On 16 July 2020, the European Court of Justice issued the Schrems II judgement with significant implications for the use of US cloud services. Customers of US cloud service providers must now themselves verify the data protection laws of the recipient country, document its risk assessment and confer with its customers. This article will explain what the Schrems II judgement entails for your business. Updated with new resources for your Transfer Impact Assessment. Reading time: 14 minutes
Summary of Schrems II
On 16 July 2020, the Court of Justice of the European Union (ECJ) in its Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (called “Schrems II case”) invalidated the EU-US Privacy Shield. The Court cast doubt over the extent transfers can be legitimised by the European Commission’s Standard Contractual Clauses (SCC) for personal data transfers to the US and globally. The SCCs were still valid as a transfer mechanism in principle but would require additional work.
To study the case in its entirety, see the ECJ’s full judgement in Case C-311/18.
Background of Schrems II
The case originated from activist Maximilian Schrems’ call for the Irish Data Protection Commissioner to invalidate the SCC for Facebook’s use of transferring personal data to its headquarters in the US. The personal data, both in transit to and when stored in the US, it was argued, could be accessed by US intelligence agencies. This, according to Schrems, would be in violation of the GDPR and, more broadly, EU law.
The main rule in the GDPR is that transfers outside of the EU and EEA are prohibited unless an adequate safeguard can be used. First and foremost, there are the EU Commission’s adequacy decisions, where the EU Commission after thorough evolution of national laws have concluded that a country’s data protection laws are essentially equally good as the GDPR. Then the mechanisms for secure transfers outside of the EU/EEA, prior to Schrems II: Privacy Shield, the EU Standard Contracting Clauses and Binding Corporate Rules (only for intra-group transfers). There are also possibilities for exemptions from the general principle that a recipient country must have an adequate level of protection in Article 49 derogations.
Expert Legal Advice that strengthens your digital strategy
Connect with our experts in technology and data protection law. SaaS. License agreement. Cloud services. Business-minded.
Get a quote today from the business law firm Sharp Cookie Advisors
What was tried, and what was decided?
Privacy Shield invalidated due to shortcomings in US laws
US laws had several shortcomings that impede the protection of personal data and violate the GDPR. In essence, the Court pointed to the far-reaching possibilities of surveillance that exists under the US national security laws (namely US Foreign Intelligence Surveillance Act (FISA) Section 702, Executive Order 12333 and Presidential Policy Directive 28). These laws regulate US authorities’ access and use of personal data imported from the EU into the US and do not have the controls to adequately protect EU data subjects that may become the target of national security investigations.
In detail, the Court found that data subject rights were not actionable before the courts against US authorities. The Privacy Shield had contemplated a protection mechanism in the form of an Ombudsman. Still, the role did not have the power to adopt decisions that would be binding on US intelligence services.
Companies must now verify the privacy protection in the recipient country in order to use the SCCs
Schrems II also dealt with standard contractual clauses (SCCs). It begged the question if the SCCs decided by the European Commission were valid in the context of transfers to the US. The court decided that, while SCCs are still valid, they require additional work. Companies must ensure that the recipient country has equivalent data protection to that of the EU. They cannot rely on SCCs alone – the time to “sign and forget” is over.
“Since by their inherently contractual nature standard data protection clauses cannot bind the public authorities of third countries…” (Judgement, paragraph 132)
“In that regard, as the Advocate General stated in point 126 of his Opinion, the contractual mechanism provided for in Article 46(2)(c) of the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is, therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses. (Judgement, paragraph 134)
Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.” (Judgement, paragraph 135)
A company that makes data available for potential cross-border transfer (including common cases when using a non-EU supplier) shall inform themselves of and assess the recipient country’s level of compliance with the GDPR.
