
Schrems II: what now for international data flows?

Posted: 06/08/2020


On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered its highly anticipated judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II)[1], ruling that:

  • Personal data transfers on the basis of the EU-US Privacy Shield are illegal – entities which previously used the Privacy Shield will now need to find an alternative method of transferring personal data to the US; and
  • Personal data may be transferred to the US and other jurisdictions in reliance on the safeguards provided by the standard contractual clauses (SCCs) provided that this is assessed on a case-by-case basis – in order to still be an adequate method of data transfer, parties to the SCCs must review the relevant transfer to ensure that the SCCs do in practice constitute an adequate protection when data is transferred outside the UK-European Union[2].

As the UK Information Commissioner’s Office (ICO) stated, ‘international data transfers, that are so vital for the global economy, suddenly became open to question’.[3]

The true ramifications of this landmark decision are yet to be seen but Schrems II makes clear that reliance on SCCs without further diligence will not be an acceptable approach.

The decision has an impact on any organisations transferring personal data outside the EU (and not just to the US) in reliance on the SCCs, including transfers using SaaS solutions or other technologies and intra-group transfers. 

Background and case facts

The EU General Data Protection Regulation[4] restricts transfers of personal data to third countries outside the EU unless the transfer satisfies certain limited conditions, including for onward transfers of personal data from that third country to any other third country. The conditions under which a transfer is permitted include transfer to a country with data protection laws that the EU has deemed to be adequate; or transfers carried out under appropriate safeguards such as binding corporate rules or under the terms of EU-approved standard data protection clauses (namely the SCCs). There are also other specific situations where transfers can occur, for example with an individual’s explicit consent, or where the transfer is necessary to perform a contract with that individual. Prior to this decision, EU-US transfers could also be justified on the basis of the EU-approved EU-US Privacy Shield. However, SCCs are commonly used as the condition justifying transfer of personal data.

As a result of a case brought by Austrian data protection activist Max Schrems against Facebook challenging the use of SCCs as a mechanism to transfer data from the EU, the CJEU was asked by the Irish High Court to consider the validity of the SCCs as well as the EU-US Privacy Shield.

The CJEU confirmed that SCCs may provide adequate protection and ruled that the EU-US Privacy Shield does not.

Invalidating the EU-US Privacy Shield

The CJEU’s decision means that organisations which had been relying on the EU-US Privacy Shield as a valid mechanism to comply with UK/EU data protection requirements when transferring personal data from the UK/EU to the United States can no longer do so. Interestingly, the court did not bring the principles of the EU-US Privacy Shield under scrutiny but rather focused on the level of access that US governmental agencies have to the data during and after transfer.

The US laws in question are, firstly, section 702 of the US Foreign Intelligence Surveillance Act (FISA), which permits the surveillance of individuals who are not US citizens, located outside the US, in order to obtain foreign intelligence information. ‘702 requests’ compel ‘electronic communication service providers’ in the US to offer up the mails/communications of their foreign customers, without a warrant. Secondly, US Executive Order 12333 (EO12333) allows the National Security Agency (NSA) to access unencrypted data in transit to the US by accessing transatlantic underwater cables. The rationale behind these requests is that they aid the prevention of terrorism, although the law states that they can be used for any non-US person for a ‘significant reason’.

According to the CJEU, the use of personal data in US Government surveillance programmes is not proportionate since it is not limited to what is strictly necessary. If an individual objected to the use of their data in this way, there were insufficient means of redress available against US authorities. The Privacy Shield’s ombudsperson mechanism was not enough to counteract the insufficiencies. For these reasons, the EU-US Privacy Shield is no longer a valid method of international data transfer, effective on the date of the Schrems II judgment.

The decision does not relieve participants of the EU-US Privacy Shield of their obligations under it. An announcement made by the US Department of Commerce clarified that the EU-US Privacy Shield is still enforceable, although those that relied upon it must now find an alternative method to transfer personal data to the US. There is no ‘grace period’ provided by the CJEU. However, looking at similar events in the past such as when Safe Harbour was invalidated, data protection authorities provided for about three months before strictly enforcing the decision, allowing time for parties to make alternative arrangements. If your organisation is transferring personal data based on the EU-US Privacy Shield, alternative arrangements must be made as soon as possible as a grace period is not guaranteed.

