further, although the Schrems II judgement concerns the validity of the SCCs applicable to controller-to-processor transfers, it will also affect other transfer mechanisms not explicitly covered by the judgement. For example, binding corporate rules are an alternative transfer mechanism under the GDPR to which the Schrems II requirements on ensuring adequate protection should now also be applied, as confirmed by the European Data Protection Board (“EDPB”). The court’s reasoning is likely to affect the use of SCCs for controller-to-controller transfers as well.
The big question: How to assess adequate protection and adopt additional safeguards for SCCs in practice?
At this stage, all data protection specialists are familiar with the key requirements identified in Schrems II concerning the use of SCCs: assessment of the level of protection of the data and adoption of additional safeguards as necessary. However, few are confident about what these requirements mean in practice.
As mentioned, it may be difficult to obtain reliable information on local privacy laws and practices in order to assess the level of protection for transferred data in a third country. One could argue that this may require obtaining costly legal reviews from counsel in the relevant third countries. As a starting point, adopting data transfer policies and conducting privacy impact assessments for transfers would mitigate the risks relating to the use of SCCs post-Schrems II. In this context, collaboration with the data importer would be beneficial, as a data importer could, for example, describe its previous or potential future exposure to data access requests by public authorities.
Similarly, there has been considerable discussion of the additional safeguards, which the ECJ required but did not elaborate on. The Schrems II judgement and the current related guidance from the EDPB fall short of providing concrete examples of what could be considered sufficient additional safeguards. However, the following have been suggested as viable options:
- Contractual safeguards: The protection provided by the SCCs can be supplemented by additional provisions, undertakings and warranties agreed between the data exporter and the data importer. For example, the data importer could undertake to notify the data exporter immediately of any request by a public authority to access data. Outsourcing agreements have typically already contained similar provisions on ‘authority request processes’. Following Schrems II, it is important that such requirements are actually applied by data importers and are backed by sufficient liabilities – the judgement makes clear that a mere ‘paper exercise’ is no longer sufficient.
- Technical safeguards: Data exporters can assess whether further encryption, pseudonymisation or minimisation of the transferred data is feasible, so that the data the importer receives (and any public authority that may obtain access to it) is of limited use without keys or linking information retained in the EU.
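The technical safeguards listed above are easy to name and harder to apply. As an added illustration (not code from the original article, and not a statement of what any authority considers sufficient), the following Python shows the mechanics of minimising a record to the fields the importer actually needs and replacing direct identifiers with keyed pseudonyms. It assumes a hypothetical support ticket record, a constructed field list, and a pseudonymisation key that is generated and held only by the data exporter inside the EU; whether such measures amount to adequate additional safeguards for a particular transfer remains a legal assessment.

```python
"""Minimise and pseudonymise a record before it leaves the EU.

Added example, not from the original article. Assumptions:
- the HMAC key is generated and kept by the data exporter in the EU and is
  never shared with the data importer, so the importer cannot reverse or
  re-compute the pseudonyms;
- the importer only needs EXPORT_FIELDS for its stated purpose.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Any, Dict, Iterable

# Fields the importer needs for its purpose (constructed for this example).
EXPORT_FIELDS = ("ticket_id", "issue_category", "created_at")
# Direct identifiers that must stay linkable but must not leave the EU in clear.
PSEUDONYMISE_FIELDS = ("customer_id", "email")

# Constructed sample record as a hypothetical HR/support system might hold it.
SAMPLE_RECORD: Dict[str, Any] = {
    "ticket_id": "T-10457",
    "issue_category": "login",
    "created_at": "2020-07-16T09:12:00Z",
    "customer_id": "C-8812",
    "email": "max@example.org",
    "home_address": "Examplegasse 1, Vienna",   # not needed by the importer
    "free_text": "Customer mentioned medical leave",  # not needed either
}


def generate_exporter_key() -> bytes:
    """Secret held only by the exporter; without it, pseudonyms cannot be re-linked."""
    return secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes, purpose: str) -> str:
    """Keyed hash of an identifier.

    A plain SHA-256 of an email would be trivially reversible by dictionary
    attack; HMAC with an EU-held key is not. The purpose label is mixed in so
    that pseudonyms issued for different transfers cannot be cross-linked.
    """
    msg = purpose.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def prepare_for_export(record: Dict[str, Any], key: bytes, purpose: str) -> Dict[str, Any]:
    """Return only the fields the importer needs, with identifiers pseudonymised."""
    out = {f: record[f] for f in EXPORT_FIELDS if f in record}
    for f in PSEUDONYMISE_FIELDS:
        if f in record:
            out[f] = pseudonymise(str(record[f]), key, purpose)
    return out  # everything else (address, free text) is simply not exported


def build_lookup(records: Iterable[Dict[str, Any]], key: bytes, purpose: str) -> Dict[str, str]:
    """Re-identification table that stays in the EU: pseudonym -> customer_id."""
    return {pseudonymise(str(r["customer_id"]), key, purpose): r["customer_id"] for r in records}


if __name__ == "__main__":
    k = generate_exporter_key()
    exported = prepare_for_export(SAMPLE_RECORD, k, "support-2020")
    print("sent to importer:", exported)
    print("kept in EU:", build_lookup([SAMPLE_RECORD], k, "support-2020"))
```

The exported record still lets the importer open and work the ticket, and the exporter can re-link a pseudonym to a customer through the lookup table, but the importer alone cannot; the key and the table are the parts that must not travel.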
With many questions surrounding the practical implications of the judgement, many companies exporting data are waiting for further guidance from DPAs and legislators on how to proceed in the new environment for international transfers. The judgement grants no grace period for adjusting to the newly identified requirements, meaning that, in principle, DPAs could take swift action against companies still using transfer practices that predate the judgement. However, we estimate that many national DPAs are also waiting for uniform guidance at EU level and will adopt a proportionate response to existing transfer practices. Ultimately, companies should be proactive in responding to the judgement and undertake documented evaluations of their existing practices. Although the situation is unclear, doing nothing is a risky option.
The following step plan offers a framework for responding to Schrems II and the changing landscape of international transfers of data. Accordingly, companies should take steps to:
- Identify service agreements, data processing agreements or other agreements entailing or allowing transfers of data outside of the EU, including access to data;
- Where service providers or other processors of personal data may transfer data outside of the EU, verify who is responsible for ensuring the lawfulness of such transfers and whether the controller has the right to suspend transfers under the relevant data processing terms;
- Engage with relevant service providers and data processors to enquire what measures they have taken to respond to the judgement and to ensure the lawfulness of international transfers going forward – some service providers may have issued statements, for example on their website, concerning the judgement;
- Wherever data processing agreements or other agreements or documentation, including privacy notices, still refer to Privacy Shield, replace such statements with references to other applicable transfer mechanisms;
- Where transfers have relied on Privacy Shield, collaborate with service providers or other relevant partners to put SCCs in place (unless a more suitable mechanism applies);
- Where companies continue using SCCs or will newly adopt SCCs, evaluate the level of protection for transferred data and the need to adopt appropriate additional safeguards following further authority guidance; and
- Document everything – especially relevant internal assessments and correspondence with service providers and other partners.
A company initiating new international transfers after Schrems II, for example by procuring a new computing solution, should be particularly careful in evaluating compliance with the requirements identified in the judgement. As the future of transfer mechanisms is currently highly uncertain, a viable method of risk control is to consider carefully whether the data could instead be kept within the EU. As it now stands, it is difficult to identify a valid mechanism for transferring data lawfully to the US, and similar concerns apply to certain other third countries as well.
The (im)practical implications of the judgement
Schrems II has met a mixed response. While commended for supporting the core values of the European protection of personal data, many contend that the judgement is inherently at odds with the realities of transatlantic commercial relations and the infrastructure of modern computing solutions.
For European companies, it is unfortunate that the conclusions of the judgement were as stringent as they were. Instead of identifying a need to update the Privacy Shield framework, the court categorically invalidated it with no grace period. Many have called for more helpful authority guidance to assist companies in responding to the interpretations adopted in the judgement. While the EDPB stated that it would play a constructive part in securing transatlantic transfers, it has thus far issued a frequently asked questions document containing little practical guidance and has created a task force to prepare recommendations to assist companies in meeting their ‘Schrems II duties’. The first recommendations of the task force are eagerly awaited.
In any case, a common European approach, including harmonised guidelines from national DPAs, is welcome in order to ensure uniform interpretation and application of EU law. So far, several DPAs have published statements on the implications of the judgement, and their approaches are rather diverse, raising more questions than they answer about the current state of affairs. While some DPAs – including the Finnish DPA – have remained all but silent on practical next steps, DPAs in, for example, Berlin and Ireland have taken a stricter stance by initiating suspensions of data transfers to the US.
The striking feature of the judgement is that a considerable burden is placed on controllers exporting data – in many cases ordinary companies using standard computing solutions and digital services or engaging in international commercial relations. For many of them, the requirement to assess and verify the level of protection for transferred data will be highly challenging. Many have noted that a similar assessment poses a considerable and time-consuming challenge even for the European Commission when preparing adequacy decisions, let alone for individual companies transferring data. Given the potential impact on transatlantic commercial relations, it can be argued that the issues underlying Schrems II should be resolved through a political and administrative process rather than within the internal compliance processes of each European company transferring data outside of the EU. Fortunately, preparations for a successor to Privacy Shield as well as updated SCCs are under way. Until then, the landscape for international transfers remains laden with uncertainty, and the relevant stakeholders will have to keep a close eye on developments.