Schrems II – what next for data transfers?
The ruling of the Court of Justice of the European Union in the “Schrems II” case saw the demise of the US-EU Privacy Shield on 16 July 2020. The CJEU held that the Privacy Shield did not offer sufficient protection to EU citizens and so was, with immediate effect, an unlawful basis for the transfer of personal data from the EU to the USA.
The CJEU commented that the European Commission’s standard contractual clauses (SCCs) would remain valid “in principle”, but re-emphasised the importance of carrying out comprehensive pre-contractual due diligence, as well as ongoing monitoring of each data importer’s compliance with the legal regime in the destination country.
Since then, there have been discussions between the European Commission and the US Department of Commerce to evaluate the potential for an enhanced EU-US privacy protection framework.
Yet Didier Reynders, the EU Justice Commissioner, told a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 3 September 2020 that there is “no quick fix” on a revised data transfer deal between the EU and US. That is due to the political nature of the issue, as well as the fact that US legislation will need reforming to bridge the divide between US and EU data protection laws.
Mr Reynders also confirmed that work has begun on modernising the SCCs in light of the CJEU’s finding that these are currently valid, but cannot be relied on unquestioningly to legitimise transfers of personal data to non-EU jurisdictions.
A Joint Press Statement from Didier Reynders and US Secretary of Commerce Wilbur Ross, released on 10 August 2020, confirmed that the Commission and the DoC have started work on an “enhanced” Privacy Shield to comply with Schrems II. It noted that both sides “recognise the vital importance of data protection and the significance of cross-border data transfers to our citizens and economies”. Both avowed “a commitment to privacy … and further deepening of our economic relationship”.
Unfortunately, but inevitably, as Mr Reynders told the LIBE meeting, while there are fewer areas of disagreement than there were when the Privacy Shield was first adopted, this will take time, given the complexity of the issue and the EU’s desire for legislative changes to US surveillance laws, specifically section 702 of the Foreign Intelligence Surveillance Act, which permits the National Security Agency to collect foreign intelligence belonging to non-US individuals located outside the USA.
As for the SCCs, while Schrems II made clear that those cannot be used unquestioningly, exactly what that meant in practical terms was less clear. Mr Reynders stressed that “it’s not just possible to use SCCs without any changes”, and that the Commission is intending to “modernise” the clauses before the end of the year.
So where does that leave us in the meantime? In particular, where does it leave data controllers like Facebook – or indeed smaller organisations – that routinely transfer large amounts of personal data to the USA or other ex-EEA destinations?
In the first instance, it will be important for organisations to carry out an internal audit to ascertain what types of personal data are being transferred outside the EEA and on what basis. In particular, it will be necessary to identify higher-risk data transfers that: (a) have relied on the Privacy Shield; or (b) still rely on the SCCs (especially to US importers). Organisations that have relied on the Privacy Shield should certainly look to switch immediately to an alternative method of transfer, if they have not done so already.
The SCCs still seem to be the most practical option for the time being, despite the misgivings expressed by the CJEU. Yet it is equally clear that reliance on the SCCs is not, in itself, a complete solution for sending data to the USA. The Schrems II ruling suggests that further practical measures should be taken alongside the use of the SCCs to try to support the validity of using them. In particular, for transfers to the USA, that might require imposing additional safeguards on an operational level. We do not have official guidance on those as yet, but it seems likely that those could include:
- conducting suitable pre-contractual due diligence on the lawfulness of the importer’s privacy practices and continuing to monitor that on periodic basis;
- requiring enhanced contractual protections under any data transfer agreement concluded alongside SCCs, such as increased oversight over the importer, e.g. so that the exporter can check that the importer has suitably robust procedures for challenging requests from law‑enforcement authorities;
- restricting the types and quantities of data transferred to the destination to a workable minimum;
- ceasing the relevant processing that requires the transfer in the first place, if feasible;
- moving certain processing activities to a processor based in another country with more adequate data protection laws, if feasible; and/or
- encrypting the data transferred to the USA using suitably robust methods of encryption.
Businesses could also explore other ways to legitimise transfers to the USA or other third countries. Given that binding corporate rules are difficult to put in place and could take between six and 24 months to get approved, this might mean having to obtain consent from data subjects where practicable (and to honour any withdrawal of that consent) and/or reconsidering the scope for reliance, where feasible, on exemptions from the general rule against ex-EEA data transfers.
Ultimately, it seems likely that some form of combination of the measures considered above may be appropriate, and it will be a question of fact in each case what form those supporting steps should take.
Risk of enforcement
In the meantime, it would be unsafe to assume that supervisory authorities will not seek to enforce Schrems II until the position becomes clearer: Max Schrems is doing his best to put pressure on national regulators. According to Schrems’ digital rights outfit, “noyb”, complaints have been filed against Google and Facebook and against 101 European companies (in 30 Member States), which noyb says are ignoring the ruling and continuing to forward data about website visitors to Google and Facebook (101 Complaints on EU-US transfers filed, noyb.eu, 17 August 2020).
Either way, there is still a good deal of unhelpful uncertainty in this area, and there is a clear need for more detailed official guidance from the European Commission so that organisations can be more confident that their data transfers will be GDPR-compliant. For now, it seems to be a question of prescribing some self-help remedies.