Schrems II: What Next for Businesses?

Whilst privacy experts reflect on the fall of the EU-US Privacy Shield framework following the decision of the European Court of Justice (“CJEU”) in Schrems II (Case C-311/18- Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems), businesses that rely on Privacy Shield to transfer data are left wondering what the decision means for them in practice. Can any personal data now be exported from within the European Economic Area to a country outside it

This is the latest round in the long-running battle between Austrian lawyer Max Schrems and Facebook Ireland over Facebook’s transfer of personal data to the USA where it is subject to access by the U.S. intelligence services. There has always been a tension between the U.S. approach to data, that it is subject to the primacy of U.S. surveillance laws and individual’s privacy rights are not recognised – the polar opposite of the EU approach to data protection – the EU’s approach based on the primacy of the individual’s rights over their personal data. In 2015 Mr. Schrems saw off the so-called “Safe Harbour” scheme agreed between the US Department of Commerce and the EU Commission which had operated since 2000 and now he has seen off its replacement, the “Privacy Shield”. 

Summary of the CJEU’s Decision

The CJEU kept alive the standard contractual clauses (“SCCs”) by confirming their validity but at a significant price. A business transferring data to a third country (i.e. outside the EEA) under the SCCs must, prior to any transfer, verify whether the law of that third country ensures an equivalent level of protection to EU law. Where the law of the third country does not ensure such protection, the transferring business must provide ‘additional safeguards’ or suspend transfers.

The Privacy Shield framework did not get the same treatment with the CJEU pulling the plug on it. The CJEU had its reasons: U.S. domestic law has primacy over Privacy Shield and enables U.S. intelligence services to access personal data transferred from the EU without limiting that access to what is strictly necessary and proportionate. To compound the problem, U.S. law does not provide effective remedies for data subjects. These deficiencies meant that the CJEU had no option but to declare the Privacy Shield adequacy decision invalid.

Currently, more than 5,400 companies had signed up under Privacy Shield. Ironically, the U.S. Department of Commerce has said that it will continue to administer the Privacy Shield framework including processing submissions for self-certification and re-certification and that companies signed up to it are not relieved of their obligations.

Unless the U.S.A. moves to establish privacy laws sufficient to satisfy the EU it is hard to see any programme being capable of functioning to ease transfers of data to the U.S.A.. Some States are moving in that direction. 
The SCCs which pre-date the EU General Data Protection Regulation (GDPR) are to be updated. The European Commission is in the process of revising SCCs to take into account GDPR, and confirmed that  it will modify them following the CJEU decision.

Next steps for businesses

The immediate result of the decision is that businesses can no longer rely on Privacy Shield to transfer data to the U.S.A.

Businesses do not have the benefit of a grace period (unlike when the EU-US Safe Harbour regime was struck down) so any further transfer on the basis of the Privacy Shield framework is illegal. Despite this, there is no reason to panic.

Supervisory authorities are not likely to launch investigations straightaway against businesses that transfer data in reliance on Privacy Shield. Indeed, from a UK perspective the Information Commissioner’s Office immediately issued a statement to this effect:

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.

“We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.” 

Since then they have issued a statement that further work is underway to produce further guidance.
However, there are a number of important steps you should take to ensure you address the issues highlighted by the CJEU’s decision:

1. Review all data transfers to third countries and the basis for the transfer. 
   Look out for transfers to third countries on the basis of Privacy Shield, SCCs or Binding Corporate Rules (“BCRs”). These transfers can be to other organisations within your group or to third parties.
2. Assess each transfer. 
   As the business making an international transfer you should verify the following: the third country to which data will be transferred; whether domestic law enables public authorities to access data; whether such access is limited to what is necessary and proportionate; what additional safeguards, if any, should be applied to protect the data (e.g. encryption); whether domestic law provides effective remedies for data subjects. 
3. Only transfer where equivalent protection is afforded.
   If, like in the U.S., the domestic laws of the third country take primacy and do not respect the protections afforded by an appropriate safeguard then you must suspend or terminate further exports of data.
4. Develop a plan for transfers made on the basis of Privacy Shield.
   The ICO has stated that for the time being, businesses relying on Privacy Shield to transfer data to the U.S. can continue to do so but any business not currently relying on the framework should not start now. If you rely on Privacy Shield and need to continue making transfers to the U.S. you should check whether you can use an alternative mechanism such as SCCs or BCRs (but BCRs may be unattractive as difficult  and slow to implement). 
5. Evaluate whether any derogations are available. 
   Where appropriate safeguards such as SCCs and BCRs are not viable alternatives you may be able to rely on a derogation under Article 49 GDPR for limited transfers.
6. Continue to monitor developments.
   Guidance is expected from supervisory authorities and from the European Data Protection Board (“EDPB”). Make sure you stay closely aligned with such guidance and be prepared to update your assessments and plans accordingly. 

In essence, what is really needed is a TIA – a Transfer Impact Assessment – but the Data Protection Authorities across the EU may struggle to create a uniform approach, just as they are not currently in response to Schrems II. 

The message is clearly not “Keep calm and carry on” but equally, “Don’t panic” and…

all businesses which transfer data outside the EEA (and not just to the USA) need to obtain legal advice to help them navigate this new privacy landscape and to support them with their international data transfers. Boyes Turner’s commercial & technology team advises many international businesses on their data protection obligations.