In the immediate aftermath of the Schrems II judgement, Bruno Gencarelli (Head of the International data flows and protection unit at the European Commission) said that “Schrems II is data transfers from theory to practice”.  There have been several major developments over the last couple of weeks (explained below) which show this to be an accurate assessment.  Companies can no longer “do nothing” in the hope that the difficult implications will go away.  Regulators are starting to investigate.  Complaints are being submitted. A taskforce has been set up. The Swiss data protection authority (DPA) also thinks Privacy Shield is inadequate. And new Standard Contractual Clauses (SCCs) are expected by Christmas!

Finnish regulator starts investigation

There have been reports that the Finnish data protection authority has written to several major technology companies, asking questions about their international data transfers and their response to the Schrems II ruling.

This action highlights that regulators are starting to proactively engage with the practical implications of the judgement and considering how they should be providing guidance to the companies they regulate.  We expect other data protection authorities will be under pressure to follow suit, particularly given recent criticism of regulators by privacy activists who have claimed that GDPR has not been properly enforced.

Schrems II taskforce to investigate 101 noyb complaints

On 4 September, the European Data Protection Board announced that it has created a taskforce to investigate 101 identical complaints filed by Max Schrems’ NGO, none of your business (noyb).  noyb filed these complaints with multiple EEA data protection authorities against major EU organisations.  The noyb website states that the reason for this is that:  “A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect…despite both companies clearly falling under US surveillance laws, such as FISA 702. Neither Facebook nor Google seem to have a legal basis for the data transfers”.

The EPDB said that the “taskforce will analyse the matter and ensure a close cooperation among the members of the Board”.

The taskforce will also produce guidance to help controllers and processors “identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries”.

Swiss DPA confirms Privacy Shield

On 8 September 2020, the Swiss Data Protection Commissioner said that, following his annual assessment of the Swiss-us Privacy Shield and rulings by the Court of Justice of the European Union, the Swiss-US Privacy Shield “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Federal Act on Data Protection”.[1]

The Policy Paper produced by the Swiss DPA also provided some guidance for Swiss companies on the “supplementary” measures that may be applied to legitimise data transfers under the SCCs:

“If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding. If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.”

New SCCs expected by end of 2020

In an EU parliament hearing on 3 September, EU Commissioner for Justice, Didier Reynders, said that the modernisation of the SCCs is a “top priority”.  The work will also “reflect the additional clarifications provided by the court [in Schrems II] on the conditions under which SCCs can be used”.  The Commissioner said:  “We intend to launch  the adoption process for the new clauses in the coming months and I hope finalise it by the end of this year”.

The Commissioner also commented that the review of existing adequacy decisions and the ongoing adequacy talks in respect of South Korea and the UK would “fully take into account the requirements set by the Schrems II judgment”.

Our take

In the immediate aftermath of the Schrems II judgement, many organisations preferred response was to wait and see what the autumn would bring.  However, this approach is looking less tenable.  Regulatory action is starting and not just as a result of complaints submitted by noyb. A partially implemented remediation plan will make responding to such enquiries easier.  In addition, over the last couple of months, the issues and complications of the judgement have become a practical reality in the context of commercial relationships – making changes across rafts of customer and vendor agreements takes time and throws up myriad hurdles that are best considered without a gun to the head.

Organisations therefore need to starting formulating and implementing a plan (which can flex as guidance emerges) on how to address the Schrems II decision.  Our detailed analysis contains our recommended next steps, but with the caveat that a “wait and see” approach, which may have been tenable at the time of writing, is harder to justify!