IMPLICATIONS FROM SCHREMS II CASE THE INVALIDATION OF THE EU US PRIVACY SHIELD REGIME AND CROSS BORDER TRANSFERS OF PERSONAL DATA

I. Introduction

The recent decision on the Schrems II case [1], in the matter of compliance with the data protection principles of necessity and proportionality in the application of US law, became the most outstanding landmark case regarding international data transfer. The Court found that US surveillance law does not ensure the essential equivalent level of data protection provided within the EU; thus, the ‘limited adequacy’ decision which was adopted in 2016, so-called “EU-US Privacy Shield Framework” regarding EU-US cross-border data transfers, was invalidated at the CJEU.

According to the Court, US surveillance law was not proportionate and went beyond what was strictly necessary by granting access and feasibility to collect non-US citizens’ personal data, and was inadequate by not offering any judicial redress against these activities. With respect to the US law, the Court’s decision, by invalidating the EU-US Privacy Shield, left any cross-border data flows on hold and in a legal void.

While the case before the CJEU involved only the US, where the decision deemed US protections insufficient, it means that data protection authorities (DPAs) will likely reach the same conclusion with respect to other trading countries such as Russia, China, India and Turkey. As the European Data Protection Board (EDPB) stated, the threshold set by the Court for third countries also applies to all appropriate safeguards under Article 46 of the GDPR used to transfer data from EEA to any country. [2] Aside from that, the ramifications of this decision do not only indicate to affect European citizens’ access to products and services worldwide, and cause European companies to be hindered in competing across the global market, but also would affect health and pharmaceutical sectors, in cybercrime, fraud, and many other aspects of their lives since it directly interferes with the data flows.

On the other hand, EDPS considers this decision a constructive step to achieve actionable rights for everyone in the scope of data protection and states that it is more than a European fundamental right, but rather a fundamental right widely recognized around the globe. [3] The EDPS also notes that it trusts the US will deploy all possible efforts and means to move towards comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards.

As a direct result of the decision, relevant businesses and organizations in the US will have to reconsider how they would comply with the European data protection laws, as well as data exporters in EU. Fortunately, there are several applicable GDPR mechanisms for cross-border data transfer, such as SCC decision in which the Court also emphasized, or binding corporate rules and derogations.

The Means of the Judgment

Under the General Data Protection Regulation (‘GDPR’) [4], cross-border data flows of personal data are limited. According to Art.44, transferring personal data to a third country takes place only if the third country in question ensures an adequate level of data protection. Even though GDPR expresses the importance of data flows in regard to international trade and cooperation, the regulation also takes concern for the protection of personal data. [5] In accordance with that, data transfers to third countries and international organizations may only be carried out in full compliance with the European data protection law. Therefore, a transfer of personal data can only occur if the controller or the processor complies with the provisions of the GDPR.

With respect to the Schrems II decision, the CJEU considered reaffirming the importance of maintaining a high level of protection of personal data transferred from the EU to third countries. [6] In that respect, the data transfer may only occur in the absence of an adequacy decision, where the personal data exporter in the EU has provided appropriate safeguards, on condition that data subjects have enforceable rights and effective legal remedies. [7]

The CJEU highlights twofold aspects as reasons for invalidation: US surveillance law provisions granting access to personal data related to European citizens that are not compatible with the EU data protection law, not requiring any independent approval from foreign individuals about whom the information will be collected. The other being that not providing a reliable judicial remedy to non-US individuals whose data are collected by the intelligence authorities. According to the Court, the lack of proportionality in US intelligence activities was concerning as they possess less clear legal standards in respect of “necessity in a democratic society to safeguard, inter alia, national security, defense, and public security.”

II. Transfers of Personal Data to Third Countries or International Organizations

There are several ways of ensuring proper personal data security in regard to international data transfer according to the GDPR.

  • Transfers on the basis of an adequacy decision; transferring the data to a third country approved by the European Commission ensures an adequate level of protection that is essentially equivalent to the European data protection laws.
  • In the absence of an adequacy decision; applying proper data protection measures listed in Article 46 of the GDPR, which are signing standard contractual clauses adopted by the Commission, using binding corporate rules, and other measures.  
  • In case neither of these measures is applicable; the companies may transfer personal data in the absence of the appropriate safeguards outlined in Article 49 of the GDPR.
  • Alternatively, making sure that the transferred data is depersonalized.

