Schrems II

What is Schrems II? All you need to know

October 22nd, 2020 Posted in Data Protection

In July this year, the Court of Justice of the European Union (“CJEU”) examined the validity of the Standard Contractual Clauses (“SCCs”) and Privacy Shield in the case of the Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems. The case is widely referred to as Schrems II. SCCs are commonly used contractual agreements between EU organisations and international recipients to transfer personal data outside of the EEA. Privacy Shield is the mechanism EU organisations relied on (prior to the CJEU’s ruling in this case) to transfer data to the U.S.

SCCs

The CJEU found that the SCCs remain valid. However, a case-by-case assessment is now required prior to any transfer in order to verify whether the level of protection afforded under the GDPR is respected in the relevant recipient country and/or whether supplementary measures are required to ensure this level of protection. The responsibility for carrying out this assessment falls on the organisation located in the EU which is sending data outside of the European Economic Area (“EEA”) under the SCCs (the “Data Exporter”) to a recipient organisation (“Data Importer”). Following this assessment, if it is determined that the SCCs cannot be complied with and there are no appropriate supplementary measures available, the Data Exporter must suspend the transfer of data and/or terminate the contract with the Data Importer.

Privacy Shield

In its judgement, the CJEU declared Privacy Shield invalid on the basis that permissible access under the legislation by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes significantly interferes with the fundamental rights of those whose data is transferred to the U.S. In addition, it was found that Privacy Shield does not grant individuals actionable rights against U.S. authorities.

Notably, the Court invalidated the Privacy Shield adequacy decision without maintaining its effect. This means that there is no grace period for organisations to keep transferring data to the U.S. without any assessment. The ICO’s initial statement on Schrems II did suggest that transfers would still be allowed under Privacy Shield for the time being; however, the European Data Protection Board has now made it clear that organisations should immediately look to an alternative mechanism to continue transferring data to the U.S., with transfers based on the Privacy Shield framework now being illegal, as confirmed in its FAQs on the CJEU’s judgement here.

The full judgement can be found here.

What should organisations do now?

It has been several months since this landmark decision. As organisations come to terms with what Schrems II means for their business, there are some immediate measures that should be considered:

Firstly, review your data flows to see if you are sending data to the U.S. or other recipients outside the EEA. If you are, consider what mechanisms you are using to make any transfers. If you are relying on Privacy Shield, engage with any relevant Data Importers to discuss how you want to continue to legally make this transfer. SCCs are likely the most practical option but further assessment will be needed prior to any transfer to the U.S. to ensure sufficient protection for data subjects. It is worth noting that such assessment is still needed for any other transfer to a country outside the EEA where an adequacy decision is not in place.

If you share personal data outside the EEA, develop a framework to assess whether a recipient outside the EEA or in the U.S. can guarantee the level of protection afforded under the GDPR. This framework should, for example, assess:

  • any existing written agreements between the Data Exporter and Data Importer to ensure the GDPR’s Article 28 provisions are included (as a bare minimum);
  • any supplementary measures, such as encryption or pseudonymisation, that can be implemented to ensure appropriate safeguards are in place;
  • the organisational and technical measures that the Data Importer can evidence to show that it meets the GDPR’s requirements; and
  • the recipient country’s approach to data protection. For example, are public authorities entitled to access personal data, and if so, in what circumstances? Additionally, it must be considered whether there are effective remedies for individuals in the event their information rights are breached by organisations based outside the EEA.

Are Binding Corporate Rules (BCRs) an option?

Yes, BCRs can still be used following the CJEU’s judgement in Schrems II. BCRs are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA and, as such, are another means of demonstrating adequate safeguards under the GDPR. As a result, organisations could look to implement BCRs in order to transfer data from the EU to the U.S. or any other third country. Please note that BCRs can only be used for intra-group transfers of data outside the EEA, and an application must be sent to a data protection authority of your choice to demonstrate that your BCRs guarantee adequate safeguards for protecting personal data throughout your organisation.

Consider alternative relationships

For example, is there a supplier based in the EU that can offer you the same services? If so, it may be a safer option to switch to an EU-based supplier. That said, remember to carry out thorough due diligence of any prospective suppliers to ensure they have a strong track record of data protection compliance and will adhere to the GDPR.

Cease any transfers to the U.S. or other third countries where appropriate safeguards cannot be guaranteed.

Next steps

In addition to the suggested steps above, it will be prudent to maintain a watching brief for updated guidance on this topic from the ICO or other supervisory authorities. The EU Commission is currently working on modernising the SCCs to reflect the GDPR requirements, and it is worth keeping up with such developments.

As a specialist data protection consultancy, Evalian is well-placed to assist you with navigating the law governing your international transfers and the implications of the Schrems II decision. If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.


Written by Ray Orife

Ray specialises in data protection and information rights law. He is a qualified solicitor and worked in private practice and in-house in commercial law roles before focusing on data protection. Before joining Evalian™ he was in-house counsel and Data Protection Officer for a high street financial services organisation and their associated businesses. His qualifications include a First Class Honours Degree in Law, LPC (Distinction), Practitioner Certificate in Data Protection (PC.dp) and IAPP CIPP/E.