Businesses which are currently sending data to the US in reliance on the Privacy Shield need urgently to replace those arrangements. The big question is "with what?". The Court of Justice of the European Union (CJEU)'s recent decision in "Schrems II" means that the alternative route – Standard Contractual Clauses (SCCs) – is open to challenge too. Short of stopping sending any personal data to the United States, data exporting controllers should be reviewing their approach to the SCCs and bolstering their due diligence and provisions, and urgently seeking to open discussion with their processors.
The decision by Europe’s highest court affects every company which sends (or uses others who send) personal data out of the EEA, especially to the US. For a general overview, the European Data Protection Board's recent guidance on the judgment is of assistance. But questions remain. These are unavoidably complex, and the answers similarly so, but the issue is of profound importance for a key aspect of global trade. In light of the decision what should businesses who need to export personal data out of the European Economic Area (EEA) now do?
This is not a question with a single answer. The situation is both complex and politically charged and we will continue to monitor legal and regulatory developments. We impress upon businesses the need carefully to assess their own position, and to take such specific advice as they feel necessary.
One thing is abundantly clear: “Privacy Shield” - the 2016 decision by the European Commission that allowed transfers of personal data by EEA and Swiss organisations to US companies which self-certified and committed to a set of principles - is struck down. Transfers which were lawful under Privacy Shield are no longer lawful under Privacy Shield. It was therefore particularly surprising that in the immediate aftermath of the Schrems II judgment, the UK Information Commissioner’s Office (ICO) was advising those organisations using Privacy Shield to continue to do so (advice which it has reassuringly now withdrawn).
But what of the SCCs – the legal vehicle by which countless thousands of data transfers have been effected, since the first set was approved by the European Commission in 2001? The CJEU held that its examination of the SCCs of 2010 (dealing with transfers from an EEA controller, to an extra-EEA processor) had "disclosed nothing to affect [their] validity".
All well and good, then?
Not quite – the CJEU was at pains to say that entering into SCCs was only part of the process whereby an international transfer can be made using them. In addition, the parties must also consider the risk of access to the personal data by the public authorities of the third country to which the personal data is transferred, by taking into account, among other things:
- that third country's rule of law and respect for human rights and fundamental freedoms;
- whether that country has an independent supervisory authority with responsibility for ensuring and enforcing compliance with the data protection rules; and
- the international commitments the third country has entered into in relation to the protection of personal data.
In short, before relying on the SCCs, the parties in effect need to make their own assessment of the general adequacy of the third country's legal and regulatory regimes for protecting personal data. This is an assessment which is not unlike (indeed, which is broadly similar to) the assessment the European Commission must make before making a finding of adequacy in respect of a third country (something which it has, in the 25 years since it was required to consider these issues, only so far made in respect of thirteen countries).
If the parties cannot, on the evidence, assess the third country as having a level of protection essentially equivalent to that guaranteed within the EU, they must suspend or end the transfer. And if they don't, it falls to the competent supervisory authority to do so (in the UK, the supervisory authority is the ICO).
So, although the SCCs remain valid, the CJEU stressed that the parties' obligations go far beyond merely entering into the SCCs, and put them (and supervisory authorities) effectively on notice that they must cease, or not begin transfers, to countries which cannot offer that level of protection essentially equivalent to that guaranteed within the EU.
The question which then arises is this – if the European Commission itself has not given a country an adequacy determination to the effect that it offers a level of protection essentially equivalent to that guaranteed within the EU (or, in the case of the US, if the CJEU has essentially said that a country does not have the requisite level of protection), can parties to a private law contract reasonably decide that such protection exists? Notably, though, the CJEU did not go so far as to say in terms that the absence of an adequacy determination by the Commission in respect of a country renders all transfers to it impossible. A key challenge, though, remains with the US: the CJEU has decided, in the context of its views on Privacy Shield, that the US does not afford the requisite protections. And whilst a small crumb of comfort might lie in the sections of the judgment which note that the "adoption of supplementary measures" (above and beyond the SCCs) might ensure compliance with the requisite level of protection, particularly if the country's laws can provide additional safeguards to those offered by the SCCs, it remains hard to see how that can work relative to transfers to the US. Such questions must be approached, though, on a "case by case" basis – perhaps, since the coming into force of the Californian CCPA privacy law, a transfer into California might be afforded a different outcome (although that is far from certain, and we await guidance from the regulators on this sort of thinking). In the case of countries other than the US, it might be, for instance, that relatively low risk transfers, conducted with robust end to end encryption, to a country which has a reasonable standard of data protection or privacy laws, might pass muster.
For now, then, those wishing to transfer personal data out of the EEA, by means of SCCs, should, at the very least, undertake a case-by-case and sufficiently detailed assessment of the transfer, and of the level of protection in the recipient country, and adopt (or, at least, give serious, documented consideration to adopting) supplementary, extra-contractual, measures and safeguards to ensure compliance with a standard of protection of personal data essentially equivalent to that in the EU. Failure to do so puts the parties:
- at risk of dispute with each other;
- at risk of regulatory action including, but not limited to, a stopping of the transfer; and
- at risk of complaints and claims by data subjects.
We emphasise the third of these: in addition to the regulatory risk, transferors of data out of the EEA will need to consider their risk profile in respect of private damages claims for failure to comply with the protective provisions of GDPR – there will be many data subjects wishing to pursue a damages claim.