On 16 July 2020, the CJEU gave its long awaited decision on international data transfers in C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II).
The court ruled that the EU-US Privacy Shield (Privacy Shield) is invalid and can no longer be relied on to transfer personal data from the EU to the US. The court also held that standard contractual clauses (SCCs) cannot be relied on alone for a lawful international transfer. So what now for international data transfers?
International transfers under the GDPR
The GDPR restricts the transfer of personal data outside the EU to help ensure that the data protection rights of individuals are not undermined. Transfers of personal data can only be made in limited circumstances including:
• To a country which the European Commission has decided ensures an adequate level of data protection, but these are limited in number.
• Transfers governed by SCCs (also known as model clauses) between the data exporter and data importer. The SCCs have been approved by the European Commission with separate SCCs for controller to controller transfers and for controller to processor transfers.
• Transfers between group companies governed by Binding Corporate Rules (BCRs). These are bespoke agreements which have to be approved by the ICO (or relevant supervisory authority) and are less common.
• Until recently, transfers to a US data importer that is a member of the Privacy Shield. This is a framework that was set up by the US Department of Commerce and the European Commission as a mechanism to comply with data protection requirements when transferring data from the EU to the US. It is commonly used by organisations to make data transfers to the US.
The end of the Privacy Shield
In Schrems II the CJEU found the Privacy Shield to be invalid with immediate effect. The court was concerned about access to personal data by US security bodies under US law and did not consider that individuals whose data had been transferred had effective remedies. All data transfers to the US which rely on the Privacy Shield are now illegal.
The US Department of Commerce is continuing to administer the Privacy Shield despite Schrems II and has made it clear that the decision does not relieve a participating US company of its Privacy Shield obligations.
What about SCCs and BCRs?
The CJEU has clarified that SCCs are still valid to make data transfers. However, they are not in themselves enough to make a transfer lawful and so cannot be relied on alone.
Individuals whose personal data are transferred outside the EU pursuant to SCCs are to be afforded a level of protection essentially equivalent to that guaranteed in the EU by the GDPR. The CJEU set out that supplementary measures may need to be adopted by a data controller, in addition to the SCCs, depending on the “prevailing position in a particular third country” in order to ensure compliance with the level of data protection required under the GDPR.
For data transfers to the US, supplementary measures are required, given the position under US law which led to the Privacy Shield being invalid. The European Data Protection Board (EDPB) has confirmed that data can only be transferred to the US if these supplementary measures, along with the SCCs, ensure appropriate safeguards and US law does not affect the adequate level of protection that they guarantee. The nature of these supplementary measures is currently unclear (see below).
For data transfers to other countries, the EDPB has set out that the data exporter and the data importer should assess whether the level of protection required under the GDPR is respected in that country in order to determine if the SCCs can be complied with in practice. If not, an assessment is to be made on whether supplementary measures can be put in place to ensure an essentially equivalent level of protection to the GDPR and whether the law of the recipient country will prevent their effectiveness. No data should be transferred pursuant to the SCCs if it is not afforded a level of protection essentially equivalent to that guaranteed within the EU.
The EDPB has clarified that the position for BCRs is the same as for SCCs and that supplementary measures may be required in the particular circumstances of the transfer.
What does this mean for your international data transfers?
The CJEU decision leaves international data transfers in a state of uncertainty. It has brought about an abrupt end to the Privacy Shield and at the same time brought uncertainty to the use of the alternatives, SCCs and BCRs.
The CJEU decision points to the possible need for “supplementary measures”, but gives little guidance as to what these may be. However, it seems likely that they will be technical or organisational measures, such as encryption, rather than contractual. One of the main issues of concern identified by the CJEU is access to the data by security or other authorities which would not be addressed by additional provisions in the SCCs, as the authorities are not a party to the contract between the data exporter and data importer. The EDPB has promised more guidance on supplementary measures. Organisations that make US transfers should keep a look out for this.
In the meantime, the ICO has recommended that “you should take stock of the international transfers you make and react promptly as guidance and advice becomes available”. Organisations should therefore undertake an audit of their international transfers outside of the EEA to ascertain which countries data is being transferred to and the basis for the transfer, whether an adequacy decision, Privacy Shield, SCCs or BCRs. This includes for any international transfers made by processors on their behalf. For data transfers to countries other than the US, where SCCs or BCRs are used, organisations should assess the level of protection conferred in that country taking into account local law. For data transfers to the US which currently use the Privacy Shield, organisations need to urgently consider alternatives, including potentially restricting data processing to the UK or EEA.
The implications of Schrems II are difficult for businesses, particularly in the currently climate. The ICO has said that it “understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.” Nevertheless, organisations should not ignore the implications of Schrems II, in particular for US transfers which use the Privacy Shield.
Patricia Jones, Consultant, email@example.com
For further information please contact our specialist data protection team.
Amy Chandler, Partner, Amy.Chandler@pannonecorporate.com
Patricia Jones, Consultant, firstname.lastname@example.org
Danielle Amor, Senior solicitor, Danielle.Amor@pannonecorporate.com