It is just over two months since the European Court of Justice issued its decision in Schrems II. Now that the dust is beginning to settle, we look at what trends are beginning to emerge in relation to use of the Standard Contractual Clauses (SCCs) and other transfer mechanisms and the potential impact on EU/UK data transfers following the expiry of the Brexit transition period.

Background

The European Court of Justice's decision is the latest step in a long-running complaint by Max Schrems over the transfer of personal data by Facebook to the United States and the risk to personal data from surveillance by US law enforcement agencies. In 2015, the ECJ struck down the Safe Harbor scheme for transferring personal data to the United States.

In this latest decision, the ECJ struck down Privacy Shield, the successor to Safe Harbor. While the ECJ upheld the SCCs, the ECJ said they will only be valid where the wider legal landscape of the country to which the data is to be exported does not override the protections contained in the SCCs and the rights and remedies that are guaranteed by the Charter of Fundamental Rights. Use of the SCCs may require organisations to put in place additional safeguards. If additional safeguards cannot be put in place, then the transfer should not take place.

You can read more about the Schrems II case in our summary.

Response from regulators and industry

The European Data Protection Board (EDPB) published an FAQ on the Schrems decision on 24 July 2020. In the FAQ, the EDPB states that there is no grace period for compliance and that organisations need to immediately stop using Privacy Shield as the basis for any transfers to the United States.

The FAQ goes on to acknowledge that the court's decision will likely impact on all means of carrying out international transfers including, for example, Binding Corporate Rules. The EDPB has committed to providing guidance on what supplementary measures it expects organisations to take when undertaking international transfers.

While no guidance has yet been issued, the Irish Data Protection Commissioner is reported to have reached a draft preliminary decision to require Facebook to suspend transfers of personal data to the United States. Facebook has raised judicial review proceedings in the Irish courts.

The United States Government and the European Commission have met to discuss the impact of the court's decision and the potential for an enhanced Privacy Shield. However, given the nature of the ECJ's criticisms, any enhanced regime will likely require changes to US law to protect citizens in the EU.

Steps have also been taken by industry to seek regulatory approval for a code of conduct for international transfers in relation to the provision of cloud computing services.

Meanwhile, noyb, the privacy rights not-for-profit co-founded by Max Schrems, has lodged 101 complaints with supervisory authorities in relation to transfers of personal data to the United States.

EU/UK data transfers following the expiry of the Brexit transition period

Upon the expiry of the post-Brexit transition period, the UK becomes a third country for the purposes of data protection law. If no finding of adequacy is made by the European Commission in respect of the UK, then transfers of personal data will be subject to the same constraints as transfers of personal data to other non-EEA countries.

Given that there is no guarantee that an adequacy decision will be made by the European Commission, many organisations will be planning to put in place SCCs to ensure that transfers can continue to take place. While that is still an option, any use of the SCCs will need to comply with the Schrems II decision. This means EEA-based controllers are going to need to understand UK surveillance laws and assess the risk of any proposed transfer to the UK.

What are the key steps to take when using the SCCs?

The Schrems II case considered two US laws: Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. These laws enable widespread and indiscriminate surveillance of data. Similar laws exist in other countries around the world. While the US Government had implemented the Privacy Shield scheme to address the criticisms of Safe Harbor in Schrems I, in Schrems II the ECJ found that Privacy Shield did not provide individuals with an adequate level of judicial redress.

The challenge presented by both the Schrems I and Schrems II decisions is that these cases are fundamentally about the powers of law enforcement agencies in other countries. The SCCs (and BCRs) are contractual agreements between private parties. Nothing in the SCCs can limit the powers granted to law enforcement agencies under local law.

Use of the SCCs is therefore only possible where:

  • the data importer is not subject to such powers; or
  • steps can be taken to sufficiently mitigate the risks such that EU data protection rights are not interfered with.

Compliance cannot be delegated by a controller. We suggest considering taking the following steps:

Additional diligence

Carrying out diligence is essential in order to assess the risk:

  • Understand the powers of law enforcement in the destination territory. Do these interfere with the rights of individuals under EU data protection law?
  • Is the data importer/its sub-processor(s) subject to these powers/rights? If so, which ones?
  • What processing will the data importer undertake?
  • Why is it necessary for the data to be processed in the destination territory?

Use questionnaires to seek this information and take reasonable steps to verify the responses. Once you understand the laws in a particular country then you may be able to use white lists to simplify the process in the future.

Technical measures

If data is encrypted at rest and in transit using strong encryption, then the ability of law enforcement agencies to access the information may be limited. Consider the following:

  • What technical measures are used to keep the data secure and limit access?
  • Who has control of the keys?

Again, use standard form questionnaires to find out the answers.
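The key-control question above is the one that decides how much protection encryption actually gives. The following Go program is an added illustration, not code from the original article or from Brodies: it models an EEA-based exporter that generates and keeps an AES-256-GCM key, sends only ciphertext to a third-country importer, and shows that the importer (and anyone who can compel the importer) holds nothing it can read, while a wrong key, a mismatched record context or a tampered record all fail to decrypt. The record contents, record identifiers and the `Importer` type are constructed for the example. Encryption in transit (TLS) is assumed to be in place separately and is not modelled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey generates a 256-bit AES key. In the scenario being illustrated the
// exporter generates and retains this key; it is never sent to the importer.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (e.g. a record identifier) is authenticated but not encrypted, so a record
// cannot later be silently presented under a different identifier.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails if the key or aad is wrong or the blob was modified.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Importer is a constructed stand-in for a third-country processor: it stores
// exactly the bytes it receives and has no key material.
type Importer struct {
	store map[string][]byte
}

func NewImporter() *Importer { return &Importer{store: map[string][]byte{}} }

func (im *Importer) Receive(id string, blob []byte) { im.store[id] = blob }

func (im *Importer) Get(id string) []byte { return im.store[id] }

// HoldsPlaintext reports whether any stored record contains p in the clear.
// This is the check a diligence reviewer cares about: what does the importer
// actually hold if local law compels it to hand over its storage?
func (im *Importer) HoldsPlaintext(p []byte) bool {
	for _, b := range im.store {
		if bytes.Contains(b, p) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewKey()
	record := []byte("constructed sample: employee=Jane Doe; payroll=EUR 4200")
	aad := []byte("hr-record-0001")
	blob, _ := Seal(key, record, aad)

	im := NewImporter()
	im.Receive("hr-record-0001", blob)
	fmt.Println("importer holds plaintext:", im.HoldsPlaintext([]byte("Jane Doe")))

	// Only the exporter, holding the key, can read the record back.
	pt, err := Open(key, im.Get("hr-record-0001"), aad)
	fmt.Println("exporter decrypt ok:", err == nil && bytes.Equal(pt, record))

	// If the importer had generated and kept the key instead (e.g. server-side
	// encryption with importer-managed keys), this call would succeed for the
	// importer too, and the encryption would not limit compelled access.
	other, _ := NewKey()
	_, err = Open(other, blob, aad)
	fmt.Println("decrypt without exporter key fails:", err != nil)
}
```

The design point is that the mitigation comes from the exporter retaining sole control of the key, not from the cipher itself; the same AES-256-GCM applied with an importer-managed key would leave the importer able to decrypt on demand, which is exactly what the "who has control of the keys?" question is meant to surface.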

Contractual measures

Before you add additional clauses to your contract, familiarise yourself with the existing clauses in the SCCs dealing with notification of requests from law enforcement agencies and changes in law. Supplementary measures might take the form of:

  • additional rights to suspend or terminate transfers
  • disclosure obligations and transparency reports and representations around previous disclosure requests
  • additional mechanisms for dealing with changes in law or regulatory guidance or the risk profile

Risk assessment

Once you've conducted your diligence on the laws in the destination, the data importer and the technical measures that are in place (or can be adopted), you then need to carry out a risk assessment to determine whether the transfer is lawful. That risk assessment should consider:

  • What personal data is being processed and for what purpose? What data subjects are involved? Are there any particular risks?
  • What are the specific risks in relation to the underlying law enforcement powers in relation to the proposed transfer?
  • To what extent can technical or contractual measures mitigate these risks?

It is essential that the risk assessment and the decision-making process are clearly documented.

If the conclusion is that supplementary measures cannot be implemented to prevent local laws from impinging on the level of protection to be provided by transfer tools such as SCCs, and an Article 49 derogation is not available, then the transfer should not be made.

Find out more

We will be running a webinar on the Schrems II case on Tuesday 29 September 2020. To register, follow this link.

We have advised on a number of international transfers following the Schrems II decision and have helped clients develop pro forma questionnaires that can be issued to processors and other data importers. If you would like to discuss the Schrems II decision or your organisation's international data transfers, please contact Martin Sloan or Grant Campbell, or your usual Brodies contact.

Contributor

Martin Sloan

Partner