Schrems II – what next for data transfers?

How did we get here?

Remember Safe Harbor? This was a mechanism which legitimised personal data transfers from the EEA to the US under the Data Protection Directive 1995. It was struck down by the CJEU in 2015 in what became known as the Schrems decision. The decision came as a shock, particularly because it went against the earlier Advocate General's decision. Businesses scrambled to find an alternative transfer mechanism during the hurriedly announced enforcement holiday, most of them turning to Standard Contractual Clauses (SCCs). In the meantime, the EC was busy negotiating a partial adequacy agreement with the US, adopted in July 2016, which set up the Privacy Shield.

The Privacy Shield was controversial from the outset with the EC seemingly hoping to improve it during the annual review process, but privacy campaigner Max Schrems did not, as might have been expected, set out to challenge it. His reformulated complaint submitted to the Irish Data Protection Commissioner, was based around the powers of the regulator to intervene to prevent personal data flowing from Facebook Ireland to Facebook Inc. under their SCCs. How this became a case which culminated in the CJEU striking down the Privacy Shield is somewhat tortuous and you can read more about it here.

We breathed a collective sigh of relief when the Advocate General upheld the use of SCCs and did not consider the validity of the Privacy Shield adequacy decision, but that turned out to be premature. In the so-called Schrems II decision, the CJEU went on to invalidate the Privacy Shield. It also cast serious doubt over the use of SCCs (and by extension all export mechanisms) for data transfers to the USA and, potentially other third countries which do not offer equivalent levels of protection to that in the EEA in terms of access to personal data by intelligence agencies.

What happened in Schrems II?

The CJEU was asked to consider 11 questions but boiled them down into consideration of whether data transfers to the US under SCCs and under the Privacy Shield, afford EU citizens protection which is essentially equivalent to that in the EU under the GDPR, read in light of the EU Charter of Fundamental Rights.

The CJEU said that the Privacy Shield adequacy decision was invalid because it failed to protect EU personal data from unnecessary and disproportionate access by US intelligence agencies. While it upheld the adequacy decision on SCCs as a data export mechanism, the same issues regarding access by intelligence authorities in the US apply to transfers made from the EEA to the US under them.

Going forward, the CJEU placed the onus on data exporters and importers to decide whether the data transferred to third countries under SCCs is adequately protected and to use enhanced protections if needed. If they do not, transfers may be open to challenge and to action by supervisory authorities (SAs) which can prohibit the transfers on a case by case basis.

What does this mean for you?

The CJEU's decision effectively put an immediate end to lawful transfers of personal data under the Privacy Shield.

Although SCCs remain a valid transfer mechanism, exporters and importers are now required to make their own assessment as to whether data is adequately protected in all third countries for which they use SCCs, and put supplementary measures in place if they think the data is at risk. Failure to do so could lead to the suspension of the transfer by the SA, and, potentially, to sanctions.

What does this mean in the context of Brexit?

For businesses concerned about the impact of Brexit on data transfers from the EEA to the UK, the outcome of the CJEU decision is positive as SCCs remain valid. In the absence of an adequacy decision for the UK from 1 January 2021, SCCs look to be a good solution for those seeking to import personal data from the EU, at least as long as the EC or individual SAs do not take issue with access to EU data by UK intelligence and law enforcement agencies. See our article for more on Brexit and data transfers.

What next?

The CJEU decision took effect immediately without an enforcement holiday. The Irish Data Protection Commissioner has ordered Facebook Ireland to suspend data transfers to the US although Facebook is appealing and the legal process rumbles on.

In practical terms, the situation is far from clear. Regarding EEA-US transfers, the EDPB and US Department of Commerce have started talks on a possible enhanced privacy shield. This is all very well but it's hard to see any meaningful solution to the issue of transferring EEA data to the US unless the US changes its own law – something particularly unlikely under the current regime and in the run up to an election.  The US government has published a white paper dealing with the impact of Schrems II and its effect on SCCs. It argues that the vast majority of EEA data is of no interest to the US intelligence agencies and that data obtained under FISA is regularly shared with the EEA. It goes on to outline protections that do exist. It is unlikely to prove persuasive though given the views of the CJEU – Max Schrems, although far from neutral, called it "laughable".

In the meantime, the EDPB has promised revised SCCs by the end of the year which we expect to include examples of enhanced protections.

We've had some indication as to what enhanced SCCs might look like from the reactions of SAs, notably the regulator for Baden-Württemberg in Germany who has gone so far as to put out guidance. Anonymisation, pseudonymisation where only the exporter can re-identify the data, and encryption are all suggestions which come up repeatedly. And of course, the other solution – don't export the data but localise it in the EEA or countries with adequacy decisions.

Making matters more complicated is the issue that using SCCs for any third country (whether or not they include enhanced provisions) now involves the importer and exporter in a decision making process which requires them to: have an understanding of the kind of access to the data which intelligence and law enforcement agencies in that country may have; compare it to EU standards; decide what, if any, enhanced provisions need to be included in SCCs; and to work out whether or not they then afford the data sufficient protection to allow the export to go ahead.

What we really need is clear, EU-level guidance about which enhanced provisions under SCCs will address issues in particular countries, and which countries are 'unfixable' or potentially blacklisted. That is unlikely to happen soon if indeed at all. It would also help if adequacy decisions were made more quickly and transparently as the process is currently long and drawn out.

On the upside, the GDPR has acted as a standard-bearer for data protection and we are seeing other countries implement GDPR-style laws which may make a path to adequacy easier to forge. The UK's position outside the EU may also make it easier for it to grant its own adequacy decisions although that could, in turn, make it harder for the EU to grant the UK adequacy if it becomes concerned about onward transfers.

What should you do now?

In the absence of further clarity, there are things businesses can do to minimise potential exposure, if little they can do to eliminate it.

Those relying on the Privacy Shield must act immediately (if they haven't already), to begin transferring personal data on an alternative basis, or stop transferring the data to the USA. This will involve mapping data flows, understanding what data is transferred to the US and why, and under what transfer mechanisms.

Those relying on SCCs for data transfers to any third country should undertake a similar review process. They should try and understand what sort of access intelligence authorities may have to the data. This information may not be readily available for many countries, but it is established in the case of the USA so it would include understanding whether the data is accessible under FISA and PRISM.

Exporters should also consider what they can do to ensure their importers are adhering to SCCs, and whether they can take further steps to minimise the amount of data being transferred or to anonymise, pseudonymise or encrypt it. The entire process should be carefully documented.

For the impact on BCRs, see here.

Even though the only completely risk-free solution is to keep personal data in the EEA or transfer it only to countries with adequacy decisions, a more practical approach is to adhere to a thorough and regularly reviewed GDPR compliance plan until there is more concrete guidance from regulators and legislators.