Data Protection Report - Norton Rose Fulbright

Just when we thought our summers might have been looking a bit dull, it was announced that the Court of Justice of the European Union (CJEU) will be making its final ruling in Case C-311/18, Data Protection Commissioner v Facebook Ireland & Schrems on 16 July 2020.  This judgement concerns the legality of the European Commission-approved Standard Contractual Clauses (SCCs) which many organisations rely on to transfer personal data outside of the UK and the European Economic Area (EEA), particularly in relation to outsourcing services.

On 19 December 2019, the Advocate General (AG) gave his non-binding opinion on the questions raised in the case.  He concluded that the SCCs are a valid mechanism to transfer personal data outside of the EEA, but that this will not be the case automatically or necessarily for every transfer.  The opinion suggested that parties using the SCCs need to make an assessment of whether the national security, communication and surveillance laws of the country of the data importer are “essentially equivalent” to those in the EU, i.e. whether they respect privacy rights and freedoms, provide effective remedies, etc.  If they do not do these things, then the SCCs will not be able to be used to make the transfer. Our previous blog post explains the opinion in more detail.

The question now is to what extent the CJEU will agree or disagree with the AG.  Those involved in outsourcing deals should start considering what the implications could be for their transactions, since many customers and service providers rely on the SCCs to enable services to be provided internationally.

  1. The first thing is to understand exactly where the outsourced services are being provided from.  This doesn’t just include where the data centre is located, but where the data is accessible from.  For example, a data centre may be located in the UK, but customer support may be provided from the US.  Once this has been established, a “simple” option may be for the parties to explore whether data can be kept within the EEA and not accessed by anyone outside of the bloc.  This may come with cost implications so the parties will need to judge this against the potential raft of issues that may otherwise arise as described below…
  2. The second thing to understand is your data.  What is it and could it be of interest to public authorities?  The AG’s opinion said that the data exporter will need to consider “all the circumstances characterising each transfer” before making a transfer.  This suggests that when making their assessment, the parties can take account of the “type of data and whether they are sensitive” and “the nature and purpose of the processing by public authorities in the exporting country”.  This suggests that some types of transfers could be considered not to be of particular interest to public authorities and therefore may be valid without making a detailed assessment of the national security, communications and surveillance regime of the data importer. On the other hand, other transfers could be considered to be of great interest to public authorities and therefore only viable if such an assessment has been carried out.   However, this exercise may not be that simple as what intelligence agencies are interested in is not meant to be well signposted and the laws governing their activities can be opaque and very specialist.
  3. The third thing to consider is your position.  Parties to outsourcing transactions will need to decide who is best placed to make a definitive assessment of the national security, communications and surveillance laws that the data importer is subject to.  They also need to determine liability for the implications arising out of this. Whatever the answer to these questions, making this type of examination will not be easy in most circumstances. It will be a time-consuming and complicated exercise when assessing countries that have a relatively transparent surveillance regime, but it will be even more complex for countries where little is known about the national security, communications and surveillance practices or where there are no laws that clearly limit state powers.  Parties will need to be mindful that this assessment could delay the deal as they attempt to unravel these complicated issues.

One other question to be considered is whether the CJEU judgement could impact other data export mechanisms, such as Binding Corporate Rules (BCRs), Codes of Conduct / Certifications etc.  These mechanisms all sit under the same Article 46 GDPR umbrella as safeguards to protect personal data that is exported and, as such, it is possible they could be affected too.

Our take

Whilst the judgement is pending, customers currently negotiating outsourcing deals should exercise caution about where they agree personal data may be stored and accessed.  They should ask outsourcers what their plans are if the judgement follows the AG’s opinion or invalidates the SCCs entirely and/or if the legality of certain transfers under BCRs also becomes questionable.

Service providers should also take similar practical precautions.  They should consider which data centres or centralised access points are potentially affected and how data storage / access rights could be reconfigured to better suit the needs of UK/EEA customers.

Please feel free to register for our webinar on the Schrems II CJEU judgement on Thursday 23rd July at 4pm BST where we will analyse the outcome and its implications for industry.