Introduction – The challenge of extra-territoriality for non-EU businesses and GDPR
Since the introduction of the General Data Protection Regulation (GDPR) in 2018, Australian businesses, like other non-EU domiciled businesses around the world, have grappled with the extra-territorial operation of the GDPR, particularly in the absence of a body of clear judicial interpretation on the point. It led to something of a compliance conundrum for businesses without an EU establishment but who were arguably targeting individuals in the EU in the ordinary course. Local EU Member State regulatory guidance provided some indicia by which to assess this issue, but it was only just that, guidance, as to whether the GDPR applies.
The potential for significant penalties for non-compliance with the GDPR only reinforces the conservative approach that Australian businesses acting as controller (where they are aware of this and of the need to make a conscious self-assessment in the absence of an EU establishment) have tended to take to GDPR compliance. This has given rise to significant cost in the absence of that clear judicial interpretation.
Of course, where the Australian businesses act in the capacity of processor for a controller who has an EU establishment (or is otherwise caught by GDPR and is aware that it is caught), the application of the GDPR is a given, and controllers flow through the standard contractual clauses (SCCs) as part of their data processing agreements (DPAs) with the processor.
The pace of international commerce, and the need for data flows to support global business models – the oil of the 21st century as we commonly hear – demand immediate compliance. In many cases, these data flows relied on the Privacy Shield (for US-based transfers), and the SCCs (for both US and non-US transfers). Consequently, this has led to GDPR becoming a ubiquitous data protection standard given the need of most businesses engaged in international trade to engage with the EU, so that what is an internal European standard has rapidly morphed into a quasi-global one. With that reach has come uncertainty and that uncertainty is reinforced by this recent decision.
The decision on 16 July of the Court of Justice of the European Union (CJEU) in case C-311/18 (Schrems II) presents significant issues for parties involved in such data flows. Of course, much of the interest in the decision focuses on its invalidation of the US-EU Privacy Shield. This is entirely understandable given it was relied upon by so many parties to ensure the lawfulness of data transfers to the US from the EU. So whilst Australian businesses are largely unaffected by that (save where they are using US processors in relation to EU-originated data who themselves rely on the Privacy Shield), they are significantly impacted by the discussion of the appropriate use of SCCs.
Schrems II raises significant practical questions about the use of SCCs to effect lawful transfers of data from the EU to countries without adequacy decisions. This has potentially huge implications for businesses based in Australia receiving EU data, and even more complex implications for Australian businesses who receive EU data but also have operations or infrastructure in other non-EU jurisdictions, especially in respect of those jurisdictions which would not satisfy the requirements for an adequacy decision or an analysis of equivalence.
The CJEU's decision is instructive (rather than welcome) to the extent it offers judicial interpretation about the validity of the Privacy Shield and SCCs but its implications give rise to such uncertainty for granular compliance that it may ultimately be the catalyst that drives a hastening of regulatory alignment around the world. In casting doubt on the sustainability of business models that involve data flows to countries without adequacy decisions, prompting uncertainty for global data flows and leading to significant work for data exporters, data importers and the supervisory authorities in charge of those parties all over the world, it inexorably will demand a response wider than merely from within the EU itself. This is the unintended consequence of such informal extraterritoriality in a digital world.
The background and the decision
As a brief recap, the Schrems cases relate to a complaint filed with the Irish Data Protection Commissioner in 2015 by Austrian Max Schrems, which challenged the legal basis for Facebook's transfers of data from Ireland to the USA.
The ECJ in the first Schrems case (C-362/14) struck down the US-EU Safe Harbour Framework (the predecessor to Privacy Shield). However, it was subsequently revealed that Facebook had in fact relied on the SCCs to transfer the data to the US, not the Safe Harbour.
Accordingly, Schrems amended his complaint to challenge the SCCs themselves (and any other basis for data export). While he did not complain about the Privacy Shield arrangement itself, the CJEU felt it necessary to provide an opinion on that mechanism. As it turns out, that was a monumental decision.
In its Schrems II decision, the CJEU made several significant findings. In summary:
- the GDPR applies to transfers of personal data for commercial purposes from a party in the EU to a party established in a third country, even if that data may be subject to processing by the government in the recipient country for public security, defence, and State security;
- the level of protection provided by the SCCs must be read in the context of the legal framework of the recipient country, including regarding any access to data by public authorities in the recipient country, and the legal rights of the data subject in that country;
- supervisory authorities are required to suspend or prohibit transfers to countries where the protection for the data does not provide equivalent protection to that in the EU;
- the SCCs are valid (but subject to the overarching adequacy of the data protection arrangements including as a result of applicable laws in the recipient country); and
- the Privacy Shield is invalid, because certain US laws which allow US Government access to data, and the absence of appropriate data subject remedies, means there is not the same level of protection as there is in the EU.
