Legal Practice | 23.09.2020

International Data Transfers after Schrems II

Introduction

On 10 September, the UIA held a Capsule entitled “International Data Transfers after Schrems II”. The Capsule explored the background to and practical effect of the European Court of Justice’s (CJEU) landmark ruling in the Schrems II case in July 2020 on cross-border transfers of personal data. 

The discussion was moderated by Ian De Freitas, a partner specialising in data protection issues at Farrer & Co in London. The international panel of speakers featured other data privacy specialists: Elisabeth Thole from law firm Van Doorne in Amsterdam; Axel von Walter from Beiten Burkhardt in Munich; and Grant Davis-Denny from Munger Tolles & Olson in California. The panel provided a fascinating perspective on the different data protection issues across a range of jurisdictions and engaged in a spirited exchange of ideas regarding the underlying geopolitical concerns in this area. A running theme throughout was that organisations should not wait to deal with the CJEU’s ruling – they should be taking steps now to address it as regulators will expect a proactive approach to recalibrating how personal data transfers from the European Economic Area (EEA) are taking place.

The legal framework of data transfers from the EEA

The discussion began with Elisabeth explaining the position in relation to organisations transferring personal data from the EEA to “third countries”. To make transfers to third countries, EEA based organisations have to rely on a “gateway” to do this. These gateways are designed to ensure that when the personal data arrives in the third country it receives essentially equivalent protection to the rules that apply in the EEA under the EU General Data Protection Regulation (GDPR). Elisabeth said that gateways that an organisation can rely on are: Adequacy Decisions in respect of third countries issued by the EU Commission, under which personal data can flow out of the EEA with no further safeguard because the third country is deemed to provide sufficient protection under its own laws as assessed by the EU Commission; Standard Contractual Clauses (SCCs) designated by the EU Commission (of which there are three sets), which impose contractual obligations on the transferring and receiving parties designed to ensure the personal data is adequately protected in the third country; and Binding Corporate Rules (BCRs), allowing transfers within groups of commonly controlled companies based in the EEA and third countries. In addition, there are GDPR Article 49 derogations, which allow data transfers to take place in specific circumstances where no other gateway is available. Elisabeth said organisations are often not aware that they are making transfers to a third country. For example, a very common one is a company outsourcing data storage to servers based in a third country.

EEA-US data transfers and the Schrems decisions

Grant then set out the history of data sharing between the US and the EEA. The overall narrative is one in which the two blocs have struggled to arrive at a satisfactory structure under which US companies can abide by stricter regulations than is typical in America. The first such attempt was “Safe Harbor”, under which US companies agreed to abide by seven “privacy principles” regarding treatment of personal data. While the EU Commission issued an Adequacy Decision in 2000 stating that American organisations adhering to Safe Harbor were offering sufficient protection to transferred personal data, in the wake of 9/11 the increasing surveillance programme in the US raised concerns about whether privacy was sufficiently protected. The Edward Snowden revelations in 2013 about the extent of these surveillance programmes (particularly two called PRISM and Upstream), allegedly allowing US authorities to covertly collect huge amounts of data, fuelled those concerns.

Based on this, a challenge was then launched to the Safe Harbor regime by a privacy advocate, Max Schrems, who complained about Facebook’s reliance on Safe Harbor for transfers to America. In 2015, Mr Schrems was successful before the CJEU in invalidating Safe Harbor. and it was no longer possible to rely on it as a gateway to transfer data from the EEA to the US. The US Government and EU Commission then negotiated a replacement for Safe Harbor, called Privacy Shield. This received an Adequacy Decision from the EU Commission in 2016. Over 5,000 US organisations subsequently registered under this scheme, with some of them receiving transfers of data from thousands of organisations in Europe.

In the meantime, Mr Schrems launched another challenge to Facebook, who had switched to reliance on SCCs for transfers to America after the invalidation of Safe Harbor. Mr Schrems claim was later supplemented by a challenge to Privacy Shield as well. Accordingly, the issues now before the CJEU in the Schrems II case were whether SCCs and Privacy Shield were valid.

Axel explained that in July 2020, in the Schrems II judgment, the CJEU invalidated Privacy Shield with immediate effect, based on three main points: the extent of, and lack of limitations on, US surveillance measures; the inability of individuals based in the EEA to challenge the exercise of those powers: and the lack of independence from the US Government of the Privacy Shield Ombudsman (an arbiter who had been intended to play a quasi-judicial role and be a source of complaint for those wishing to challenge the exercise of US Government powers).

