EU: Practical steps post-Schrems II - Reconciling theory with reality
For many multinational companies attempting to navigate the challenges created by the COVID-19 ('Coronavirus') pandemic, the recent judgment on data transfers from the Court of Justice of the European Union ('CJEU') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) ('the Schrems II Case') has added fuel to the fire and made business-as-usual seem like an even more distant notion. Claire François, Counsel at Hunton Andrews Kurth LLP, breaks down the theoretical aspects of the CJEU's decision before outlining some practical strategies that companies can adopt, both in the short and the long term, to meet the demands the judgment presents.
Just as the Coronavirus pandemic creates the greatest economic uncertainty in decades, the CJEU's decision of 16 July 2020 in the Schrems II Case has added even further uncertainty with regard to transfers of personal data from the EU to the US and other countries[1]. The CJEU did not just invalidate the second most used data transfer mechanism but also significantly raised the standards of protection for personal data transferred pursuant to the most common mechanism, the Standard Contractual Clauses ('SCC')[2]. Companies are now faced with the considerable challenge of reconciling the theoretical aspects of the CJEU's judgment with business reality at a time when they lack resources due to the current health crisis.
The theory: Schrems II high data protection standard
The CJEU's decision
Much has been written on the CJEU's decision in relation to the EU-US Privacy Shield Framework ('the Privacy Shield') and the Commission's SCC. Suffice it to say that the CJEU did not simply invalidate the Privacy Shield and confirm the validity of the SCC. The CJEU went far beyond its previous 2015 decision on the Safe Harbor mechanism in Maximillian Schrems v. Data Protection Commissioner (C-362/14), and required that the data exporter and the recipient of the data (i.e. the data importer) assess on a case-by-case basis, prior to any actual data transfer, the law of the destination country in order to determine whether that law allows the data importer to comply in practice with the relevant EU contractual data transfer mechanism (here, the SCC), taking into account all the circumstances of the data transfer, as well as possible additional measures that the parties could put in place. If, following this assessment, the data exporter (i.e. the controller who transfers the data) concludes that appropriate safeguards would not be ensured, the data exporter must suspend or cease the transfer of personal data to the data importer, and the data that has already been transferred to the third country, and all copies of it, must be returned or destroyed in their entirety. If, however, the data exporter intends to continue transferring the data despite this conclusion, the data exporter must notify the competent EU data protection authority ('DPA'), which must then suspend or prohibit the data transfer.
By increasing the standards of protection for the personal data transferred pursuant to SCC, the CJEU's decision makes it difficult to use SCC in practice and creates legal uncertainty for businesses: their assessment may be called into question at any time, and there is no guarantee that personal data can be validly transferred pursuant to SCC, despite all the additional measures that the parties could put in place.
Apparent consistency with the GDPR accountability obligations
The SCC were issued by the Commission under the previous EU data protection framework (Directive 95/46/EC). So far, in practice, most businesses have considered the conclusion of SCC as a mere formality or checkbox exercise: the SCC were filled in as applicable, executed, and then filed for record purposes. It was sufficient to do so to adduce adequate safeguards for the transfer of personal data to third countries. Some companies even incorporated the SCC into their data processing agreement by mere reference to them, and did not even bother annexing the SCC.
The CJEU's decision reminds everyone that implementing SCC can no longer be a mere formality. Data exporters and data importers have obligations under the SCC and must verify that these obligations can be complied with in practice. At a theoretical level, the CJEU's decision appears a logical development in light of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the increased compliance obligations it creates. The verification or assessment required by the CJEU is part of the data controller's accountability obligations under the GDPR and, as such, must be documented by the data controller/exporter.
In practice, however, the CJEU requires the parties to carry out an adequacy assessment similar to the assessment performed by the Commission for the purposes of adopting an adequacy decision under Article 45 of the GDPR: the data exporter and data importer using SCC must assess the law of the data importer (or destination country) 'as regards any access by the public authorities of that third country to the personal data transferred'[3] in order to check whether that country ensures an adequate level of protection, taking into account the factors the Commission considers when carrying out its own adequacy assessment. Apart from the fact that the Commission has so far recognised only 12 countries[4] as providing adequate protection (outside of the US via Safe Harbor and the Privacy Shield), the Commission's assessment proved to be wrong twice with regard to the US, for both of the aforementioned mechanisms, making it unclear how businesses could do a better job. That said, as EU DPAs (within the European Data Protection Board ('EDPB')) refused to grant a grace period to adjust to the CJEU's decision, businesses necessarily need to take remediation actions in the immediate, short and medium-to-long term if they wish to continue transferring personal data outside of the EU.
The reality: no perfect solution and a step-by-step strategy
SCC as an 'immediate fix'
For those businesses that have EU establishments and were relying on the Privacy Shield to transfer personal data to the US before the CJEU Decision, SCC will be the only immediately available data transfer mechanism to continue transferring the data.
