International Data Transfers just got more complicated

A decision by the European Court of Justice (ECJ) (the so called Schrems II decision) on Thursday last week will have a significant impact on all businesses and organisations involved in international transfers of personal data. Which is most of us.   Even if you’re a small organisation, chances are you will use a third party technology platform based outside the EU.

So what happened and what are the implications?

What happened?

As a result of a complaint made by privacy campaigner Max Schrems to the Irish Data Protection Commissioner, the ECJ examined the validity of two widely used mechanisms for transferring personal data outside the EU – Standard Contractual Clauses (SCC) (in this case, controller to processor clauses) and the Privacy Shield (for transfers to the US only).  These are mechanism recognised as lawfully permitting data transfers outside the EU.  However, the ECJ decided that:

• The Standard Contractual Clauses, while remaining valid, requires quite a bit of careful handling. In fact, organisations will be expected to carry out additional assessments in order to rely on the SCC – further work that organisations used to relying on SCC are unlikely to have been involved in before.
• The Privacy Shield is invalid. This won’t be a surprise to those who have closely followed the debate on the Privacy Shield over the last few years (it was only born in 2016). However, it will be disruptive to the many US companies that have registered with the Privacy Shield and rely on their certification to receive personal data from the EU. Likewise, EU organisations exporting data to Privacy Shield registered companies in the US will now need to implement a separate mechanism to lawfully make those data transfers.

Standard Contractual Clauses remain valid but as a sticking plaster

For many years, organisations have relied on the SCC for a relatively quick and easy solution to international data transfers. Knowing that we’re discouraged from amending the SCC, they’ve often been signed and put away without much further thought or examination.

A key concern that the ECJ highlighted is that the SCC is a contract between two commercial entities – the exporter and the importer – so that the public authorities of the third (non-EU) country are not bound by the SCC at all. So although there are provisions in the SCC which require the importer to notify the exporter about legally binding requests for disclosures of personal data by a law enforcement authority (unless otherwise prohibited), there is nothing in the SCC which prevents public authorities’ access to data.  However, this omission in itself did not mean, to the ECJ, that the SCCs are invalid as a data transfer mechanism.

But, according to the ECJ, the exporter and importer should assess on a case-by-case basis whether the law of the third country can properly and adequately protect the personal data to be exported. If not, it may be necessary for the parties to include additional guarantees in the SCC. But, if it’s not possible to implement adequate additional measures, the ECJ indicated that the parties (or the relevant EU data protection authority) should suspend or end the data transfer.

This presents the exporter and importer with a challenging legal puzzle. They are expected now to understand the legal framework of the third country (be it the US, India, the Philippines or China) to which the personal data is being transferred including how public authorities can access data, and then form a view concerning whether that legal framework provides sufficient protection as required under EU law for the personal data being transferred. This applies to all exporters regardless of their level of legal knowledge, expertise or resources.

Certainly there was always a weakness that in relying on the SCC, few parties actually considered the implications of what they were signing up to. Going forward, more due diligence and accountability measures will be expected when making data transfers in reliance on the SCCs.

Hopefully further guidance from the European Data Protection Board and the Information Commissioner’s Office will give organisations a steer concerning what is expected of them in order to be able to rely on the SCC.  Additionally, the European Commission is due to publish revised versions of the SCCs which should take account of this ECJ ruling.

The demise of the Privacy Shield

In its examination of the Privacy Shield, the ECJ ruled that the framework was not good enough to meet the requirements under EU law in order for the adequacy decision to be valid. Consequently, just like its forebear – Safe Harbor – the Privacy Shield is no more.

The Privacy Shield was an elaborate and finely balanced framework held together with certain assurances from the US Government. However, there had been criticisms over the years (from the European Parliament and European Data Protection Board in particular) that it fell short of what was required for an adequacy decision. Privacy Shield was required to comply with certain key European legal standards – effective and enforceable rights for individuals, judicial redress and certain requirements under the Charter of Fundamental Rights and Freedoms (the Charter). The ECJ concluded last week that it failed to do so.

The main sticking points for the ECJ were:

• Lack of limitations on the powers of US public authorities to access personal data under US law (which permits surveillance programmes) and lack of proportionality plus the failure to grant EU individuals’ actionable rights – this echoed the concerns expressed in the ECJ’s decision concerning Safe Harbor back in 2015.
• Weaknesses of the US Privacy Shield Ombudsperson position – questions were raised about the independence of the Ombudsperson from the US Government and whether it could satisfactorily act as a tribunal (as required under the Charter).

Consequently, from 16 July 2020, the Privacy Shield is invalid as a data transfer mechanism under the GDPR.  Organisations relying on it will need to consider an alternative – quite likely the SCC (see comments above).

Of course, other options under the GDPR to transfer personal data remain available. However, given that the derogations under Article 49 (e.g. explicit consent/ necessary for performance of a contract) must be strictly interpreted, there are no approved codes of conduct or certification mechanisms yet, and comparatively few companies have embraced binding corporate rules, the SCC will remain the most popular mechanism. 

Can we still transfer personal data to the US?

The ECJ’s ruling indicates that the US legal framework does not provide proper protection for data transfers. However, that can lead to the absolutist position that most personal data transfers (apart from those permitted under Article 49 derogations) from the EU to the US should cease immediately.  Quite a draconian interpretation. It’s worth considering that the specific US laws in question that permit US public authorities to access personal data tend to be focused on seeking access to data held by telco’s, cloud storage and hosting providers.  Therefore, if you’re transferring personal data to a US company that doesn’t fall within that grouping, it’s less likely US public authorities will seek to access the transferred data.

Much will depend upon the response of data protection authorities to the ruling. Significantly, just days after the ECJ’s decision, the Berlin data protection authority has reportedly asked German based controllers transferring data to the US (especially using cloud service providers) to cease transfers to the US and re-procure services either in the EU or in a country that has received an adequacy finding from the European Commission (other adequacy findings remain valid currently). Whether or not most controllers will comply, and what the Berlin data protection authority will do if they don’t, remains to be seen.

So what should organisations do now?

 Organisations should:

• Identify the data transfers to the US where you’re relying only on the Privacy Shield – for these transfers you need to implement an alternative mechanism such as SCC to make data transfers to the US. Most mature US service providers will themselves be considering an alternative for their EU customers and may reach out to you with their solution (potentially including offering storage on EU based servers).
• Identify the data transfers where you’re relying on SCC (both controller to processor and controller to controller) including any new ones in view of the demise of Privacy Shield. You need to consider what due diligence you should now carry out to assess the risks involved in transferring that data to that third country.
• Review your obligations under the SCC. Can you demonstrate that you can comply with these obligations? It is prudent to document your evidence.
• Exporting controllers should contact importing controllers/ processors to ask whether there are any laws in the third country which could prevent the importer from complying with their obligations. Where public authorities in third countries can request access to data, what processes are available to the exporter/ importer to challenge such access requests? Be aware that if there is no satisfactory answer, the ECJ ruling would expect controllers to cease making such data transfers.
• Update existing SCC and enter into new SCC which include provisions that provide additional safeguards to ensure personal data is protected when handled by the importer in the third country.
• Key an eye on developments from data protection authorities and any further guidance issued by regulators.
• Also watch out for the revised and reworked standard contractual clauses that the European Commission are due to publish.

Should you have any questions or require any support, please contact Victoria Hordern.