On 16 July 2020, the Court of Justice of the European Union (the "Court") published its much anticipated ruling in the Schrems II case[1], in which it considered whether the transfer of personal data by Facebook Ireland to Facebook Inc, which is located in the U.S., under the EU-U.S. Privacy Shield or through the use of standard contractual clauses ("SCC") was permissible.
The ruling has significant implications for EEA-U.S. personal data transfers but also for all other personal data transfers between EEA member states and third countries whose data protection regimes have not yet been assessed by the European Commission as offering an equivalent level of protection to data subjects.[2] This will be of particular relevance to those who transfer personal data to the UK given that it will become a "third country" for data protection purposes when the transition period expires on 31 December 2020.
In this client briefing, we consider the potential ramifications of the ruling for Irish funds and their service providers.
There is no outright prohibition on the transfer of personal data from the EU to the U.S. under the Court's ruling. However, it did declare the Privacy Shield, one of the mechanisms used by EEA organisations to transfer personal data to the U.S., to be invalid on the basis that it did not ensure that EEA data subjects were afforded essentially equivalent protection to that provided under the GDPR.
In the FAQ published following the ruling, the European Data Protection Board (the "EDPB") confirmed that the Privacy Shield was invalidated with immediate effect. Therefore data exporters which relied on the Privacy Shield as a legitimate means of transferring personal data from the EEA to the U.S. will need to consider an alternative mechanism for any future transfers.
Standard Contractual Clauses
The Court held that the standard contractual clauses set down in Decision 2010/87/EU (the "SCC") remain valid.
Transfers of Personal Data to the U.S. using SCC
However, as noted above, the Court held in its ruling that U.S. law does not ensure an essentially equivalent level of protection to that afforded to data subjects under the GDPR.
The EDPB notes in its FAQ that in order to continue to transfer personal data to the U.S. using the SCC, the data controller should assess whether the circumstances of the transfer and any supplementary measures which it could put in place are sufficient to ensure that the SCC offer an adequate level of protection to data subjects.
If, taking into account the circumstances of the transfer, any supplementary measures put in place are not sufficient to provide this level of protection, the SCC cannot be used as a valid mechanism to transfer personal data to the U.S.
Transfers of Personal Data to Other Third Countries using SCC
The FAQ issued by the EDPB sets down the requirements which must be met where SCC are used to validate transfers to other third countries; these are detailed in the diagram below.
Binding Corporate Rules[3]
The FAQ confirms that data transfers effected under binding corporate rules ("BCR") to both the U.S. and other third countries should be analysed using the same criteria as those applicable to SCC outlined above.
What is meant by "supplementary measures"?
The EDPB has confirmed that it is considering what types of supplementary measures could be provided in addition to the SCC and the BCR, and whether these would be legal, technical or organisational measures.
It has committed to providing more guidance on this; however, no such guidance is available yet.
Are there any alternative mechanisms for transferring personal data to the U.S. or other third countries?
While there are a number of other derogations set down in the GDPR legitimising the transfer of personal data outside of the EEA, the most relevant of these in the funds context is consent, which must be "explicit".[4]
It is worth noting that the ruling does not consider the issue of consent; however, if a fund were to rely on consent as the appropriate transfer mechanism, a few considerations should be borne in mind.
Firstly, it is worth highlighting that the consent of each investor to the transfer of personal data outside of the EEA must be obtained. While it may be easier to obtain consent from investors in a new fund, it is not without risk, as the investor may either inadvertently or deliberately not tick the consent box in the share application form. Obtaining consent from all investors in an existing fund may also prove challenging, depending on the size of the fund and the investor type.
It should also be borne in mind that the investor has the right under Article 7(3) of the GDPR to withdraw his/her consent to such transfers at any time, meaning that reliance on consent as the valid transfer mechanism may, depending on the specific circumstances, be somewhat precarious.
What action should funds be taking now?
As noted above, the EDPB has committed to providing guidance on supplementary measures which could be used to allow data exporters to continue to use SCC or BCR to transfer personal data outside of the EU.
However, pending the publication of such guidance, we are advising our fund clients to take the following steps:
- Ensure that the inventory of all transfers of personal data outside of the EEA, either by the fund itself or by any data processor it has appointed, whether intra-group or extra-group, is reviewed to ensure that it is up-to-date.[5] We would suggest that this inventory should include at a minimum (a) all third countries to which personal data for which the fund is data controller is being transferred; (b) the mechanism currently used for such transfer; (c) the types of personal data being transferred in each case; and (d) any existing security arrangements in place to protect the personal data so that data subjects are given equivalent protection to that offered under the GDPR.
- If transfers outside of the EEA have been conducted under the Privacy Shield to date, the fund as data controller will need to ensure that SCC are put in place with the relevant U.S. data importer as soon as possible, bearing in mind the additional requirements which should be adhered to as outlined above;
- If transfers outside of the EEA are currently being conducted under SCC or BCR, the board of directors of the fund may want to engage with their data processors (and in particular the administrator) to determine what measures the relevant data processor is taking in light of the ruling of the Court.
[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems
[2] The European Commission has issued adequacy decisions in respect of Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay
[3] Article 47 of the GDPR
[4] The Article 29 Working Party Guidelines provide that "the term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future".
[5] In considering the list of countries to which personal data is transferred, consideration should be given to where personal data can be accessed from, as this amounts to a "transfer" of personal data under the EDPB's FAQ.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.