The Schrems judgment – Transfer Impact Assessments for international data transfers?

The European Court of Justice has today decided that the controller-processor Standard Contractual Clauses (SCCs) are valid but that the EU-U.S. Privacy Shield is no longer a valid adequacy instrument to enable personal data transfers to the U.S. because U.S. state surveillance powers are excessive.

The key practical points arising from this judgment are:

  • The EU-U.S. Privacy Shield is no longer valid and businesses solely relying on it to transfer personal data to the U.S. should rely on another transfer solution, including by putting SCCs in place.
  • While SCCs remain valid, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected (e.g. because of potential access by law enforcement or national security agencies). This is, in effect, a Transfer Impact Assessment. This will be burdensome for small organisations but also large ones making hundreds, if not thousands, of transfers.
  • The EU Commission is now likely to issue updated SCCs. Those new clauses could bake in the Transfer Impact Assessment discussed above. While existing SCCs will hopefully be “grandfathered”, business should anticipate changes to their processes for new transfers.
  • The judgment could have a negative impact on any adequacy finding for the UK after the Brexit transition period. While there are material differences between the U.S. and UK surveillance regimes, the judgement will no doubt make the EU Commission more cautious in future adequacy assessments.
  • In the absence of an adequacy finding, transfers of personal data from the EU to the UK will be more difficult post-Brexit as EU businesses will necessarily have to consider the effect of UK government surveillance powers, in particular the Investigatory Powers Act 2016.
Background

The General Data Protection Regulation (GDPR) contains a restriction on transfers of personal data to third countries. The rationale for this restriction is to ensure the protection afforded by the GDPR cannot be evaded simply by transferring this data to a third country. This restriction is interpreted strictly given the protection afforded to data protection under Article 8 of the EU Charter of Fundamental Rights.

There is a number of exceptions to this restriction such as where the transfer is to a jurisdiction with adequate data protection laws, the data subject has given explicit consent to the transfer, binding corporate rules are in place or certain fact-specific conditions apply.

However, for many transfers the only practical solution is the use of SCCs. These are a template contract prepared by the EU Commission and come in a number of different forms, including controller-controller SCCs and controller-processor SCCs. Most large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients, many of which will depend on SCCs.

The current judgment is a result of a challenge brought by Maximilian Schrems, a privacy activist, against Facebook Ireland Ltd’s use of controller-processor SCCs to transfer personal data to Facebook Inc in the US. Mr Schrems also challenged the use of EU-U.S. Privacy Shield to justify these transfers.

The decision

The CJEU has made four important decisions:

  • The controller-processor SCCs remain valid.
  • However, the controllers making those transfers need to verify in advance that the personal data being transferred will be properly protected.
  • Data protection authorities must assess if the personal data transferred under SCCs is properly protected and, if not, suspend or prohibit that transfer.
  • The EU-U.S. Privacy Shield is invalid because the U.S. state surveillance powers are not properly circumscribed. In particular, the Ombudsman mechanism does not provide sufficient protection for EU citizens.
Introducing Transfer Impact Assessments (TIAs)

The basis for the CJEU’s decision is that while SCCs bind both parties in relation to their processing of personal data, they do not bind anyone else, such as any third country authorities that obtain that personal data.

Accordingly, while the personal data might be adequately protected in the hands of the data importer, there is no such reassurance in relation to any third party. This means that the data exporter must verify “on a case-by-case basis” what protections apply (where appropriate in collaboration with the data importer).

The judgment states this must include an assessment of the laws of the third country, the existence of any independent supervisory authority and any international commitments made by the country. However, in order to ensure a proper case-by-case assessment it seems likely that a broader review would be appropriate. This may include the following:

  • What personal data is being transferred? How sensitive is it? How much is in the public domain?
  • Where did that personal data originate from?
  • What technical measures are used to protect that data? For example, where customer managed encryption keys are used, the ability of third country authorities to access that data will necessarily be limited.
  • What national laws apply in that jurisdiction? How are they exercised in practice? How likely are they to be exercised in relation to the particular personal data transfer?

While businesses already burdened by Data Protection Impact Assessments and Legitimate Interests Assessments may not welcome the need to complete an additional Transfer Impact Assessment, it will allow a more comprehensive and flexible risk assessment rather than narrowly focusing on the third country’s laws. For example, there is a significant difference between storing your organisation’s internal telephone directory in a third country and transferring your customer’s sensitive financial or banking records.