The Court emphasised the existing obligation of the data exporter to ensure adequate protection of the data before exporting any data. The recipient is obliged to inform the exporter of any impediments to its compliance with the SCCs. If the existence of local surveillance laws would impede the alignment with the GDPR, then the exporter (read your customers) must stop the transfer and end the contract. If the data exporter fails its obligations under the SCC, the lead supervisory authority must intervene and may prohibit the transfer.
Analysis of the current situation using US service providers
Organizations should without delay confirm that cross-border data transfers it is responsible for complying with the GDPR and this recent CJEU’s judgement.
Acting on the invalidation of the EU-US Privacy Shield
- There will likely not be any broad enforcement of the case in the coming months, just like the last time when the prequel to Privacy Shield, the EU-US Safe Harbour mechanism, was invalidated.
- If your company has business interests in the markets with more immediate strict enforcement, e.g. Netherlands and Germany.
- Do not start using the EU–US Privacy Shield during this period.
- Consider switching to an alternative safeguard (such as the SCC).
- Standard data protection contractual clauses (SCCs).
- Binding corporate rules (BCRs).
- Codes of conduct.
- Certification mechanisms.
- Ad hoc contractual clauses.
- Additionally, it may be possible to use the exemptions that are listed in article 49 of the GDPR.
- Consider whether there are non-US alternative suppliers
Work required to continue to use Standard Contracting Clauses (SCC)
- Identify the cross-border transfers under your responsibility.
- Perform a nuanced analysis of the recipient country’s level of data protection compliance with the GDPR. Are any countries in the Five Eyes Alliance involved (Australia, Canada, New Zealand, the United Kingdom and the United States), then an in-depth analysis is required.
- Help your customers and suppliers verify the level of data protection that applies to any data exports under your responsibility. Compile your privacy documentation, adherence to relevant ISO or other standards, codes of conduct, and any previous prior consultations from your supervisory authority?
- Keep track of any new and updated guidelines from the European data protection regulators on how to use the SCCs and their statement of the legality of any data transfers in certain countries.
- Monitor any new release of a set of updated SCCs by the European Commission that will come shortly that address the risks identified by the Court for export into the US.
- Add additional safeguards to the SCCs (called SCCs plus) where the exporter and importer regulate any remaining risks associated with the data transfer. Such other safeguards can involve additional technical controls and contractual obligations on how to manage onward transfers and compelled disclosures to authorities.
Further complications using SCC for US services
Keep in mind that this ruling has limited impact on most companies using the SCC to legitimize their cross-border data transfers when the transfers are made via their own non-US communications systems.
For any US transfers, assess if the recipient organization is subject to FISA section 702 and Executive Order 12333, which typically applies where the recipient is a communication service provider.
Add additional safeguards to the SCCs (called SCCs plus) where the exporter and importer regulate any remaining risks associated with the data transfer. For US transfers, it will be crucial to include in the agreement; for example, how government requests for access to personal data must be handled to ensure that your organization has enough control. And also, technical controls to limit the use of the data could be implemented.
The broader significance of the Court’s criteria for global data export
Applying the Court’s criteria for determining the recipient country’s privacy legislation, it appears likely that the regulator holds the surveillance laws in the countries of the intelligence alliance the Five Eyes as not adequate to the GDPR. Note that the Five Eyes alliance comprises Australia, Canada, New Zealand, the United Kingdom and the United States). Companies active in these markets may consider implementing additional technical safeguards to their data transfers to be on the safe side of enforcement.
Currently, the EU Commission is assessing the UK’s privacy legislation to decide whether to provide an adequacy decision or not by the end of 2020. In the absence of an adequacy decision come 2021, we recommend implementing additional safeguards for any UK data transfers.
Will there be a grace period for Schrems II judgement?
The invalidity of the Privacy Shield was immediate. As of 16 July 2020, the Privacy Shield was null and void and should not be used. As of now (23 November 2020), there is no proactive enforcement from the regulators. The regulators appear to be taking a measured stance allowing organizations to adapt their processes and infrastructure. Especially awaited is the guidance from the EU Commission and the European Data Protection Board on how to act after Schrems II, which will provide more clarity.
