This article provides practical guidance on how organisations should respond to the Schrems II judgement.
We have previously written about the now-infamous ruling of the European Court of Justice of 16 July 2020 ('Schrems II') and about the FAQs issued by the European Data Protection Board (the 'EDPB') on 24 July 2020.
As was clear on 30 July, the position is still very grey and we await further guidance from governments and regulators, but for now we set out below seven steps that we recommend EU organisations should take in light of Schrems II.
1. Map international transfers
Map your international transfers, both intra-group and through your external data supply chain, to understand where your personal data is going, what mechanisms are currently being relied on to transfer it outside the EEA, whether the transfers are strictly necessary, and whether the data could easily be stored elsewhere within the EU (although note that, according to Schrems II, EU storage does not necessarily put the data out of the reach of the US NSA). Ideally, as a first step, if a data transfer does not need to happen, you should suspend or modify it (although we suspect that in reality this is unlikely to be a viable option for most organisations).
2. Move away from Privacy Shield
Where you are relying on Privacy Shield to transfer personal data to the US, you should be looking into alternative transfer mechanisms for moving personal data out of the EEA to the US. Note that some organisations are playing a waiting game to see whether the EU Commission and the FTC come up with a Privacy Shield II, but this is very unlikely to come to fruition before the US General Election; bearing in mind the EDPB's statement that there is no grace period, waiting would now be a risky strategy.
3. Data Transfer Assessment
Where you are relying on SCCs (Standard Contractual Clauses) or BCRs (Binding Corporate Rules) to transfer personal data generally outside of the EEA, you should review the territories into which personal data is being transferred and make an assessment as to whether the local laws limit or prevent EU data subjects from enjoying their fundamental rights under the EU charter ('Data Transfer Assessment').
Of course, carrying out a full Data Transfer Assessment is in most cases unlikely to be realistic on a normal budget, so an element of proportionality will need to be applied. As a minimum, questions should be put to the data importers to help you determine whether the transfer will be lawful in light of Schrems II. For certain jurisdictions, it might be worth obtaining legal opinions from local lawyers, although in reality such an opinion is unlikely to be a quick one-liner, so there will be a cost. For transfers to the US, Schrems II has done some of the work by clarifying that transfers to organisations that are subject to US surveillance laws are likely to be invalid without further supplementary measures or contractual comfort (see below for more detail).
4. Look to rely on Article 49 derogations
For certain ad hoc transfers, it might be a viable option for organisations to rely on other Article 49 derogations such as explicit consent of the data subject or necessity for compliance with a contract with the data subject. Although these might in certain circumstances be viable options, the Article 49 derogations have limited application and reliance on these derogations is unlikely to be a long-term solution for regular data transfers.
5. Supplementary measures
Where the Data Transfer Assessment is unable to give the required comfort that the fundamental rights of EU data subjects will not be negatively impacted, and you choose to go ahead with the transfer, it will be up to you to agree with the data importer what supplementary measures can be taken to reduce or eliminate this risk. Basic steps such as enhanced encryption are likely to be a standard supplementary measure, although other measures may also be required. This is an area in which we need regulators to act promptly to provide some much-needed guidance.
6. Obtain contractual comfort
If, having carried out the Data Transfer Assessment, you decide to go ahead with the transfer, you should also try to augment the underlying contract. The SCCs already contain certain assurances from the data importer as well as obligations to notify. For example, the controller to processor SCCs require the data importer to warrant compliance with the SCCs and to notify the data exporter if it:
- cannot comply with the SCCs or the data exporter's instructions;
- is aware of any local legislation that would prevent it from complying; or
- receives any request to disclose personal data to law enforcement authorities, unless prohibited from notifying by local law.
However, we recommend you look to supplement these warranties with additional contractual provisions to provide further legal and commercial comfort. Such provisions should focus on giving data exporters the right to attempt to challenge governmental requests before the data is handed over (where possible), the right to require the data importer to take additional supplementary measures, rights of termination, allocation of costs where the data exporter is required to suspend transfers, and allocation of liability.
It should also be noted that the SCCs slightly differ depending on whether the transfer is controller to processor or controller to controller, so additional contractual provisions might be required where relying on controller to controller SCCs.
Just to add one more wrinkle, the SCCs are currently under review by the EU Commission and we understand that the EU Commission will in due course issue updated SCCs (including the long-awaited processor to sub-processor clauses). We have had no indication of when these are due to be released and it does not appear to be at the top of the EU Commission's agenda, despite pressure from privacy practitioners. Hopefully, now that this case has 'approved' SCCs, the EU Commission might hurry up and release the updated versions by the end of this year. However, bearing in mind the delays to date, the fact that revised SCCs are pending should not delay your decision to move to SCCs. Instead, you should ensure that you have a contractual mechanism to easily swap in the revised SCCs when they are eventually released.
7. Keep transfers under review
The Data Transfer Assessment should be treated like a data protection impact assessment (DPIA) and kept under continuous review. As more guidance is released and certain supplementary measures become commonplace, your initial Data Transfer Assessment is likely to evolve, and further steps may need to be taken to ensure compliance.
And finally, don't panic: this is a major decision by the EU and one that is likely to have serious ramifications for a long time to come. Right now, we are working with a decision that has a material economic impact but with limited guidance, so it is in our view unlikely that regulators will go in heavy handed.
However, that does not mean you should do nothing. Data subjects will, of course, continue to have direct rights of action, and one can never truly predict the regulators. Therefore, if you are carrying out international transfers, it is important that you take steps to put a compliance narrative and paper trail in place.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.