Impact assessments and standard contractual clauses

Thankfully, Schrems II reinforced the validity of standard contractual clauses (SCCs). However, a new case-by-case requirement to assess the use of SCCs has been introduced on both parties to the transfer, in part to ensure that the recipient of the data is able to comply with SCCs in a practical sense, particularly with regard to their obligations under the laws applicable in their jurisdiction. If there is anything in the domestic law of the recipient which conflicts with the obligations of SCCs and cannot be resolved, then SCCs will be an invalid mechanism to transfer data to that country. As mentioned, this decision has a wider impact than purely in relation to transfers to the US.

If there is a conflict, meaning that the recipient cannot comply with the SCCs in full due to its obligations under domestic laws:

  • the recipient is obliged to inform the data controller;
  • the data controller is then obliged to suspend the data transfer and assess the circumstances;
  • if, after assessment, the controller concludes that it does not need to suspend the data transfer, despite the recipient’s notification, then it must notify the competent Data Protection Authority (DPA) of its decision; and
  • if the DPA considers that the SCCs cannot be adequately complied with, it has the authority to suspend the transfer.

Further guidance on what additional supplementary measures to consider in safeguarding personal data when using the SCCs is expected to be issued by the European Data Protection Board (EDPB). This will be particularly important to ensure that a consistent approach is taken by member states in relation to the use of SCCs to enable transfers to particular third countries.

Key takeaways

The EDPB guidance is eagerly anticipated, and the EU Commission has also stated that it is working on updating the SCCs[5]. In the meantime, the following are some key takeaways to consider from the recent judgment:

  • Review current data flows and identify what data is being transferred outside the UK-EU and on what basis. As part of this exercise, it will also be helpful to identify transfers between the UK and the EU, since the UK will be a third country under EU laws from expiry of the Brexit transition period on 31 December 2020.
  • Identify data transfers from the UK-EU to the US that rely on the Privacy Shield. Put in place alternative mechanisms (most likely SCCs, but possibly one of the other permitted circumstances set out in the GDPR might apply).
  • Conduct impact assessments in relation to existing and prospective use of SCCs, both to the US and to other third countries:
    • Identify if the laws of the destination country cause concern in relation to the rights of data subjects. To identify potential risks, an assessment of the third country’s laws and potential international commitments is now necessary, and recommended by the European Data Protection Board (EDPB) in its Schrems II FAQs[6].
    • Not just an issue with US transfers. Whilst the Schrems II decision focuses on the US Government’s access to public data, the issue of government access to public data is not unique to the USA. The principles in this decision will apply to SCCs in relation to transfers worldwide, including to transfers to key trading partners such as China and India. The issue will also no doubt have to be considered as the UK seeks to negotiate its own adequacy decision with the EU to apply from the expiry of the Brexit transition period.

Questions to consider

  • Is the transfer necessary? Does it comply with the data minimisation principle?
  • From and to which country is the data being transferred?
  • What type of data is being transferred? Does it include special category data or data that is not in the public domain?
  • Will the government/public authorities in the destination country be able to access the personal data? If so, on what basis? Is it likely that the data being transferred will be subject to requests for access? What are the limits on access? Are there effective judicial remedies for affected data subjects?
  • What technical measures are in place to protect the data being transferred? Is the data encrypted or (if appropriate) tokenised in transit?
  • Update records on international data transfers to demonstrate why SCCs have been regarded as appropriate for the particular transfer.
  • Ensure relevant internal data handling policies build in the requirements to carry out additional diligence when using SCCs, and to invoke suspension or termination rights under the SCCs in the event of any concerns (as well as to notify the relevant DPA in those circumstances).
  • Ensure that international data transfers are transparently addressed within privacy notices given to data subjects.

This article has been co-written with Ebi Oni, a trainee solicitor in the commercial, IP and IT team.

___________________________________________________________________________

[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II)

[2] Until the end of the transition period (being 31 December 2020 at the time of publication), EU law applies to the UK.

[3] Updated ICO statement on the judgment of the European Court of Justice in the Schrems II case https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/

[4] Regulation (EU) 2016/679, Article 44 (General Principles for Transfers)

[5] EU Commission Statement https://www.europarl.europa.eu/doceo/document/E-9-2020-001120-ASW_EN.html

[6] EDPB FAQs on Schrems II https://edpb.europa.eu/our-work-tools/our-documents/other/frequently-asked-questions-judgment-court-justice-european-union_en



Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority.