Notably, the activist group behind this judgment (noyb) has during the autumn sued 101 European companies (including market-leading Nordic and Swedish companies) seeking enforcement of their use of Google Analytics and Facebook Connect integrations in their websites. The use of Google Analytics allegedly violates the data transfer mechanisms since Google relies on the SCC for onward transfer to Google in the US.
Can our organisation use Privacy Shield as a mechanism to transfer data to the US?
No, the CJEU invalidated the Privacy Shield with immediate effect on the 16 July 2020, the day of its Schrems II judgement. If there is a need to transfer personal data to the US, consider an alternative legal basis.
Can we continue to use Binding Corporate Rules as a mechanism to transfer data to the US?
The Schrems II judgement may affect transfers that take place based on binding corporate rules (BCR). The recipient country outside the EU/EEA’s legislation must be analysed to see whether the country offers equivalent protection for privacy such as the GDPR.
It is up to the organisation to export data to the US or another third country to perform a Transfer Risk Assessment. In such an assessment, an analysis of the data flow, supplier’s access to the data, recipient country’s legislation, if additional safeguards are applicable to the SCCs and alternatives to the supplier are documented.
When the national supervisory authorities approve binding corporate rules, control of the BCRs is made to make sure that the rules meet the GDPRs requirements. The BCRs contain rules on how a certain company group follow fundamental data protection principles such as example purpose limitation, data minimisation, the data subjects’ rights and how to manage complaints. It is up to the company group to make sure that the recipient countries’ national legislation respects the GDPR.
Approval from a national supervisory authority does not mean that all transfers are automatically approved. The national supervisory authority does not make an analysis of if the recipient country’s legislation meets the GDPRs requirements.
Checklist and considerations for compliance with Schrems II
- Make an inventory of all non-EU suppliers and sub-suppliers and partners (which involves data transfers outside of the EU/EEA). Review your records of processing that should include this information. Do not forget to investigate the sub-processors of your processors.
- Assess the laws of the country you are transferring personal data to.
- To be able to use transfer data using the SCC, you should document your risk assessment of the suppliers/recipients of data. Review if there are exceptions to the strict requirements of cross-border transfers for you, review the effectiveness using of technical controls and, where possible, construct additional safeguards and request those supplements to the SCCs in place.
- Review any supplier relationships that involve data transfers to the US, is the supplier and its solution necessary or can you change the solution and/or supplier?
- Public sector customers may require an alternative infrastructure setup due to the further restrictions of data transfers that apply for public sector classified personal data (like encryption and other technical controls may not be enough according to case law to allow for continued use of such supplier and service).
- Evaluate hybrid cloud solutions. Review to what extent your organization can commit to cloud and infrastructure solutions provided by American-, global-, European- and Swedish cloud services suppliers, respectively.
- Make plans to engage in prior consultation with the Data Protection Authority to get acceptance of your transfer impact assessment and alternative set-up.
- Update any data processor agreements as applicable, and change processor if your analysis comes to that conclusion.
- Update any internal data protection policies to keep your organisation in line with this new situation.
- Update your external privacy notices to inform your visitors and customers of how you are meeting your responsibilities as controller/processor.
It is important to document the steps taken. It is also important to re-evaluate these measures at appropriate intervals. All in all, the courts’ decision does not mean that transfers of personal data to the US have been made impossible, but more restricted.
Update: Resources for your analysis
The transfer impact assessment you make must reference the level of protection from local laws. You will need to read up on and assess the laws of the recipient country and read our summary of EDPB’s recommendations on European Essential Guarantees.
With any subprocessors, you shall use the new Standard Contractual Clauses, they exist in four different modules, depending on the situation. You may read our post on the New SCCs from EU – the Definitive Guide.
For some situations, when you have taken extra care and you e.g. have the consent of the customer, exemptions to the international rules on transfers apply, please read our post on GDPR article 49 derogations applicable to international transfers.