The derogations under Article 49 of the GDPR referred to by the CJEU will not be a solution for most data transfers. The CJEU argued that the invalidation of the Privacy Shield does not create a legal vacuum because businesses can rely on these derogations. However, the most relevant derogations available to businesses typically include (i) the individual's explicit consent; and (ii) the 'contract' derogation. Given the high threshold for valid consent, and the fact that consent may be withdrawn at any time, this will not be a feasible solution in practice. The same conclusion applies to the 'contract' derogation: it may be used only for occasional data transfers, and only when the transfer is objectively necessary for the performance of a contract with the individual (i.e. in very limited cases).
Binding Corporate Rules ('BCRs') - the only other contractual mechanism currently used to transfer data - cannot be an immediate or feasible solution either. The preparation and implementation of BCRs can take years, and this solution is most appropriate for large corporate groups. Further, the EDPB confirmed that the CJEU's decision also applies in the context of BCRs, meaning that companies relying on BCRs must also assess the law of the destination country to determine whether the guarantees provided by the BCRs can be complied with in practice. From this perspective, BCRs are not a better solution than SCC.
Assessing the adequacy of the transfers to the US (and other countries)
Implementing a valid (contractual) data transfer mechanism is no longer sufficient. Businesses must also ensure that the law of the destination country does not prevent the data importer from complying with that mechanism.
For data transfers to the US, the data exporter and the data importer should first determine the key types of US government surveillance and intelligence-gathering mechanisms to which the data importer is subject. The CJEU focussed on Section 702 of the US Foreign Intelligence Surveillance Act of 1978 ('FISA'), which applies to data collection from 'electronic communication service providers.' However, there are other laws, and most of them are drafted broadly enough to apply to most businesses in the US. It is therefore not so much a question of whether the data importer is subject to US surveillance laws, but whether the data importer has in the past received any requests or demands from US government authorities (such as law enforcement or intelligence agencies) that may concern personal data, and how likely it is to receive such requests or demands in the future.
One way to continue transferring personal data to the US pursuant to SCC is to demonstrate that the data importer, although subject to US surveillance laws in theory, has not received any requests or demands from government authorities for personal data, and has implemented appropriate additional safeguards.
In practice, EU data exporters should send due diligence questionnaires to US importers to help them carry out the above risk assessment, and US businesses should be ready to answer those questions. Due diligence questionnaires should also be sent to non-US importers that may receive personal data pursuant to SCC, and the parties should carry out a similar assessment.
Implementing additional safeguards
The CJEU made it clear that additional safeguards will have to be implemented in most cases, without specifying what these additional safeguards could be in practice. The EDPB is currently analysing the CJEU's decision to determine the types of additional measures that could be implemented in addition to SCC, whether legal, technical, or organisational, and will issue guidance in the future. Ultimately, these additional safeguards will depend on the results of the companies' risk assessment.
Some companies are already adding additional clauses to the SCC to adduce additional legal safeguards and avoid reopening data transfer agreements in the future. That additional language may, however, have to be revised once the EDPB issues its guidance. Further, the Commission is still working on updating the SCC in light of the GDPR; the new SCC will have to be executed, and agreements will have to be reopened anyway.
Towards data localisation?
Some commentators have suggested that one way to comply with the CJEU's decision is to use EU service providers, and as a matter of fact, on 17 July 2020, the Berlin data protection authority ('Berlin Commissioner') called for data currently stored in the US to be relocated to the EU.
Firstly, in this regard, calling for data localisation totally ignores business reality. Secondly, data localisation could be a solution from an EU data protection perspective only if personal data were stored in the EU and there was no access to the data from third countries (i.e. absolutely no data transfer outside of the EU). From a practical perspective, while companies may wish to have their data stored in the EU, they may also want to receive prompt technical support (outside of EU standard business hours), which may justify access to the data from non-EU technical support locations. Thirdly, data localisation may have a cost for businesses that could be passed on to consumers. Some service providers already allow their customers to select EU data centres, but at a higher cost. Finally, data localisation practices will trigger further data localisation initiatives abroad and are contrary to the Commission's objective of further facilitating international data flows and promoting EU companies' competitiveness. That is why Vice-President Věra Jourová confirmed at the press conference following the CJEU's decision the importance of continuing to work to ensure the continuity of safe data flows.
The CJEU's decision creates a lot of uncertainties and these uncertainties will remain for a while. Businesses should not wait for future DPA guidance or the updated SCC from the Commission to take remediation actions but should act promptly by developing and implementing a step-by-step strategy, while also bearing in mind that no safeguard now offers total legal certainty.
Claire François, Counsel
Hunton Andrews Kurth LLP, Brussels
1. The European Commission ('the Commission') has so far recognised only 12 countries as providing an adequate level of data protection. This includes Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. EU personal data can continue to be (freely) transferred to these countries, but companies should closely monitor any future developments in this respect, including the Commission's review of past adequacy decisions or eventual legal challenges in the CJEU.
2. According to IAPP research, approximately 88% of companies transferring personal data outside of the EU rely on SCC, while 60% use the Privacy Shield.
3. The Schrems II Case, para. 104.
4. Supra footnote 1.