International: What does the Schrems II Case mean for exporters and importers of personal data from the EU to third countries
On 16 July 2020, the Court of Justice of the European Union ('CJEU') issued a landmark judgment in the case Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') that will have far-reaching effects on the transfer of personal data from the EU to so-called 'third countries'. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, provides an overview of the Schrems II Case judgment and advises what exporters and importers of personal data from the EU can do to remain compliant with data protection laws.
Under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), in order to transfer personal data to a country outside of the EU which has not been recognised as providing adequate protection to personal data, such as the US, the exporter must use a mechanism recognised by the GDPR to facilitate the transfer. Prior to the date of the Schrems II judgment, the key mechanisms for this were:
- the EU-US Privacy Shield ('the Privacy Shield') (a self-certification program administered by the US Department of Commerce);
- Standard Contractual Clauses ('SCCs') (a contractual mechanism); and
- Binding Corporate Rules ('BCRs') (a governance mechanism for use by groups of companies for their intra-group transfers).
What did the Court say?
While the judgment is long and nuanced, the key points, as pertaining to private companies engaged in cross border transfers of personal data, may be summarised as follows:
- The Privacy Shield can no longer be used as a mechanism for cross border transfer from the EU to the US. This is due to the scope and extent of surveillance of non-US persons conducted by US intelligence authorities, such as the National Security Agency, under Section 702 of the Foreign Intelligence Surveillance Act ('FISA') and Executive Order 12333, as well as the lack of sufficient redress available to EU individuals from an independent authority.
- SCCs are still valid as a transfer mechanism but they can be used only if the exporter, after conducting an assessment of the circumstances of the transfer, determines that the data transferred will be protected in the destination country to an extent that is essentially equivalent to the protection provided under EU law. In order to do so, the exporter may need to implement supplementary measures. However, the CJEU did not specify these measures.
- EU Member State supervisory authorities are required to suspend or prohibit a transfer of data to a third country pursuant to SCCs if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
What did the EU Member State supervisory authorities say?
Following the judgment, a number of EU Member State supervisory authorities issued statements regarding the CJEU judgment. In most cases, the authorities acknowledged the CJEU's decision, its significance, and their role in reviewing the validity of the transfers, and indicated that they will be working together with the European Data Protection Board ('EDPB') to adopt a consistent approach. Some supervisory authorities took a more definitive position. For example, Ireland's Data Protection Commission ('DPC') stated that although the CJEU ruled 'that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid [...], it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.' In addition, the Berlin data protection authority stated that data controllers based in Berlin who transfer personal data to the US, including by using US based cloud storage providers, should stop doing so and use EU based providers until the legal framework in the US is changed.
What did the EDPB say?
On 24 July 2020, the EDPB issued frequently asked questions ('FAQs') in connection with the Schrems II Case. While the FAQs generally restate and reiterate the CJEU's decision, they also clarify the following:
- The threshold set by the court also applies to cross border transfer mechanisms under Article 46 of the GDPR, including BCRs. The EDPB will assess the consequences of the judgment on transfer tools other than SCCs and BCRs. Per the CJEU, the standard for appropriate safeguards is that of 'essential equivalence.'
- Providing access to data from a third country, for instance for administration purposes, also amounts to a transfer.
- There is no grace period for the enforcement of the CJEU's judgment. The Privacy Shield is invalidated as a transfer mechanism effective immediately.
- If you determine that the data you are transferring to a third country pursuant to SCCs or BCRs is not afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area ('EEA'), you must immediately suspend the transfers. If you do not, you must notify your competent supervisory authority.
- The EDPB is currently analysing the CJEU's judgment in order to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical, or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own, and will provide guidance on this.
- It is still possible to transfer data from the EEA to the US on the basis of derogations foreseen in Article 49 of the GDPR, and this should be done keeping in mind the EDPB's own guidance on derogations.
What to do if you are an importer of personal data?
If you are an importer of personal data into a third country, you should take the steps necessary to set your client/partner, the exporter, at ease with respect to the risk associated with continued use of your services/collaboration with you. As we await further guidance from the EDPB, you can already start doing, and asking yourself, the following:
- Determine (with legal counsel) whether or not you fall under the scope of the relevant country's surveillance laws. For example, in the US, this would be Section 702 of the FISA. Document your findings.
- If any of your transfers (or those of your sub-processors) are reliant upon the Privacy Shield, you should implement an alternative mechanism, such as SCCs. Though requiring additional assurances following the CJEU judgment, this mechanism is still a valid one.
- Assess the risk associated with the type of data that you are handling. Is this the type of data that may/has been the subject of surveillance by intelligence authorities?
- Have you ever received requests from intelligence agencies or governmental authorities?
- Do you have a policy regarding how to respond to such requests?
- Assess the technical measures you implement (or can implement) to protect the data. Is the data encrypted? Or pseudonymised?
- Do you use processors or sub-processors to process the data? Conduct careful diligence of them: where do they store or access the data? Have they been approached by intelligence authorities? What solutions are they (especially the bigger service providers) developing to address the judgment?
What to do if you are an exporter of personal data?
If you are an EU exporter of personal data, you should assess the risks in connection with your transfers and formulate a plan. Things to start with:
- Assess your data transfers. Use your Article 30 of the GDPR records of processing to reach out to all your processors and determine which of them transfer personal data to third countries and whether or not they rely on the Privacy Shield as a method of such transfer.
- If any of your transfers are reliant upon the Privacy Shield, you should implement an alternative mechanism such as SCCs. Though requiring additional assurances following the CJEU judgment, this mechanism is still a valid one.
- Inquire with your processors (and have them inquire with their sub-processors), whether or not they are subject to the third countries' surveillance laws, and whether they have, in fact, received any requests from governmental authorities. Document all your findings and assessment of the risk.
- Assess the risk associated with the type of data that you are exporting. Is this the type of data that may/has been the subject of surveillance by intelligence authorities?
- Consider whether a solution of local storage in the EU is one which may be feasible for your needs. Note that while access to your EU data centre by your processors' US-based employees still constitutes a cross border transfer, this may reduce the risk of potential surveillance.
- Communicate with your processors, especially the bigger ones, as to any solutions that they have. This may include containerised storage solutions coupled with a trusteeship agreement.
- Follow closely what the supervisory authority under whose jurisdiction your business falls is saying and what you can do, in collaboration with your data processors, in order to address such concerns.
- Follow guidance from the EDPB with respect to supplementary methods and be ready to implement them.
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia