29 January 2021
Until July 2020, thousands of businesses across European nations and the United States of America regularly transferred data amongst themselves. The Privacy Shield Agreement governed those data transfers.
However, that framework for data transfers was invalidated by the Court of Justice of the European Union (CJEU). The case has come to be known as Schrems II. In those proceedings, the court was also compelled to examine standard contractual clauses (SCCs), which are mechanisms for data transfers between the EU and the United States.
Since then, organizations on both sides of the Atlantic have been left in a sort of legal limbo in regards to the transfer of personal data internationally. The implications are dire as the Schrems II case could entail consequences for businesses that go far beyond the penalties already outlined by the EU's General Data Protection Regulation (GDPR).
With that in mind, let's take a hard look at Schrems II and why it matters. We'll also go over why data transfer risk assessments are now necessary, provide some suggestions as to SCCs modifications, and what companies (especially in the U.S.) may be required to do to bring themselves into compliance with the CJEU's ruling.
It's crucial for American businesses to understand that Privacy Shield is no longer in effect.
Until July 2020, over 5,000 U.S.-based organizations took part in Privacy Shield. Thousands of EU organizations also depended upon Privacy Shield when transferring personal information to their American counterparts.
Virtually overnight, however, the criteria for lawful data transfers lost all certainty, as the CJEU's ruling formed the basis of the Irish Data Protection Commissioner's (DPC) directive that Facebook Ireland Ltd. cease data transfers from the EU to the U.S., as reported in the Wall Street Journal headline below:
For those who don't know, Schrems II is the sequel to a case that came about when Max Schrems filed a complaint against Facebook with the Irish data protection authorities (DPAs). In his complaint, Schrems argued that Facebook had allowed the United States government access to his personal information, which was contrary to the EU's data protection laws.
In Schrems II, the challenge was directed at data transfers carried out on the basis of the EU Standard Contractual Clauses (SCCs), since SCCs had become the alternative mechanism Facebook chose to rely on to legitimize its EU to U.S. data flows.
Ultimately, the CJEU's ruling did not invalidate SCCs for transfers to data processors. However, organizations must evaluate whether these SCCs provide enough protection considering the fact that public authorities and the legal systems in third countries may gain access to any transferred information. That's where data transfer risk assessments may need to come into play.
For companies like Facebook, whose business is built on selling advertising space that in turn depends on user data, the CJEU's decision could be a significant setback to business activities. Indeed, that fact seems to have been lost on many organizations busy preparing to comply with the GDPR and other data privacy regulations.
Messing up and failing to bring your company in line with the GDPR can result in steep monetary penalties. However, if you ignore the Schrems II ruling, when it comes to the transfer of private information, regulators could completely prevent your business from exporting any data you've gathered within the EU.
Schrems II made clear that, unless there are significant changes to surveillance laws in the United States, a decision will sooner or later be made to restrict continuous data flows to the United States. Tech companies like Facebook (and any others that profit from user data) must therefore start working on a contingency plan that takes possible restrictions into account.
Consider the following:
For the moment, companies like Facebook Ireland Ltd. are relying on SCCs or Binding Corporate Rules (BCRs) to transfer personal, private information outside the geographic borders of EU member states. Following Schrems II, these organizations must now evaluate whether laws in destination countries ensure sufficient protection for the transferred data.
If these organizations discover that there isn't the same level of protection as guaranteed by the laws of the EU, they must implement additional measures that will, for all intents and purposes, provide that level of protection.
As noted above, Schrems II focused heavily on concerns over access to data under American government surveillance practices for national security purposes, and on the associated rights and remedies available to individuals.
Now, in essence, companies must conduct data transfer risk assessments if they wish to transfer information from a nation within the European Economic Area (EEA) to a destination in a country outside it.
In that risk assessment, companies need to evaluate whether the data protection regulations in each country are adequate as well as whether BCRs or SCCs (or any other mechanisms) remain sufficient.
Binding corporate rules apply to the transfer of data within one legal entity or group of entities. However, they don't apply to the transfer of data between unaffiliated entities. BCRs don't necessarily protect companies against the interference of government agencies within the destination country, so companies might have to put additional data safeguards in place depending on the country involved.
On the other hand, SCCs are done per contract. Any time an agreement is entered into by a company to transfer data to another organization, it has to fill out an SCC as well as the adjoining annex. The annex to the SCC goes over the information these organizations will send to each other.
The issue that arises with many SCCs is that companies don't actually read the entire contract. Moreover, the annexes are rarely filled out. If the latter doesn't happen, both organizations are non-compliant.
Besides the above, after the Schrems II ruling, companies now have to prepare and fill out yet another annex. This annex must specify exactly which extra safeguards of a technical, legal and operational nature the company will put in place to protect data against potential government interference.
Additionally, these safeguards might also depend on the nature and volume of the information. However, specific regulator guidance on this issue hasn't been provided yet.
In a perfect world, the European Data Protection Board (EDPB) would evaluate the economies most relevant to international data transfers and then suggest which safeguards are most advisable to ensure safe transfers.
Since those recommendations haven't been published, it's up to the privacy industry to come up with mechanisms for safe, legitimate data transfers that ensure some kind of standardization. The reason is that it will be practically impossible for organizations without sufficient resources to assess the data laws of every country to which data might be sent.
Until such standardization exists, companies may be able to help prepare themselves for any final decision by doing the following:
Baden-Württemberg's data protection authority published guidance on the international transfer of personal information.
The guidance is the first thorough attempt by a European privacy supervisor to indicate how the Schrems II decision may be enforced. A checklist for Schrems II compliance is included, as well as suggestions for changing the SCCs to allow companies to document their intention to fully comply with the law.
There are two main sections within the guidance for organizations with operations that are cross-border. These sections shed light on what the DPA considers "additional measures," which companies can take to support transfers of personal information from the EU to the United States:
The DPA offers examples of additional guarantees that might be considered adequate.
The guidance includes the first Schrems II checklist for organizations released by an EU supervisory authority. A brief overview of the checklist, which the DPA expects organizations to follow "immediately," is provided below.
Make a determination as to whether SCCs that have additional guarantees may be used to transfer personal data to a third country
According to the DPA, this determination ought to focus specifically on "whether you can relatively avoid access by others" to the transferred data. This could possibly be accomplished through:
In addition, companies should alter the SCCs "to document and demonstrate your intent to act in accordance with the law."
According to the Guidance, the GDPR's Article 49 exemptions are a "conceivable" foundation for data transfers if SCCs aren't available. However, they will still be interpreted "restrictively."
Nevertheless, the DPA stipulates that the GDPR's Article 49 exemptions "can in particular be considered for data transfers within a corporate group" or "within one-to-one contractual relationships" if the "restrictive character of [Article 49] does not stand in the way of the transfer."
The guidance suggests that the DPA will enforce its recommendations by identifying providers that have "transfer problems." The DPA will then discuss with local organizations why they are using those providers. If the local company is unable to persuade the DPA that the provider is "irreplaceable in the short- and medium-term by a provider without transfer problems," the DPA will forbid any further data transfers to that provider.
Therefore, larger providers might want to think about materials that would help customers show aspects of services that are irreplaceable, or that provide evidence of a "lack of transfer problems."
The bottom line is that following the Schrems II ruling, if your company wishes to transfer data from a business in the European Economic Area, you must now conduct a data transfer risk assessment. It would be wise to pay close attention to the Guidance provided by the German DPA on this issue and act according to the checklist provided.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.