Action required: Schrems II Case invalidates EU-U.S. Privacy Shield Framework
On the 16th of July, the Court of Justice of the European Union (‘CJEU’) issued a ground-breaking judgment regarding transfers of personal data between the EU and third countries. The judgment is relevant for any organisation transferring personal data to organisations outside of the EU, even if they do so within the same international group of organisations. Therefore, immediate action is recommended to businesses conducting such transfers.
It invalidated the EU–U.S. Privacy Shield Framework (the successor of Safe Harbor, which was invalidated by Schrems I) and affirmed the validity of the standard contractual clauses issued by the European Commission for the transfer of personal data to data processors outside of the EU.
The following provides businesses with a checklist to ensure their compliance with the GDPR when transferring personal data from a country within the EU to a third country.
1. Review the legal basis on which your organisation transfers personal data to the U.S.
The GDPR sets out various grounds on which personal data can be transferred outside of the EU, such as but not limited to: an adequacy decision (of which the EU-U.S. Privacy Shield Framework was one), binding corporate rules, standard contractual clauses issued by the European Commission (SCCs) or a specific derogation.
For the U.S., the EU-U.S. Privacy Shield Framework was believed to provide businesses with a method to transfer personal data to the U.S. from the EU in a way that is consistent with EU law, as acknowledged by the adequacy decision 2016/1250 of the European Commission. However, the CJEU has invalidated this adequacy decision with immediate effect, rendering all future transfers relying on this mechanism illegal.
Consequently, businesses transferring personal data to the U.S. will need to consider another legal basis for the valid transfer of personal data to the US.
Presumably many businesses that transfer data to the U.S. will fall back on SCCs in their (existing and future) contracts. Although the CJEU affirmed that SCCs remain valid for lawfully transferring personal data from the EU to the U.S., it emphasized that simple reliance on SCCs is not always sufficient. It is fair to say that common practice for many organisations was to simply sign the appropriate SCCs without further consideration and assume that that was sufficient to validate the transfer. To ensure compliance with the GDPR, the following check will need to be performed by controllers and recipients of such data.
2. Check whether the transfer mechanism(s) in place provide(s) an adequate level of protection
The CJEU underlines that in order to meet the adequate level of protection requirement, a third country must ensure, by reason of its domestic law or its international commitments, a level of protection of fundamentals rights essentially equivalent to that guaranteed in the EU legal order. Before transferring personal data to a third country, both the EU Data exporter and the non-EU data importer will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection”.
This means that organizations will have to assess the situation of the third country to develop additional safeguards and supplementary measures. For example, in the Schrems II judgment, the Court found that the U.S. does not set sufficient limitations on the power of the intelligence services to access the transferred data and does not ensure effective judicial remedies against such surveillance. The judgment seems to suggest that businesses will need to assess carefully whether each of their transfers of personal data to a third country is protected adequately on a case-by-case basis. However, there is no guidance from EDPB and State-members supervisory authorities on this matter. It will be difficult to ask any organization to perform a comprehensive assessment of the legal system of the third country as the EU Commission does when assessing the adequacy of the level of protection. In light of the foregoing, it is expected that the Commission will also finally undertake steps to update the SCCs in view of the latest version of the GDPR. All eyes are now on the Commission for guidance on how to comply with the GDPR in light of these recent developments.
3. Take action if one knows or suspects that the level of protection is inadequate
If the recipient of the personal data discovers that the level of protection of the personal data transferred to a third country does not provide an adequate level of protection, it has the obligation to notify the EU data exporter thereof.
If and when the EU data exporter suspects or discovers the same, because of the notification of the recipient or by himself, it needs to suspend or terminate those data transfers immediately. The suspension can be lifted when the EU data exporter has taken adequate additional measures.
Additional measures can exist of additional contractual safeguards, such as additional clauses in privacy policies or data protection agreements.
Other examples of an additional measure are encryption and tokenization of the data that will be transferred. These methods render the data unreadable to anyone else than the EU data exporter and therefore protect it against snooping by third parties, such as the secret intelligence services of the destination country.
As mentioned above, it is expected that supervisory authorities will provide businesses with more specific guidelines on how to reach such an adequate level of protection for data transfers, which might not only be applicable to transfers to the U.S. but also to other third countries. The same happened when the CJEU invalidated the Safe Harbor Decision in 2015. It is recommended to monitor the announcements and decisions of the supervisory authorities closely during the next weeks.
As the Schrems II judgment has immediate effect, we recommend businesses not to wait for the guidance of the supervisory authorities to take action. It is recommended to start mapping all data transfers to third countries and to perform the above checks. When using GDPR valid transfer mechanisms (SCCs or BCRs) assess the additional safeguards and supplementary measures to mitigate the risks of access to the personal data transferred by the public authorities when the legal system of the third party does not provide safeguards, enforceable rights and effective legal remedies ensuring a level of protection essentially equivalent to that in the EU.
If it is unclear which action is required to achieve the necessary level of protection of the personal data involved, the EY Digital Law team can provide assistance.