Standard Contractual Clauses

In addition to invalidating the EU-US Privacy Shield agreement, the Court also examined another widely used method for international data transfer, namely the standard contractual clauses, and considered the relevant legislation Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries valid.

SSCs are signed with the data recipients in a third country, and should only relate to data protection. [8] According to the CJEU, while SCCs are valid, the data controller is also required to assess the third country’s legislation for sufficient protection, specifically regarding judicial redress, and the possibility of access to data from governmental institutions when signing such clauses in each case. Thereby, the validity depends on whether if it includes effective mechanisms to ensure compliance with the level of protection equivalent to that guaranteed within the EU by the GDPR [9], which eventually means that companies will need to evaluate their use of SCCs.

According to the EDPB Statement of 17 July 2020, when conducting a prior assessment, the companies (the exporter) must consider the content of the SCCs, the specific circumstances of the transfer, and the legal regime applicable in the third country (the importer). If the result of this assessment is that the third country does not provide the essential equivalent level of protection, the exporter may have to consider putting in place additional measures [10] to those included in the SCCs. However, the EDPB is yet to come up with what these additional measures could consist of.

If the companies, as data exporters, intend to proceed with the data transfer outside the EEA, despite the negative assessment, then they are required to notify the competent authorities.

Another essential obligation we meet, along with this judgment, is the information obligation of both the importer and the exporter, in relation to change of legislation in the third country. While the Court recalls the importance of complying with these contractual obligations, failing that, the exporter is bound by the SCCs to suspend or terminate the data transfer or to notify the competent supervisory authority if it intends to continue with the process.

According to Max Schrems [11]; the Court’s decision aims to be a call to data protection authorities to become more proactive, and that SCCs can be valid if the Article 4 of the Commission Decision is applicable, where the competent authorities have the power to prohibit or suspend data flows to third countries, which only constitutes an adequate tool if the DPA has a duty to take action. The EDPB also notes this provision in case the SCCs are not or cannot be complied within the third country, and the protection of the data transferred cannot be ensured by other means, in particular where the controller or a processor has not already itself suspended or terminated the transfer.

Binding Corporate Rules

The EDPB states that based on the fact that EU-US Privacy Shield was also designed to bring guarantees to data transferred with other tools such BCRs, therefore, US law will also have primacy over this tool, the Court’s assessment applies as well in the context of BCRs. This means that companies relying on BCRs must undergo a similar case-by-case assessment as the one used for SCCs. However, since binding corporate rules do not constitute an extensible, broad-based solution compared to SCCs, it cannot be considered a definitive alternative.

Binding corporate rules constitute the only data transfer mechanism that carries individual regulatory approval, as supervisory authorities themselves participate directly in the review and approval of the BCRs. By means that, the burden on assessing the adequacy of the safeguards rests with the supervisory authorities if a company uses BCRs, while the user of SCCs must make its own adequacy assessment according to the CJEU. Therefore, it becomes unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. 

According to the European Commission’s guidelines [12], companies must submit binding corporate rules for approval to the competent DPA in the EU. The authority will approve the BCRs in accordance with the consistency mechanism set out in Article 63 of the GDPR. The competent authority communicates its draft decision to the EDPB, which will issue its opinion to be finalized. In accordance with the EDPB opinion, the competent authority will approve the BCRs. In case of approval without any caveats, this will mean by implication, that the contractual safeguards are applicable for data transfer to all third countries in scope. That said, approving BCRs with the caveat that individual data transfers are subject to case-by-case assessment would render the mechanism devoid of what makes them a convenient tool that provides legal certainty.

If the authority decides to reject, the applicant may apply to national courts for an appeal.

Derogations

It is also possible to cross-border data transfer on the basis of derogations set out in Article 49 of the GDPR. The EDPB recalls, in the FAQ and later emphasized in the statement, that it issued guidelines on Art 49 GDPR derogations, and that such derogations must be applied on a case-by-case basis.

