Post Schrems II decision – what to do next to manage data transfers outside the EU

Organisations that wish to transfer the personal data of Europeans to jurisdictions outside the EEA must use an appropriate transfer mechanism to transfer the data lawfully. For example, let’s take a company based in the US that provides accounting software to Customers in the EU. These EU Customers are likely to be Data Controllers as in they are responsible for the data they collect and process relating to their clients. The US company is likely to be a Data Processor in respect of the personal data transferred by those Customers. As the EU-based Customers are essentially transferring data from the EU to the US, they must ensure that a valid data transfer mechanism is in place.

Until July 2020, organisations could rely on several transfer mechanisms to facilitate these international data transfers. These mechanisms include:

1. Transfers based on an adequacy decision by the EU commission (ie “whitelisted” countries)
2. Privacy Shield mechanism for transfers to the US.
3. Transfers subject to appropriate safeguards – including the following:
   1. binding corporate rules
   2. standard contractual clauses
   3. approved codes of conduct
   4. approved certification mechanisms
4. Derogations for specific situations which include:
   1. explicit consent of the data subject
   2. contractual necessity (for occasional transfers)
   3. important reasons of public interest
   4. transfers necessary for the establishment, exercise, or defence of legal claims
   5. transfers necessary to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent
   6. the transfer is made from a register intended to provide information to the public
   7. where such transfers are not repetitive, concern only a limited number of data subjects and are necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.

On 17 July 2020, the CJEU invalidated the European Commission’s decision enabling the EU-U.S. Privacy Shield Framework. This means that, with immediate effect, organisations can no longer rely on Privacy Shield certification as the lawful basis for transferring personal data related to EU individuals to the US.

The decision of the CJEU also affects the European Commission’s SCCs. While the judgment theoretically upholds the validity of the SCCs, it requires organisations (EU data exporters) and data protection authorities to conduct a case-by-case analysis to determine whether the protections afforded in the country of the receiving party meet EU standards for the protection of personal data. This has particular relevance for the US due to the concerns expressed by the CJEU in relation to the US government’s wide surveillance activity.

Based on the CJEU’s comments on US surveillance, it would appear that it will be difficult for an importer of personal data in the US to meet the adequacy standards, especially given that the CJEU has found that there is inadequate protection in that jurisdiction vis a vis Privacy Shield. The US based accounting software company we referred to above will want to do everything it can to solve this issue for its EU-based customers. So, what can it do

EU data exporter Controllers and Processors are being encouraged to seek an alternative transfer mechanism to Privacy Shield. The most suitable option for many will be SCCs. However, given the CJEU’s commentary on SCCs, data exporters are advised to not just enter into SCC contracts, but to also consider appropriate supplementary measures to protect personal data. We await guidance from regulators and the European Commission on what appropriate supplementary measures would meet their requirements. However, in the meantime, based on the CJEU judgment in Schrems II, we can suggest that, at a minimum, that ensures that it (and all its sub-processors) encrypt all data in transit and at rest. This may go some way to alleviate the CJEU’s concerns about US government agencies accessing data.

Our Plan to help organisations manage personal data transfers outside of the EU

We have set out below a plan of action to be undertaken by organisations who are impacted by the Schrems II decision. We are happy to assist with all elements of the plan, as required. The plan is broken into three stages:

1. 1. Assessment –Check your Record of Processing Activity (ROPA).  Identify all ex-EEA data transfers. Consider: what data is being transferred? To where? Based on what transfer mechanism? What is the status of the transferee country? Use a risk rating to highlight the highest risks as they may need immediate action.
   2. Implementation – Develop a questionnaire to ask data transferees. Ask the transferees who rely on privacy shield, what their plans are to deal with the impact of the Schrems II decision; If they are moving to SCCs, what other measures are they taking? For transfers based on SCCs, consider requiring transferees to encrypt the data in transit and at rest. 
   3. Ongoing process – update procurement processes and contracts to reflect these changes.

We have helped many organisations with their post-Schrems analysis. Please contact us below for more information and a free initial assessment. 

Get in Touch