Post-Schrems II: the future of international data transfers
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a landmark judgement in the field of data protection and international data transfers. This decision, known as Schrems II, invalidated the EU-US Privacy Shield Framework, in turn rendering the international data transfers to the US unlawful if based on the Privacy Shield Framework.
Irina Hedea - Partner - Advisory & Consulting - Deloitte
Georges Wantz - Managing Director - Advisory & Consulting - Deloitte
Aleksandra Suwala - Senior Consultant - Advisory & Consulting - Deloitte
Sibil Manco - Analyst - Advisory & Consulting - Deloitte
Published on 24 September 2020
At present, we are more connected than ever. For any organization operating on a global scale, the international transfer of data is an essential element of daily business operations. Organizations may, for example, store customers’ personal data in a cloud service hosted abroad or may store employees’ personal data at a subsidiary established in another country.
Today, the cloud offers flexible and affordable software, platforms, infrastructure, and storage available to organizations across all industries. However, as most cloud service providers are based in the United States (US), hosting data in a cloud service (or accessing data from a country outside of the EEA) may often qualify as an international data transfer.
International data transfers are regulated by the provisions of the General Data Protection Regulation (GDPR)¹, which lists several transfer mechanisms to be followed in order to legitimize the transfer. Those mechanisms comprise an adequacy decision issued by the European Commission, or, in the absence of such a decision, the use of Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).
However, recent developments have caused legal uncertainty regarding data transfers to the US and other third countries², and regarding the validity of one of the key transfer mechanisms, the SCC. A ruling by the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield³, the adequacy decision legitimizing data transfers between the European Union (EU) and the US, and commented on the validity of the SCC by requiring that organizations conduct a privacy risk assessment before transferring data to a third country on that basis⁴.
In consequence, if your organization transfers personal data internationally or relies on cloud services and service providers located outside of the EU, you should promptly address the challenges resulting from the Schrems II judgement to ensure the lawfulness of international data transfers.
On 16 July 2020, the Court of Justice of the European Union declared the European Commission's adequacy decision regarding the EU-US Privacy Shield invalid. Companies can no longer transfer personal data to the US under the EU-US Privacy Shield and must use alternative methods, such as EU SCC, to avoid heavy fines. In addition, the CJEU declared that EU SCC remain valid but may not be sufficient as a standalone transfer mechanism in certain cases, as they only bind the contractual partners and cannot resolve issues arising from the third country’s laws.
In its judgment, the CJEU considered several perceived shortcomings of the EU-US Privacy Shield mechanism. The CJEU concluded that US law enforcement agencies have wide-ranging access to personal data received by US entities that is not subject to equivalent protections as under EU law. In particular, the CJEU found that US law enforcement agencies’ access to transferred data is not subject to the principle of proportionality nor limited to what is strictly necessary. In addition, the CJEU found that data subjects have no right to an effective remedy regarding law enforcement agencies and national security.
VALIDITY OF SCC
Even though the CJEU declared that EU SCC are still valid, the CJEU found that any legal personal data transfer mechanism must not undermine the level of protection of natural persons guaranteed by the General Data Protection Regulation (GDPR) and the EU Charter on Fundamental Rights. Therefore, when using SCC, companies must verify on a case-by-case basis whether the destination country's laws comply with the GDPR (which the US does not), with the SCC themselves and with the EU Charter on Fundamental Rights; if they are in any doubt, they must provide additional safeguards before the personal data transfer is carried out.
IMPACT ON BUSINESSES
The CJEU's ruling means that businesses in the EEA will no longer be able to transfer personal data to a recipient in the US under the recipient's Privacy Shield certification. Therefore, current procedures and operations should be reviewed in light of this new interpretation and GDPR requirements.
As the CJEU's ruling takes immediate effect, many businesses that relied only on the Privacy Shield as their primary justification for transferring personal data to the US will need to implement an alternative transfer mechanism (such as the EU SCC with additional guarantees) or perhaps rely on a derogation.
In addition, businesses relying on EU SCC (or similar mechanisms like binding corporate rules) need to ascertain on a case-by-case basis if additional guarantees must be put in place, for example if the transfer is to the US or another country without an adequacy decision in place.
WHAT CAN YOU DO TO SAFEGUARD YOUR ORGANIZATION IN THE CONTEXT OF THE LEGITIMATE TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES, INCLUDING THE US?
- Review the contracts in place in order to identify the relied upon personal data transfer mechanisms, paying special attention to the contracts using Privacy Shield – to do so, consult the current register of processing activities of your organization
- Consider replacing the Privacy Shield mechanism with SCC, bearing in mind the likelihood of having to amend the SCC by adding additional safeguards to strengthen the SCC
- As a general rule for transfers based on SCC, conduct a privacy risk assessment before relying on SCC to determine whether the third country provides an adequate level of protection of personal data (which the US does not, according to the ruling)
- Assess the risk, necessity and possibility of introducing additional safeguards to the SCC for transfers to third countries which, according to your privacy risk assessment, may not provide an adequate level of protection
- Consider whether it is technically possible to pseudonymize or encrypt data by Holding Your Own Key (HYOK)
- Perform due diligence concerning the organizational set-up of your current and future cloud service providers to determine who will be accessing the data of your clients and from where
¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
² A third country is a country other than the EU member states and the three additional EEA countries (Norway, Iceland, and Liechtenstein) that have adopted a national law implementing the General Data Protection Regulation (GDPR).
³ Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
⁴ Judgment of 16 July 2020 in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).
The Schrems II judgement will undoubtedly influence the future of international data transfers, not only in the context of such transfers to the US (due to the use of e-mail, social networks and cloud services), but also to other countries outside the EEA.
When using SCC, organizations must conduct a privacy risk assessment and, where necessary, strengthen the SCC with additional safeguards, such as encryption or data pseudonymization. In addition, as a next step, developing an approach to due diligence for international data transfers could prove useful. Such due diligence could help to verify the laws of the country where the data importer is based, whether public authorities in that country could be entitled to access the data, and whether the law provides effective judicial remedies for data subjects.
General Data Protection Regulation
The General Data Protection Regulation, which has been in force since 25 May 2018, aims to create a homogenous framework for all personal data processing taking place in the European Union.