What's next for international data transfers, post-Schrems II?
by Angeliki Tsanta on 22 Oct 2020
On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US international data transfer framework, known as the Privacy Shield, bringing personal data protection and international data transfers to the forefront of current discussions on digital policy. In this brief we look at the options for data transfers between the EU and other countries in the light of the Court's conclusions. This is the second time the CJEU has invalidated a data transfer agreement with the US, expressing concerns over its government surveillance programmes and the level of protection provided for personal data. The Privacy Shield, however, was not the only option available to companies to transfer users’ personal data to the US. Many companies chose to use a set of Commission-approved standard contractual terms and conditions, contractually binding themselves to protect the data of their clients when transferring it outside the European Economic Area (EEA).
The CJEU upheld the validity of this second mechanism but placed substantial obligations on the companies that use it to ensure that the destination country truly offers a level of data protection equivalent to that guaranteed by the EU. Following the Court’s decision, the EU has failed to provide further clarifications on the future of data transfers towards the US, prolonging the uncertainty not only for the European operations of large tech firms, but also for European SMEs which benefit from global trade and US-based cloud services.
In this context, we clarify the current European data transfers framework, as well as the developments following the CJEU’s decision – widely referred to as ‘Schrems II’.
INTERNATIONAL DATA TRANSFER OPTIONS FOR COMPANIES
The General Data Protection Regulation (GDPR) sets out three different mechanisms for companies that transfer the personal data of their clients outside the EEA:
1. EU Adequacy Decisions
The European Commission has the power to review a third country’s legal system, domestic law and international commitments to determine whether it ensures an adequate level of protection for personal data.
Once a Commission adequacy decision is adopted, companies may transfer personal data towards a third country without any prior authorisation.
2. Appropriate Safeguards
In the absence of an adequacy decision, a company may still transfer the data of its clients outside the EEA, but only by providing appropriate safeguards to ensure that the protection guaranteed by the GDPR will not be undermined by the transfer.
In addition, the company in question must ensure that data subjects have enforceable rights and effective legal remedies in the third country.
Appropriate safeguards may be provided by means of:
- Standard Contractual Clauses (adopted or approved by the Commission)
- Binding Corporate Rules (approved by a competent supervisory authority)
- Codes of Conduct (approved by a competent supervisory authority)
- Certification Mechanisms
With the appropriate safeguards in place, data transfers can go through.
3. Derogations for specific situations
In exceptional circumstances, a transfer outside the EEA may take place, even if no adequacy decision and no appropriate safeguards are in place.
Such transfers may take place occasionally and only under specific circumstances:
- If the data subject has explicitly consented to the transfer
- If the transfer is necessary for the performance or conclusion of a contract between the data subject and the company, at the former’s request and interest
- If the transfer is in the public interest
- If the transfer is necessary for the establishment, exercise or defence of legal claims
- If the transfer will protect the vital interests of the data subject
In those cases, however, the company must prove that all the conditions for a derogation are met.
US DATA TRANSFERS AFTER SCHREMS II
In the wake of Schrems II, companies can no longer benefit from a European Commission adequacy decision to transfer data to the US. This means that transatlantic data transfers on the basis of the Privacy Shield are now illegal. In theory, companies that wish to continue transferring data to the US may still benefit from the other two mechanisms provided for in the GDPR.
However, the CJEU emphasised that even when using standard contractual clauses, companies must assess the level of personal data protection offered in the US, taking into account the circumstances of each particular transfer and any supplementary protection measures they take themselves. In light of the Court’s observations on US surveillance programmes and the lack of redress mechanisms for data subjects, it is uncertain whether companies can guarantee that the safeguards envisioned by the standard contractual clauses are upheld and that such protection is actually granted.
It is apparent that without further clarification on the future of EU-US data transfers, the usefulness of standard contractual clauses is questionable, especially for small companies that do not have the capacity to assess the level of protection offered by the destination country or to determine the measures they must take to ensure it. Thus, by continuing transatlantic data transfers, companies risk the imposition of administrative fines by their national Data Protection Authorities (DPAs), as well as liability for any damage caused by such transfers to data subjects.
A case in point: following the CJEU’s judgment, the Irish Data Protection Commission (DPC) launched an investigation into Facebook’s data transfer practices and initially concluded that the social media platform had to stop all transfers of EU data to the US. Facebook, which used standard contractual clauses as the legal basis for transatlantic transfers, appealed against this initial decision before the Irish High Court, asking for a judicial review of the investigation. The company’s argument is that the DPC has not received regulatory guidance from the EU, specifically from the European Data Protection Board (EDPB), and thus any decision will lead to more uncertainty.
To resolve the uncertainty, the European Commission and the EDPB intend to modernise the standard contractual clauses and provide companies with further guidance that reflects the Court’s conclusions. In that regard, the Commission has announced that it plans to publish a proposal for new standard contractual clauses within the year. At the same time, a third agreement between the EU and the US focusing on US surveillance laws is possible but will take time to finalise.
Topics: Data policy
Written by Angeliki Tsanta
Angeliki provides policy analysis and monitoring for clients in the emerging technology sector on the regulation of online platforms, data protection and cybersecurity.