Implications for Australian parties (and other data recipients without adequacy decisions)
For Australian parties used to dealing with questions of extra-territoriality, there is another key area of inquiry to focus on.
It is uncontroversial that any transfer of data from the EU must be made in accordance with Articles 45 and 46 of the GDPR. Australia does not have adequacy recognition under the GDPR, and so in order for data to be transferred lawfully out of the EU to Australia, those transfers must effectively be made in accordance with either the SCCs or binding corporate rules (we acknowledge there are limited other possibilities – like contractual necessity – but they are not relevant for the purpose of this discussion).
Given that most entities do not have approved binding corporate rules, the most commonplace approach is through the use of SCCs. While the decision did confirm that SCCs can be a valid basis for transfer out of the EU, it also confirmed that this is only the case if two additional conditions are satisfied:
- the data exporter and the recipient of the data must take proactive steps to verify, prior to any transfer, whether there is an 'adequate' level of protection in the recipient jurisdiction; and
- the recipient must inform the data exporter of any inability to comply with the SCCs, and the exporter must in that case suspend the transfer of data and/or terminate the contract with the recipient where there are no additional safeguards in place to adequately protect the data to the standard required by the GDPR.
Further, it is clear that where a controller does not suspend or cancel the transfer, competent supervisory authorities are required as part of their duties to step in and suspend or prohibit a transfer of personal data to the recipient country where they take the view that the SCCs are not being, or cannot be, complied with in that country, and that the protection of the data transferred that is required by EU law cannot be ensured by other means.
These conditions provide significant practical challenges for the parties and the supervisory authorities.
As to the first point, it is unclear in practice how a comprehensive assessment can be made. The concern with the Privacy Shield that ultimately led to its being invalidated was the fact that the US surveillance regime overrode the SCCs (because US government surveillance could happen irrespective of the SCCs being signed), the US surveillance program itself failed the proportionality principle (because it involved the indiscriminate collection of data), and data subjects did not have adequate enforcement rights, so the CJEU was not satisfied that the US law provided an adequate level of protection. For similar reasons, the use of SCCs to support transfers to the US would appear to present difficulties.
Without even beginning to start that assessment, it appears to us that there are real questions to be answered here in the context of Australia's regime. Australia itself is part of the Five Eyes intelligence community (together with the USA, UK, Canada and New Zealand), which gathers and shares intelligence material, no small part of which is gathered through various forms of surveillance. There are numerous laws in Australia governing surveillance and data access, which in the main relate back to public safety and national security. It is not immediately obvious what level of national security surveillance is acceptable without offending GDPR standards, and so clearly there are some similarities between the Australian and US regulatory landscapes which require further consideration. Separately, data subject rights under Australia's Privacy Act 1988 (Cth) do not fully align with the data subject rights under the GDPR. Clearly, there would be concerns too about the transfer of data to countries like China, and about business or service models which facilitate such transfers.
As to the second point, the requirement is onerous. Not only does it impose an ongoing monitoring burden on the recipient, but it requires the exporter to have immediate contingency plans so that it can comply with its own obligation to suspend the transfer or cancel the contract (or react if a competent supervisory authority steps in). Whether this is realistic in the real world is doubtful. More likely, it makes the transfer of data to parties outside the EU a less attractive commercial option.
Finally, supervisory authorities themselves are required to be proactive in assessing and monitoring the circumstances of overseas data transfers (and presumably, the changes in those overseas laws that might subsequently make compliance with the standard contractual clauses impossible). Given the multiplicity of authorities, how they make these assessments, and whether there is coordination between them remains to be seen. Will an informal list of 'adequate' jurisdictions evolve; will there be a spate of adequacy applications?
So, who should be most concerned?
The CJEU has highlighted that the onus is on businesses and national data protection authorities to scrutinise transfers, and the parties' ability to comply with the SCCs, on a case-by-case basis. Therefore, anyone who is a party to the SCCs ought to be reviewing their data flows and data handling practices and analysing their ability to comply with the additional conditions. This was, admittedly, already part of the SCC regime, but we would hazard a guess that it was not uniformly complied with, and many will find this focus on the additional assessment requirements to be a new challenge.
Based on what we see in data transfer arrangements, a few common scenarios spring to mind for Australian parties as being particularly high-risk.
- The Australian processor: Australian processors that provide services to EU-based controllers will face additional scrutiny and questions about the Australian regime and their data handling practices. They may see a reduction in demand for services, or a reduction in data transfers, or perhaps a detailed discussion around what other bases of transfer may exist outside the SCCs.