Derogations are only applicable in specific situations; therefore, they have a limited scope of applicability. Moreover, derogations only apply where there are not any other transfer mechanisms available, and they serve as the last resort. By that means, derogations only serve as an exception to the requirements for international data transfers. In particular, they are only possible if these three key considerations are met; consent, necessity, and compelling legitimate interests. 

According to EDPB, when transfers are based on the consent of the data subject, the consent should be taken explicitly, specific for the particular data transfer, and informed on the transfer’s possible risks. Aside from that, when the transfer is necessary for the performance of a contract between the data subject and the controller, it is only possible when the transfer is occasional. Lastly, for the legitimate interest criteria, the transfer must be necessary for important public interest reasons. The essential requirement for this derogation’s applicability is that the reason must be “important public interest,” which must be recognized in the EU or national legal framework, not the nature of the organization.

Even though the Court points at Article 49 to avoid creating a “legal vacuum” [13], derogations are not the ideal instrument for international data transfer, given their limited applicability and key criteria, and the necessity to be reviewed carefully before being relied upon as an alternative mechanism. Therefore, it is unlikely that derogations would be in use to fill the gap that comes from the judgment.

Supplementary Measures

The Court highlighted that following an assessment, providing necessary supplementary measures is the primary joint responsibility of the data exporter and the data importer. Moreover, the supplementary measures will be envisaged where they would have to be provided on a case-by-case basis as necessary, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, in order to check if it ensures an adequate level of protection. By that means, the EDPB considers that companies to assess the supplementary measures to ensure that the law of the third country does not impinge on the adequate level of protection.

The EDPB also underlines that in a case where the assessment reveals that such protection is not guaranteed, it is required to stop or suspend the transfer.

However, the EDPB is still in the process of analyzing to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own. Therefore, companies and organizations are required to find supplementary measures by themselves, pending future guidance from the EDPB.

III. Companies’ and Organizations’ Viewpoint

Companies are undeniably the most affected parties from these recent developments. Without EU-US Privacy Shield to facilitate them, how to maintain cross-border data transfer and relevant complications to these flows brings along a constrained process of evaluating their responsibilities. To establish a lawful transfer, companies now have to conduct a thorough analysis in order to meet the accountability requirements.

The EDPB stated that it would not be providing a grace period for companies to continue to rely on Privacy Shield, indicating that the Court has invalidated the EU-US Privacy Shield decision without maintaining its effectiveness. By means that, companies and organizations will have to be more aware and precautious of their responsibilities and obligations due to international data transfer during this transitional period.

The Court had already pointed to SCCs as the essential substituent data transfer mechanism and confirmed its validity. According to the EDPB, whether or not the company can transfer personal data on the basis of SCCs will depend on the assessment. This means that companies must assess the SCCs relevant to the data transfer taking into account the circumstances of the transfers and supplementary measures that could be put in place. This assessment process would have to ensure that neither US law nor any other third country that data transfer would take place, impinges on the adequate level of protection.

As stated above, in case the company concluded that taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, then the company is required to suspend or end the transfer. However, if the company intends to keep the data transfer to occur despite this conclusion, then there is an obligation to notify the competent supervisory authority.

Conducting Case-by-Case Analysis

With respect to the Schrems II case, the Court imposes on companies an obligation to assess if the level of protection in the recipient country is essentially equivalent to the level provided within the EU by GDPR. As stated by the Court in its Press Release No.91/20[14], “the assessment of that level of protection must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.”

According to this provision, companies are now under the obligation of conducting an assessment when using other data transfer mechanisms since the Privacy Shield is no longer an option. Evaluating each and every third country’s laws for international data transfer is not only a challenging burden, but also practically troublesome for any organization from large corporations to smaller businesses. How could it be expected that a company assesses the national security laws and the practices of their intelligence services accurately in order to send their HR data is another issue that needs to be solved arising from this situation. To find a solution to that question, detailed guidelines must be published from the competent authorities.

