The European Court of Justice has today decided that the controller-processor Standard Contractual Clauses (SCCs) are valid but that the EU-U.S. Privacy Shield is no longer a valid adequacy instrument to enable personal data transfers to the U.S. because U.S. state surveillance powers are excessive.
The key practical points arising from this judgment are:
The General Data Protection Regulation (GDPR) restricts transfers of personal data to third countries. The rationale for this restriction is to ensure that the protection afforded by the GDPR cannot be evaded simply by moving the data to a third country. The restriction is interpreted strictly, given that data protection is a fundamental right under Article 8 of the EU Charter of Fundamental Rights.
There are a number of exceptions to this restriction, such as where the transfer is to a jurisdiction that the EU Commission has found to have adequate data protection laws, the data subject has given explicit consent to the transfer, binding corporate rules are in place, or certain fact-specific conditions apply.
However, for many transfers the only practical solution is the use of SCCs. These are template contracts prepared by the EU Commission and come in a number of different forms, including controller-controller SCCs and controller-processor SCCs. Most large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients, many of which depend on SCCs.
This judgment is the result of a challenge brought by Maximilian Schrems, a privacy activist, against Facebook Ireland Ltd’s use of controller-processor SCCs to transfer personal data to Facebook Inc in the U.S. Mr Schrems also challenged the use of the EU-U.S. Privacy Shield to justify these transfers.
The CJEU has made four important decisions:
The basis for the CJEU’s decision is that while SCCs bind both parties in relation to their processing of personal data, they do not bind anyone else, in particular the public authorities of a third country that obtain that personal data.
Accordingly, while the personal data might be adequately protected in the hands of the data importer, there is no such assurance once the data reaches a third party such as a third-country authority. This means that the data exporter must verify “on a case-by-case basis” what protections apply (where appropriate in collaboration with the data importer).
The judgment states this must include an assessment of the laws of the third country, the existence of any independent supervisory authority and any international commitments made by the country. However, in order to ensure a proper case-by-case assessment it seems likely that a broader review would be appropriate. This may include the following:
While businesses already burdened by Data Protection Impact Assessments and Legitimate Interests Assessments may not welcome the need to complete an additional Transfer Impact Assessment, it will allow a more comprehensive and flexible risk assessment rather than one narrowly focused on the third country’s laws. For example, there is a significant difference between storing your organisation’s internal telephone directory in a third country and transferring your customers’ sensitive financial or banking records.
Finally, this Transfer Impact Assessment needs to be monitored on an ongoing basis and updated in light of any changes in the laws of the third country.
After a comprehensive review of the EU-U.S. Privacy Shield and U.S. surveillance law, the Court of Justice decided that the Privacy Shield does not ensure adequate protection of personal data, as required by the EU Charter of Fundamental Rights. There are two key reasons for this finding:
Subject to the official reactions of the U.S. administration and the EU Commission to the judgment, it seems likely that it will make any future partial adequacy finding for the U.S. even more difficult.
Some transfers to the U.S. will already be made on a “belt and braces” basis under both the EU-U.S. Privacy Shield and SCCs, so can simply fall back on the SCCs, subject to carrying out a Transfer Impact Assessment as set out above.
Where the transfer is made solely under the EU-U.S. Privacy Shield, it is important to put SCCs in place (and carry out the accompanying Transfer Impact Assessment) as soon as possible.
The judgment raises a number of questions and places a number of burdens on data protection authorities. In particular:
The current SCCs pre-date the GDPR, and some versions are nearly twenty years old. The EU Commission has been working on an updated version of the SCCs behind the scenes, both to bring their terms into line with the GDPR and in preparation for any challenge to those terms.
The Schrems judgment removes any immediate pressure to rush out the updated SCCs, but it is still likely that the EU Commission will look to issue them in due course. The new form of SCCs might “bake in” the new requirement for a Transfer Impact Assessment.
Importantly, on the upside, we expect these new SCCs to cover processor-to-processor transfers, which have long been needed, for example to allow EU-based processors to use sub-processors based outside the EU.
While the new SCCs are unlikely to affect the validity of existing transfers made under the original SCCs (as was the case when the new controller-processor SCCs were issued in 2010), businesses should factor in further disruption when moving to the new SCCs in due course.
The judgment will also have a significant impact on data transfers post-Brexit when the current transitional period comes to an end at the end of the year. At that point, the UK will become a third country for the purposes of the GDPR. In relation to future transfers:
Firstly, the judgment is marginally unhelpful to any adequacy finding for the UK. The UK surveillance regime is markedly different from that in the U.S. For example, the UK regime, as set out in the Investigatory Powers Act 2016, contains numerous checks and balances. It has already been reviewed by the European courts, and a number of amendments have been made to bring it into line with European law. In addition, the UK regime does not draw the same distinction between UK and foreign nationals that U.S. law draws between U.S. persons and non-U.S. persons. However, the judgment will undoubtedly make the EU Commission more cautious about finding the UK adequate, given the risk that such a decision could also be challenged in the CJEU.
Second, in the absence of an adequacy finding, the use of SCCs by EU businesses to transfer personal data to the UK has become more cumbersome and more onerous. While it should be relatively straightforward for EU businesses to conclude that such transfers are still permitted, some may be deterred by the additional time and cost the assessment will entail.