A landmark data protection case in Europe last month has the potential to impact how personal data flows from the EU to the Middle East. This is relevant to any business that shares personal data with affiliates or business partners in Europe or targets customers who are resident in Europe. Our special briefing considers the judgment in the case known as Schrems II and its impact on organisations outside Europe and the US.
On July 16 2020, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems II case C-311/18 (the Judgment) which invalidated the EU-US Privacy Shield (a framework for regulating exchanges of personal data for commercial purposes between the European Union (EU) and the United States) and called into question the extent to which data exporters that fall within the scope of the EU General Data Protection Regulation (GDPR) can rely on the European Commission's Standard Contractual Clauses for international data transfers (SCCs).
We explain below the effect of the Judgment on cross-border data transfers and what companies outside Europe and the US, whether acting as data exporters (if their data processing operations are caught by the GDPR) or importers of data from the EU, should consider when entering into SCCs.
Why is this relevant outside Europe (and the US)?
The rapid rise in technological developments, digital networks and global inter-connectivity has spurred an immense reliance on data. In our digital economy, data is more valuable than ever. For businesses operating on a global scale, international transfers of data are an essential element of daily business operations.
Companies located outside Europe may, for example, store personal data on cloud servers hosted in the EU, share employee data with a parent or subsidiary of their group based in the EU, or receive customer data from affiliated entities or business partners in the EU. All of these data flows potentially involve a regulated transfer of personal data that would be caught by the GDPR.
As a result of the continuous growth in the volumes and use of data and the introduction of the GDPR in 2018 – now considered as the "gold standard" of data protection laws across the globe – there has been an increase in global regulation in this area, and public and media awareness of data sharing and ownership. Sanctions for failure to comply with these rules can be severe and the reputational damage may be even more significant.
International data transfers and the GDPR
Under the GDPR, cross-border data transfers outside the EU may take place if the country to which data is exported is deemed to ensure an adequate level of data protection, as assessed by the European Commission. The few countries that have been approved to date include Argentina, Canada, Japan, New Zealand and Switzerland, but the list does not include major markets such as Brazil, India, China, Australia and most of the APAC region, the Middle East and Africa.
Personal data can be transferred from the EU to "non-adequate" third countries if the controller (i.e. the entity that determines how and why personal data is processed) or processor (which processes personal data on behalf of a controller) implements appropriate safeguards. The most commonly-adopted safeguards are the SCCs, which are a number of template forms of agreement approved by the European Commission. The SCCs are entered into between the data exporter and data importer with the aim of protecting personal data leaving the European Economic Area and ensuring that the individual data subjects have a right of redress. The SCCs have been the predominant foundation of cross-border personal data transfers from the EU for many years.
The Judgment and the future of SCCs
The Schrems II case concerns an Austrian privacy advocate, Max Schrems, who filed a complaint with the Irish Data Protection Commissioner in 2015 challenging Facebook Ireland's reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the USA. Schrems argued that, due to the surveillance activities undertaken by US intelligence agencies, adequate protection was not provided to personal data transferred from the EU to the USA under the SCCs or the EU-US Privacy Shield (an approved transfer mechanism replacing the original US Safe Harbor framework that was invalidated by the CJEU in the original Schrems case). The Irish Data Protection Commissioner referred questions to the CJEU as to the validity of the SCCs and the EU-US Privacy Shield.
The CJEU invalidated the Privacy Shield framework holding that EU personal data might be at risk of being accessed and processed by the US government for US surveillance purposes once transferred, in a manner that is incompatible with the privacy rights guaranteed in the EU. Additionally, the CJEU held that there is no remedy available for EU individuals to ensure protection of their personal data after they are transferred to the US.
On the other hand, the CJEU upheld the validity of the SCCs as providing sufficient protection for EU personal data, but with some important caveats. In particular, the Judgment stressed that certain requirements will have to be satisfied in order for data exporters to be able to rely on the SCCs moving forward:
- Organisations relying on SCCs as data exporters have an obligation to take a proactive role in assessing, prior to any transfer of personal data, whether there is in fact an "adequate level of protection" for personal data in the importing jurisdiction. The CJEU noted that organisations may implement additional safeguards, over and above those contained in the SCCs, to ensure an "adequate level of protection" for personal data transferred, although it is not clear at this stage what form those additional safeguards would take. Organisations have been previously entering into SCCs on the assumption that they can be used 'as-is' to automatically provide adequate protection for personal data, without doing anything more. The Judgment makes it clear that this is no longer the case: where an organisation wishes to transfer personal data to a third country not on the adequacy list, then it has to review the data protection laws and practice of that country (and take note, in particular, if public authorities have disproportionate access to data). Where necessary, organisations must include additional safeguards "to compensate for the lack of data protection in a third country". This will be a challenging assessment for many data exporters to make.