In waiting for the guidelines and key aspects from the authorities on how the assessment should occur when transferring data to third countries, there are certain outlooks to handle the issue in a comprehensive manner. In order to achieve that, the first step would be to carefully go around the SCCs and cooperate with the importer to ensure to address all the provisions partaking in the clauses. Subsequently carrying out due diligence in following matters; the type of data subject to transfer, type of data subjects themselves, the purpose of data processing, the industry sector of the recipient, retention period, the law of the recipient country, and whether these laws bound the importer, and whether and to what extent the governmental agencies may require disclosure of data. It is also practical and convenient to place additional measures of protection if necessary, to cure any deficiencies identified in the due diligence. Aside from these procedures, data minimization or encryption is also subsidiary vice options to take into consideration.

The Activities of the Contractually Bound Processor

Current challenges after the Schrems II judgment also call for attention to controller-to-processor transfers of data. Fortunately, the EDPB pays attention to processor activities in its FAQ, and further states that, the contract the controller has concluded with the processor in accordance with Article 28.3 of GDPR provides whether data transfers are authorized, or not. In case of a matter relating to the processor’s cross-border data transfer, authorization has also to be provided per purpose of processing and transfers.

Suppose the data may be transferred to the US, and neither supplementary measures can be provided nor derogations under Article 49 apply. In that case, the only solution is indicated to be to negotiate an amendment or supplementary clause to the contract between parties to forbid transfers to the US. The EDPB further elaborates that data should be stored but administered elsewhere than in the US. If the data may be transferred to another third country, the controller should also verify the legislation of that third country to check if it is compliant with the requirements of the Court, and with the level of protection of personal data expected. If no suitable ground for transfers to a third country can be found, personal data should not be transferred outside the EEA territory, and all processing activities should take place in the EEA.

Conclusion

While it is still an issue of concern how the consequences of this judgment will manifest in practice, companies that export and import data, will bear some residual risk for now. The Court sets out quite a burden on businesses exporting data to other countries that wish to use SCCs; they must consider the law and practice of the country in which data will be transferred, especially if public authorities have access to the data. Additional safeguards, beyond the SCCs, may be required. The EDPB also presses the competent authorities’ part and duty to diligently enforce the applicable data protection legislation and, where appropriate, to suspend or prohibit transfers of data to a third country.

Companies can no longer treat contractual clauses as a mere formality; instead, they are now compelled to treat with care, and monitor their ability to comply with the contractual terms.

Apart from that, on a broader scope, concerning Schrems II decision, EU now possesses a quite narrow scope of movement in regard to international personal data transfer, and eventually, inflows international trade and communication. Especially when it comes to relations with authoritarian countries such as Russia and China, it is not foreseeable to find a lawful basis for data flow to occur. Considering the main remaining concerns of the absence of substantial checks and collection and access of personal data for national security purposes regarding US surveillance law [15], any other third country which may not be authoritarian in nature, but performs similar practices in surveillance enforcements such as Turkey, might also fall under the same scope of the evaluation.

In the meantime, the EDPB intends to continue playing a constructive part to provide assistance and guidance in building a new framework in the US that fully complies with the European data protection law, securing a transatlantic transfer of personal data that benefits EEA citizens and organizations.

Att. Gokce Ergun

 

References:

1. Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems https://noyb.eu/files/CJEU/judgment.pdf

2. https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf

3. EDPS Statement following the Court of Justice ruling in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”) of 17 July 2020.

https://edps.europa.eu/sites/edp/files/edpsweb_press_releases/edps-2020-08_schrems_edps_statement_en.pdf

4. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

5. GDPR Recital 100.

6. EDPB Statement of 17 July 2020.
7. GDPR Article 46.

8. Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC, Recital 4.

9. Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems, adopted on 23 July 2020.

10. See, Supplementary Measures.

11. Schrems II: An In-Depth Interview with Max Schrems, Privacy Culture, 30 July 2020.  

12. European Commission – Binding Corporate Rules (BCRs) & Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors (wp263rev.01)

13. Case C-311/18 – paragraph 202.

14. Court of Justice of the European Union, Press Release No 91/20, Luxembourg, 16 July 2020, Judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems.

15. EU-US Privacy Shield – Second Annual Joint Review, adopted on 22 January 2019.