Since the EU-US Privacy Shield has been declared invalid, it is unclear how a company can transfer personal data to the US. Anne-Mieke Dumoulin Siemens provides guidance in the twilight zone created by the Court.
The Court of Justice of the European Union (ECJ) declared the EU-US Privacy Shield invalid on 16 July 2020 in the so-called Schrems II case. This means that with immediate effect, the EU-US Privacy Shield can no longer serve as a basis for the transfer of personal data to the US. When transferring personal data to countries outside the European Economic Area (EEA), the rules of the GDPR must be followed. Now that the EU-US Privacy Shield can no longer be used as a basis for transfer, the question arises as to how transfer to the US (and to other countries outside the EEA) can be designed to be secure. This article provides guidance in the twilight zone created by the Court.
Exit EU-US Privacy Shield
The GDPR facilitates the transfer of personal data on the basis of an adequacy decision. The European Commission has issued an adequacy decision for 12 countries. An adequacy decision guarantees that the third country concerned provides an adequate level of data protection. The EU-US Privacy Shield is based on an adequacy decision issued by the European Commission. The Court has annulled the EU-US Privacy Shield in Schrems II because of the lack of an adequate level of protection in the US. There are surveillance regulations in the US that allow US intelligence and security services to access personal data. Such access is not limited to strictly necessary data. In addition, US citizens have no enforceable data protection rights and no effective legal remedies.
Consequences of the exit of the EU-US Privacy Shield
The clash between the European privacy regulations and the US surveillance laws has serious consequences for the many companies and organisations that transfer personal data to the US under the EU-US Privacy Shield on a daily basis. They are now acting in violation of the GDPR. Schrems II does not offer a transition period: the transfer of personal data to the US on the basis of the EU-US Privacy Shield has been declared invalid as of the date of the ruling. Schrems II covers not only future data flows, but also personal data that have been transferred in the past and are still accessible to US authorities. At present, it is not to be expected that the European supervisory authorities will start immediate enforcement proceedings, but the question of what is an acceptable alternative mechanism for the transfer of personal data should be at the top of your company's action list. How to proceed?
Alternative mechanism for the transfer of personal data?
The transfer of personal data to recipients in third countries must not undermine the level of protection guaranteed by the GDPR to individuals within the EU. The recipient country must provide a level of protection for personal data comparable to that guaranteed within the EU. In short, transfers should only take place in full compliance with the GDPR.
If no adequacy decision is in place for a particular country, the data exporting company or organisation must ensure that the transfer is secured with appropriate safeguards. The standard contractual clauses (SCCs) as adopted by the European Commission provide appropriate safeguards according to the GDPR.
Can SCCs still be used after Schrems II?
Article 46 GDPR, which forms the basis for the use of standard contractual clauses, explicitly sets two requirements for transfers to countries to which no adequacy decision applies. Firstly, the exporting company must provide appropriate safeguards (through SCCs, for example) and secondly, enforceable data subject rights and effective legal remedies for data subjects must be available in the third country.
The SCCs passed the test of criticism in Schrems II. In principle, personal data can still be transferred to third countries on the basis of SCCs. However, the Court emphasises the importance of requirements in Article 46 GDPR concerning the use of standard clauses. Prior to any transfer of personal data, the transmitting company must verify that the receiving country provides the data subjects with enforceable rights and effective legal remedies.
In general, companies are saddled with the almost impossible task of assessing, on a country-by-country and transfer-by-transfer basis, whether recipient countries have legal rules in place regarding the protection of data subjects and their personal data. In addition, it is not clear what criteria should be used in the assessment. The Court does not address this and Article 46 GDPR does not provide any further explanation either. We now know that standard contractual clauses cannot (or can no longer) be used as a mechanism for the transfer of personal data to the US because US surveillance legislation prevents this. However, companies are in the dark as to how the surveillance and security legislation in other third countries is to be assessed.
The reality is that few companies have sufficient knowledge and resources to properly assess the data protection legislation and surveillance practices of third countries. It is also clear that the European authorities seem to be struggling with such assessments. So far, the European Commission has issued adequacy decisions for only 12 countries, and the adequacy decision for the US has now been invalidated twice.
How can SCCs be used in practice?
The European Data Protection Board (EDPB) has announced that it will publish recommendations on how to deal with the consequences of Schrems II. In anticipation of these recommendations, the following guidelines may help you to implement the transfer of personal data to third countries on the basis of SCCs.
- Check that the data importer is able to comply with all the provisions of the SCCs.
- Carry out due diligence on the type of data transferred, the categories of data subjects, the processing purposes, the retention period, the type of recipient and the sector to which the recipient belongs.
- Examine to what extent the legal system of the third country allows public institutions to require disclosure of data and whether data subjects (including foreign data subjects) are aware of the disclosure and are able to take legal action before the courts. Determine the category of data affected by the laws of the third country.
- Investigate the extent to which the importer is bound by these laws and the likelihood of the importer disclosing or having to disclose the exporter’s personal data to the authorities in the third country.
- Check whether the data importer has a procedure to inform the data exporter if a government request extends to the data of the data exporter and offers the possibility of opposing disclosure.
- Check whether the risks posed by national surveillance legislation can be offset by agreeing additional safeguards with the data importer. This could include agreements on the application of proper encryption, the suspension of the transfer of data and the removal of data by the data importer.
- Make sure you document your choices and agreements. The GDPR requires you to be able to demonstrate that you comply with the GDPR.
Can Binding Corporate Rules be used?
Binding Corporate Rules (BCRs) are, in addition to SCCs, a mechanism for the transfer of personal data to third countries. BCRs are rules specifically designed for transfers of personal data within an international group of companies. Once established and approved, BCRs can only be used for the transfer of personal data within the group of companies. A different mechanism must be used for transfers outside the group.
BCRs were not subject of debate in Schrems II. However, if the lawfulness of the transfer of personal data on the basis of SCCs is in question, because the regulations in the receiving third country do not comply with European safeguards, then one may wonder whether transfer to the same country on the basis of BCRs is lawful.
BCRs are drawn up by the group company concerned and must be approved by the competent supervisory authority. SCCs are a product of the European Commission. In practice, the main difference is that the burden of assessing the adequacy of protection measures lies with the supervisory authority when a company uses BCRs, whereas the user of SCCs (following Schrems II) has to make its own adequacy assessment and is responsible if it makes a mistake. This raises the question of how supervisory authorities within the EU deal with pending applications for the approval of BCRs. Approval of BCRs implies that the relevant supervisory authority considers that appropriate safeguards are in place in the receiving third country. This may be a sensitive issue, given the reasoning in Schrems II.
Can the exceptions in Article 49 GDPR be used?
According to the Court in Schrems II, the invalidation of the EU-US Privacy Shield does not create a vacuum because companies can rely on one of the derogations for specific situations (Article 49 GDPR). However, the possibilities to justify transfers using the exceptions of Article 49 GDPR are limited. The EDPB has stated (Guidelines 2/2018) that these exceptions should be interpreted restrictively and that the exception should not become the rule. In addition, the use of Article 49 GDPR imposes a heavy administrative burden on the company. The data exporter must justify why each of the other mechanisms for the transfer in question cannot be used and why the exception in question is suitable as a basis for transfer in the specific case. The option provided for in Article 49 GDPR therefore does not seem very attractive.
EDPB recommendations on implications of Schrems II
Schrems II shows that the application of and compliance with strict European privacy rules for the transfer of personal data in international traffic is problematic. The EDPB has set up a task force which will hopefully soon come up with recommendations on how to deal with the consequences of the Schrems II decision.
Would you like to know more about this subject? Then please contact our Privacy Desk.