Finally, this Transfer Impact Assessment needs to be monitored on an ongoing basis and updated in light of any changes in the laws of the third country.

The end of EU-U.S. Privacy Shield

After a comprehensive review of the EU-U.S. Privacy Shield and U.S. surveillance law, the Court of Justice decided that the Privacy Shield does not ensure adequate protection of personal data, as required by the EU Charter of Fundamental Rights. There are two key reasons for this finding:

  • U.S. surveillance law, principally section 702 of Foreign Intelligence Surveillance Act and Executive Order 12333, does not contain sufficient safeguards to ensure proportionate use.
  • The Ombudsman mechanism under the EU-U.S. Privacy Shield which is used to protect EU citizens’ rights does not provide a sufficient remedy to EU citizens as required by Article 47 of the EU Charter of Fundamental Rights.

Subject to the upcoming U.S. administration and EU Commission’s official reactions to the judgment, it seems likely that it will make any future partial adequacy finding for the U.S. even more difficult.

Some transfers to the U.S. will already be made on a “belt and braces” basis under both EU-U.S. Privacy Shield and SCCs, so can simply fall back on SCCs, subject to carrying out a Transfer Impact Assessment, as set out above.

Where the transfer is made solely under the EU-U.S. Privacy Shield, it is important to put SCCs in place as soon as possible.

Over to you, supervisory authorities

The judgment raises a number of questions and places a number of burdens on data protection authorities. In particular:

  • While the data protection authorities cannot grant a “grace period” as such, they may well take a gradual approach to enforcing these new requirements. As an illustration, when the Safe Harbor was struck down in 2015, data protection authorities indicated they would not take active enforcement for a few months to allow controllers to make new arrangements.
  • The data protection authorities will have to start assessing transfers made to third countries using the SCCs, including responding to complaints by data subjects. This is an unenviable task. Foreign law enforcement and national security laws are often unclear, opaque or even secret. Most jurisdictions do not avow their national security powers in the way some Western European jurisdictions do (such as through the UK Investigatory Powers Act 2016). It is not clear how the data protection authorities intend to approach such an assessment.
  • The judgment could be read as suggesting that data protection authorities need to draw up “blacklists” of jurisdictions that will not adequately protect personal data. However, any such finding would be politically explosive and likely legally unsound, given it would not factor in the particular circumstances of that transfer.
SCCs v.2.0

The current SCCs pre-date the GDPR and some versions are nearly twenty years old. The EU Commission has been working on an updated version of the SCCs behind the scenes both to update their terms to match the GDPR and in preparation of any challenge to their terms.

The Schrems judgment removes any immediate pressure to rush out the updated SCCs, but it is still likely that the EU Commission will look to issue them in due course. The new form of SCCs might “bake in” the new requirement for a Transfer Impact Assessment.

Importantly, on the upside, we expect these new SCCs to cover processor-to-processor transfers, which have long been needed e.g. to facilitate EU-based processors to use sub-processors based outside of the EU.

While it is likely that the new SCCs will not affect the validity of any existing transfers made under the original SCCs (as was the case when the new controller-processor SCCs were issued in 2010) business should factor in further disruption moving to these new SCCs in due course.

Brexit – All eyes on adequacy

The judgment will also have a significant impact on data transfers post-Brexit when the current transitional period comes to the end at the end of the year. At that point, the UK will become a third country for the purposes of the GDPR. In relation to future transfers:

  • From the UK to the EU – These can continue unimpeded as the UK has decided that the EU has adequate data protection laws.
  • From the EU to the UK – These may be affected as the EU has not yet made a reciprocal finding that the UK has adequate data protection laws. This remains an issue in discussions between the EU and the UK. The judgment is likely to impact transfers from the EU to the UK.

Firstly, the judgment is marginally unhelpful to any adequacy finding. The UK surveillance regime is markedly different to that in the U.S. For example, the UK regime, as set out in the Investigatory Powers Act 2016, contains numerous checks and balances. It has already been reviewed by the European courts and a number of amendments have been made to bring it into line with European law. In addition, the UK regime does not have the same distinction between UK and foreign nationals made under U.S. law. However, the judgment will undoubtedly make the EU Commission more cautious about finding the UK adequacy given the risk that decision could also be challenged in the CJEU.

Second, in the absence of an adequacy finding, the use of SCCs by EU business to transfer personal data to the UK has become more cumbersome and more onerous. While it should be relatively straightforward for EU businesses to conclude that such transfers are still permitted, some may be deterred by the additional cost and expense this assessment will entail.