- The Australian controller with an EU establishment: Australian controllers with European presences who engage processors in countries without adequacy will need to conduct the adequacy analysis and be prepared to suspend or cancel transfers where the level of protection is not sufficient.
- Australian processors and controllers who themselves use US vendors: The use of US-based cloud services that provide storage, computing and analytics on demand through the cloud is commonplace. Many, but not all, of the large players have publicly confirmed in the wake of the decision that they intend to keep using SCCs. Depending on the nature of services used, the jurisdiction selected (including whether a fixed location has been specified), and the data flows, both controllers and processors may find that the Privacy Shield invalidity and ongoing questions about SCCs mean that further inquiries need to be made into the sustainability of these arrangements.
- The Australian multi-national corporate group: Possibly most complex of all, any Australian corporate group which relies on SCCs to export data from its EU entities to its Australian (or other non-EU domiciled) entities will be affected. We see this as being potentially the most complex, because for complex corporate groups there is a likelihood that there are activities and infrastructure not only in Australia but also in other countries around the world. This is where the sheer enormity of the post-Schrems II task becomes apparent, because it may be that more than one country's adequacy needs to be considered.
For a multinational group, it is more crucial than ever to understand its data flows, bases for processing, and supporting business practices. It is also fundamentally important to understand the broader legal landscape that may operate to undermine the literal meaning of the SCCs.
There are so many issues to address. To the extent data is being transferred to Australia, does the Australian legal landscape provide adequate protection? If not, are there other measures that can be taken to address that shortcoming? To the extent data handling (including through subprocessors) involves other jurisdictions, then the same questions arise in connection with those jurisdictions' laws. Do you have infrastructure overseas, or do you engage sub-processors in other jurisdictions which do not have adequacy? If you do, what are those legal regimes like and do they have deficiencies that need to be addressed? Can they be?
It is foreseeable that it might be necessary to stop sharing data with certain countries altogether if the deficiencies in local laws cannot be overcome, and this may require data handling practices to be restructured. While the GDPR speaks to an analysis of the laws in the recipient country, we wonder if broader multi-jurisdictional considerations become relevant for multinational groups. For instance, in extreme cases, even if data is not transferred to a given country, particularly expansive overseas laws may seek to allow government access to data held outside a particular jurisdiction if an entity or group has operations or infrastructure in that jurisdiction. Could this mean that Australian operations become subject to overseas government access rights as a result of non-Australian operations, and would this be an issue relevant for the assessment of the adequacy of protections in Australia for that corporate group? That would provide another layer of complexity to the analysis and undermine data sharing practices and also potentially other aspects of corporate structuring. It is clear that data sovereignty and national security and intelligence laws will be under the microscope, with potentially huge consequences for global data transfers. Those with complex data transfer regimes and operations in multiple jurisdictions will require prodigious knowledge of – or extensive advice around – the equivalence of international data handling laws.
Should the Australian Federal Government be concerned and should it do anything?
Given the potential impact on business and relationships, yes. However, the Australian Federal Government is in the process of negotiating free trade agreements with both the EU and UK right now and should seek to clarify the position of Australian data interests in these free trade agreements so that Australian public and private interests are not impaired by Schrems II.
This is not the first Schrems decision to disrupt global data sharing practices. After all, the first Schrems decision invalidated the Safe Harbour regime between the US and the EU. There was a grace period allowed for parties who had relied on Safe Harbour to adjust to the impact of the decision. It is unclear whether the same grace will be afforded to parties who relied on the Privacy Shield, although it is hard to see how there is any other option.
Quite apart from that issue, of greater importance for Australian parties is determining how to resolve the practical uncertainties that arise from the conditions required to support the lawful use of the SCCs. There is parallel work in the EU on the SCCs, and no doubt as a result of Schrems II there will be a flurry of activity amongst all interested parties.
The free flow of data is fundamental to modern commerce, and so we are confident that interests are aligned in ensuring a practical outcome. There is a clear role for global data regulators – not just competent supervisory authorities, although especially them – to coordinate on this point, and quickly, to provide some certainty on all sides as to what jurisdictions may be workable for data exporters and data importers alike. It also tends to suggest that in the interests of protecting domestic commerce, non-EU data protection regulators like Australia's OAIC should seriously consider working to obtain adequacy (including, as that will invariably require, amendments to local laws).
So this will be an evolving landscape in the short to medium term as the world digests the impacts of the decision. In the meantime, parties relying on SCCs must get to work on ensuring adequacy of protective measures as a whole, beyond merely the contract terms, and as ever from down under, data handling practices will appear for some to have been tipped upside down and significant uncertainty will exist in connection with EU-related data transfers.