
Schrems II: where next for data transfers?

Published on 02 November 2020

Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems

The question
What is the impact of the CJEU Schrems II decision on international data transfers?

The key takeaway
The CJEU has invalidated the EU-US Privacy Shield arrangement and put significant limitations on the use of Standard Contractual Clauses (SCC) as a lawful international data transfer mechanism.
The background

On 16 July, the CJEU handed down a long-anticipated decision concerning the EU-US Privacy Shield, which is a scheme that companies can sign up to in order to certify they will adhere to higher privacy standards to lawfully transfer data between the US and EU. It also concerned the use of SCCs, a standard set of contractual clauses issued by the European Commission which can be incorporated into data transfer agreements to ensure safeguards on data protection. 

This follows the CJEU judgment of Schrems I which, in 2016, invalidated the Safe Harbour arrangement which governed data transfers between the EU and US, foreshadowing what has been observed as a suspected “privacy trade war”.

The guidance
The CJEU held that the EU-US Privacy Shield was invalid, primarily due to concerns about how US government surveillance programmes may restrict the privacy rights of EU citizens. In particular, it was found that US law did not place sufficient limitations on the access and use of data belonging to EU citizens by US intelligence services, and did not provide adequate remedies to EU citizens in relation to use of their personal data by US public authorities.

Whilst the use of SCCs was not declared invalid, the CJEU placed the onus on data controllers to conduct an assessment of the privacy laws of the country to which data is being sent. It is questionable whether SCCs can still be used to transfer data to the US in light of the judgment. 

The ICO echoed guidance from the European Data Protection Board recommending that businesses conduct risk assessments as to whether SCCs provide adequate protection within the local legal framework. It also stated that businesses should take stock of their international transfers and react promptly as guidance and advice become available.

Why is this important?
International data transfers are vital for the global economy to function and must be carried out lawfully. Businesses which rely on international data transfers must now actively assess the privacy protections provided by the recipient country before data can be sent. Whilst the focus has been on EU-US data transfers, the principles from the judgment still apply to transfers to other third countries. It must be remembered that on 1 January 2021, save for any treaty otherwise, the UK will become a third country which will lead to an ongoing assessment of whether the UK’s GDPR will be considered adequate to receive data as it potentially diverges from the EU GDPR over time.

*** Breaking news - on 6 October, the UK's chances of obtaining a successful adequacy decision suffered a major setback. The EU Court of Justice ruled that UK surveillance laws for the "general and indiscriminate" bulk collection of data "exceed the limits of what is strictly necessary and cannot be considered to be justified within a democratic society."  This is the case even though the Court found that mass collection of data may be necessary in limited circumstances when faced with a "serious threat to national security". ***

Any practical tips?

  • Identify which data transfers rely on the Privacy Shield and may require an alternative lawful data transfer mechanism. 
  • Identify data transfers to the US under SCCs and assess which recipients of your data may be subject to US surveillance laws.
  • Conduct an audit of your data flows to third countries and the lawful data transfer mechanisms relied on in order to assess foreign privacy laws, and their compliance with the GDPR.
  • Prepare to adopt updated SCCs once the European Commission releases them.
  • Consider expanding the existing data protection obligations in your processing contracts, such that you can force your processing partners to put in place additional control mechanisms should these become necessary.
  • Above all, keep a look out for guidance from national regulators and the European Data Protection Board. In particular, maintain awareness of UK Government & ICO statements on Brexit, and the UK's adequacy status. The position on data transfers continues to develop and you may need to move quickly to ensure ongoing compliance.

Autumn 2020