On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark case Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (known as the Schrems II case). While the EU-US Privacy Shield (Privacy Shield) has been completely invalidated, the Standard Contractual Clauses (SCCs) remain valid, but with strict conditions.
Our recent briefing provides a detailed analysis of the judgment, but here are our recommendations on what organisations should consider doing next:
- Monitor guidance updates from the European Data Protection Board (EDPB) and Data Protection Authorities (DPAs): the judgment is not clear as to how satisfactory compliance should be achieved. This guidance will be crucial in determining whether any of the following measures are sufficient.
- Carefully map international data flows and existing transfer mechanisms: data flow mapping may have been less rigorous in the past if the assumption was that, once SCCs were in place, personal data could be transferred anywhere. A first step is therefore to map precisely which personal data is transferred to, or accessed from, which country outside the EEA, and to determine which export mechanism was previously relied on to legitimise that transfer (i.e. the Privacy Shield, SCCs, binding corporate rules (BCRs) or a derogation). The mapping should note the quantity and sensitivity of the data so that this can be assessed against the likelihood of government access and the consequential harm to the individual, and how easily the processing activity could be relocated if necessary.
- Transfers to the US will require assessment; other countries will follow: so far the US is the only country whose surveillance law and practices the CJEU has actually ruled on for equivalence, and it found them wanting. Although other countries might have wider and less controlled regimes, these have not been the subject of a finding or ruling by a DPA, the EDPB or the CJEU in this context. Therefore, doing nothing in relation to these countries until guidance is published would appear more defensible.
- Put SCCs in place if you were previously relying on the Privacy Shield: the Privacy Shield is no longer valid. It is therefore prudent to implement SCCs at this stage to ensure that a valid export mechanism is in place (albeit one that may be updated by the EU Commission or to which you may have to add additional safeguards). BCRs might be a long-term solution but will not be approved overnight (approval is more likely to take between 6 and 24 months).
- Consider how you are going to approach the assessment required when using the SCCs: where SCCs are currently in use or are intended to be used, the judgment requires the parties to evaluate the laws of the data importer's jurisdiction that govern public authority access to the data. The judgment does not provide a solid framework for organisations to use, and guidance from the EDPB and/or DPAs will be required to assist with this. In the interim, it may be prudent to review the non-EEA countries without a Commission adequacy decision to which data is exported (both on an intra-group and an extra-group basis). You should consider whether any of these countries' laws could be problematic and whether additional safeguards may be required. A similar exercise is advisable in relation to BCRs. BCRs are also a contractual mechanism and therefore subject to any deficiencies in the importer's surveillance regime (although, depending on the BCRs' content, they may already incorporate measures equivalent to the additional safeguards required for SCCs).
- Consider what additional safeguards could be applied: these could be technical, contractual or involve a throttling back of certain transfers. Such safeguards could include:
  - encryption of the data flow (remember the adversary here is a nation state, so the measures will need to be robust – which may mean cumbersome or expensive to use). U.S. companies should use commercially available encryption, or else they may need a special licence to export the software, since U.S. export laws regard such unique software as a "munition" under 15 C.F.R. 742.15;
  - contractual measures, which might include increased transparency from, and control over, the data importer so that the data exporter can satisfy itself that the importer has a robust process for challenging requests;
  - minimising the amount of data disclosed;
  - notifying the exporter of requests from law enforcement authorities so that it can intervene, unless the importer is truly prohibited by law from doing so, together with statistics on how often and what types of requests have been complied with in the past 24 months so that the exporter can assess the likelihood of its data also being accessed; and
  - the ability to relocate certain data types or data processing activities to other countries or, ultimately, to cease processing (on acceptable commercial terms).
- Consider if a derogation may apply: there are a number of derogations available (discussed in more detail below). We consider these to be of limited assistance with respect to "usual" day-to-day transfers. However, they may be useful as a fallback when assessing how quickly an additional safeguard should be implemented or a processing activity relocated if necessary.
- Ensure key stakeholders are aware of the implications of the judgment: senior management should be made aware of the decision as there will likely be cost implications (e.g. around assessing importer jurisdictions' legal systems and updating contracts) and impacts on key business decisions (e.g. around whether data should remain in the EEA going forward).
- Consider delaying transactions involving the export of personal data to jurisdictions that are neither in the EEA nor Commission-approved: the impact of the judgment in practice remains to be seen, but it is clear that parties will be required to make and sign off on assessments of non-EEA legal frameworks. Where a transaction is in progress, the parties will need to consider how to allocate the risks and responsibilities around this. These requirements may also result in decisions to restructure transactions so as to retain personal data within the EEA or a Commission-approved jurisdiction (e.g. Canada).
Read the briefing for our detailed analysis of the ruling.