The legacy of Schrems II: new guidance for transfers of personal data between the EU and non-EU states
The decision of the European Court of Justice ("ECJ") in the landmark case of Maximillian Schrems v Data Protection Commissioner (C-362/14) (the so-called Schrems II decision) declared the EU-US Privacy Shield arrangements between the EU and the USA to be invalid.
The ECJ found that the protections provided for in the Privacy Shield framework, which includes an independent ombudsman mechanism for the handling of complaints relating to the accessing of EU citizens' personal data by US authorities, are not sufficient to address "the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States". The court had particular concerns about the powers of access that law enforcement and security agencies have in the US and the lack of meaningful legal redress for EU data subjects.
With Privacy Shield declared invalid, businesses would now have to urgently put in place contracts based on the Standard Contractual Clauses ("SCCs") as ratified by the European Commission. However, the ECJ went further and said that the SCCs themselves may not be sufficient to protect the personal data of EU data subjects when processed in third countries. Businesses will now need to perform due diligence to establish whether the protections that SCCs are designed to provide will be respected in the jurisdictions to which the data is being transferred. This will require additional due diligence and, in particular, consideration of local laws in those jurisdictions.
The European Data Protection Board ("EDPB") followed this and on 11 November 2020 published guidance to assist controllers and processors in complying with the ECJ's decision such that businesses relying on SCCs must: (1) conduct a risk assessment of the transfer; and (2) if necessary, implement “supplementary measures” to protect the data in the recipient country.
The guidance includes six key steps:
Step 1: Know your transfers
Verify what types of personal data you are transferring out of the EU. Be particularly conscious of onward transmission by the recipient of that personal data.
Step 2: Identify your transfer tool(s)
This is likely to be the SCCs but could be one of the other safeguards such as Binding Corporate Rules.
Step 3: Assess whether the transfer mechanism is effective in practice
This is a critical step. Businesses will have to ask themselves whether the above arrangements afford a level of protection that is equivalent to that guaranteed in the EU. This will need to consider the rights of access that law enforcement and security agencies have to the personal data and whether they are necessary and proportionate. This is a complex question and the EDPB has published a test based on a set of four "European Essential Guarantees" which must be respected for this test to be met.
If businesses find that the arrangements do not provide sufficient safeguards, they must proceed to Step 4.
As regards the US, the decision in Schrems II makes this a foregone conclusion unless federal laws in the US change – businesses will need to proceed to step 4.
Step 4: Adopt supplementary measures
The EDPB separates these measures into three categories: technical, contractual, or organisational and lists examples of these measures.
The primary focus is on technical measures to prevent access by public authorities using encryption, pseudonymisation or fragmenting data between processors in separate countries. However, there will be circumstances where this is not possible, including where data moves about an international organisation or where data is held "in the clear" in a cloud service provider's infrastructure. In such circumstances, organisations can only look to contractual and organisational measures and doubt is cast on the sufficiency of such measures on their own.
Step 5: Procedural steps if you identified any supplementary measures
There may be further procedural steps if the supplementary measures identified by an organisation contradict the SCCs. The EDPB may add more requirements to this step in due course.
Step 6: Re-evaluate at appropriate intervals
As organisations may have now gathered, this is a rapidly developing area of law. It should, therefore, go without saying that they should put in place processes for monitoring developments in recipient countries (and indeed in the EU).