- Organisations importing data from the EU based on the SCCs must also take an active role by informing data exporters of any inability to comply with the SCCs. If the data importer is subject to local requirements that would require it, for example, to provide personal data to public authorities in its own country, this may mean that the data importer will not be able to meet its obligations under the SCCs. When non-EU data importers are unable to comply with the SCCs, and there are no additional safeguards in place that would ensure an "adequate level of protection", the data exporter is required to suspend the transfer of data and/or to terminate the contract. Data importers, therefore, will have to assess the data privacy regulations in their own countries to ensure that there are no extensive surveillance or data sharing requirements by public authorities that could affect their ability to comply with the SCCs.
- European supervisory authorities have the obligation to assess and, where necessary, suspend and prohibit transfers of personal data to an importing jurisdiction "where they take the view that the SCCs are not or cannot be complied with in that country and that the protection of the data transferred that is required by EU law cannot be ensured by other means". This may mean that European supervisory authorities will issue separate lists of countries they consider adequate in line with the SCCs.
Key implications of the Judgment
The Judgment raises uncertainties as to the use of SCCs for the cross-border transfer of personal data. It requires many organisations to reassess their processing of personal data that is caught by the GDPR and to make immediate changes to how they transfer such data to third countries that are not, at this stage, included on the European Commission's adequacy list.
The European Commission, however, has confirmed that it is working on alternative instruments for international transfer of personal data, including a review of the existing SCCs.
It is likely that the European Commission views the position created by the Judgment as somewhat invidious for data controllers. After all, the European Commission itself has historically recognised that it is appropriate for assessments as to the adequacy of a third country's legal framework to be carried out by the Commission and not by individual companies. Without an objective regulatory standard being applied to a third country, the prospect is open for controllers to take differing views as to whether or not the SCCs represent adequate safeguards on a case-by-case basis, which from a regulatory perspective seems to fall short of the fundamental aim of the GDPR: to ensure consistent protection of individuals' privacy rights.
It is not practical for businesses to cease data flows immediately and there is a pressing need for the European Commission, the European Data Protection Board and the various European data protection authorities to issue clear guidance or further regulation as to the approach that should be taken by controllers.
Impact on businesses outside the EU and the US
The majority of non-EU businesses will not be directly subject to the GDPR; however, the GDPR potentially has extraterritorial effect, which means its application cannot be completely discounted, particularly where entities operate as part of a global business or sell to consumers in Europe. In the absence of timely further guidance from regulators, companies that fall under the scope of the GDPR should consider:
- assessing their data transfer flows which are subject to the GDPR and identifying the countries to which they transfer such personal data. For countries that are not on the adequacy list, they will have to determine suitable methods to transfer the personal data to those countries: for example, using BCRs (Binding Corporate Rules) for intra-group transfers instead of SCCs, if available;
- developing a due diligence procedure and updating compliance programs that allow for the monitoring of relevant aspects of the legal system and practices of third countries to which personal data is transferred;
- considering additional provisions that may need to be included in the SCCs, both generally and on a case-by-case basis; and
- monitoring further guidance from the European Commission, the European Data Protection Board (an EU body in charge of the application of the GDPR) and European supervisory authorities.
The above measures represent a significant burden on companies and we would be surprised if there is an immediate rush by businesses to respond to the Judgment but, as it stands, the impact of the Judgment suggests that these steps will be necessary.
Non-EU businesses that import data under SCCs may need to:
- put in place mechanisms to assess whether their country's data protection laws and practices allow them to comply sufficiently with the SCCs;
- if part of a group with operations in Europe, consider at group level whether to seek to have BCRs approved by a data protection authority;
- consider how to reassure business partners in Europe and be prepared to receive specific questions from data exporters and to provide evidence regarding practices and procedures that are in place to protect personal data, including the type of security measures that are used; and
- consider the terms of any particularly significant data importing agreements; many commercial agreements, for example, contain force majeure provisions or change in law provisions which may be applicable when there is a change in interpretation of applicable law. The Judgment may therefore allow for contractual rights to be exercised that would enable the exporting party to terminate or suspend the agreement, or revisit commercial terms to deal with the costs of compliance. If the possibility of losing a material contract exists, then the business may want to consider how it will respond and whether it is possible to have any practical workarounds available to conduct the data processing activity in question in an approved adequate jurisdiction.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.