In contrast, Elisabeth explained that the SCCs were upheld by the CJEU. However, the CJEU made it clear that imposing the SCCs was not enough on its own to adequately protect transferred data. An organisation transferring data must additionally assess whether the laws of the receiving country will respect, and not ignore or override, the SCCs so that the level of protection for the data transferred is still essentially equivalent to that guaranteed within the EU. If this cannot be assured then additional measures must be considered to protect the transferred data. However, if no such measures can be put in place then those transfers cannot occur, and EU privacy regulators must suspend or prohibit them. It should be remembered that transfers without a gateway can attract regulatory fines for the transferring party of the higher of up to €20Million or 4% of annual turnover. Elisabeth pointed out that this is not just about transfers to America. Transfers to any third country using SCCs will now need to consider this issue. So, the CJEU’s decision has a global impact. Axel emphasised this in the context of transfers to countries such as China and Russia.

Axel explained that the collective organisation of EU regulators, called the European Data Protection Board (EDPB), had provided initial guidance on Schrems II.  The EDPB emphasised that transfers based on Privacy Shield must stop immediately. However, there has been no more detailed collective guidance to date in areas like the additional measures that might be required to protect transfers at risk which are using SCCs (or BCRs). Frustrated with the lack of activity from regulators, on 17 August, Mr Schrems’ organisation, called None of Your Business (NOYB), issued 101 complaints with regulators in 31 European countries complaining about continued transfers to Google and Facebook in America. The complaints are made against a very wide range of EEA based organisations. The Irish Data Protection Commissioner then issued an interim order to Facebook to prevent it relying on SCCs to transfer data from Ireland to the US. (Note that since the Capsule, this interim order has been suspended by the Irish High Court, with Facebook seeking a judicial review of the Irish regulator’s preliminary decision - Facebook is complaining that without clear regulatory guidance from the EDPB it is too early for regulators to take enforcement action).

Grant explained that, in the immediate aftermath of the Schrems II decision, the US government sought to reassure businesses that transatlantic data transfers would continue. However, he noted that a joint EU Commission/US Government statement issued on 10 August 2020 was heavily qualified. This suggests that it will be difficult to have a Privacy Shield-like approach that satisfies both European privacy requirements and America’s intelligence programmes.

Implications of Schrems II: practical and political

The discussion then moved on to practical steps for organisations to take regarding transfers of personal data to third countries. Elisabeth noted that her firm is assisting clients to map data transfers, emphasising that the first step should be to document what an organisation’s current situation is. The laws of the recipient country are then going to need to be assessed in the context of the data being transferred.  Axel discussed technical measures that might address privacy concerns that remain after this assessment. He said encryption of data is one possible option, or alternatively anonymising data with the “key” to the data remaining in Europe. More guidance on this is hoped for from the EDPB, but Axel noted that “NSA-proof” measures might be difficult to implement in practice.

Referring to the issue that contracts between transferring parties cannot govern US government surveillance practices, Grant said this is in reality a foreign affairs problem being played out in the commercial arena. The secretive nature of government surveillance means that organisations are unlikely to know if the US government is tapping into data transfers. Moreover, there is no real way of telling if a transfer from Europe to the US in fact increases the surveillance risk as the covert capture and sharing by governments of intra-EU communications may well be occurring anyway.

In this respect, Ian referred to the extensive nature of UK national security laws. These are likely to come under increasing scrutiny, given that, following the end of the Brexit transition period on 31 December 2020, the UK will become a “third country” like America. The UK is currently seeking an Adequacy Decision from the EU Commission, but its security laws might hinder this and the EU Commission could be nervous about getting it wrong again (as it has, twice, with the Safe Harbor and Privacy Shield invalidations). In the absence of an Adequacy Decision, many organisations transferring data from the EEA to the UK are likely to want to rely on SCCs. However, the assessment required here may lay bare the extent to which the UK’s national security laws may be similar to those of the US.

The future

Ian summed up by suggesting that it was surely not beyond the powers of the Europeans and Americans to find some way to accommodate the three issues discussed: protection of privacy; national security; and the free flow of commercial data. Following the CJEU’s ruling in Schrems II, he said that the burden seems to be falling on commercial and other organisations to find a way to accommodate these three issues and that seems to be a little unrealistic.  Grant thought it very unlikely that the US intelligence services will let go of their surveillance tools in the light of the Schrems II decision. He said the idea of changing security policy on the basis of a European decision would be unpopular, and also that full compliance would mean allowing EU citizens to bring a challenge against the NSA, a right which US citizens do not themselves have. Axel was similarly doubtful that European authorities would pursue any sort of compromise position if that meant departing from the text of GDPR and said that, in any event, meaningful negotiations are only likely to begin once the US election has taken place. While clearly a fraught area for regulators and businesses, the panel demonstrated the extent to which this is a fascinatingly rich area for legal discussion. As indicated by the recent developments in Ireland concerning Facebook, much of this is yet to play out.

by Ian De Freitas,
Farrer & Co,
London

91597