GDI Deep Read: Understanding how Schrems II impacts EU-US Cross-border Data Transfers

Good Data Initiative
16 min read · Dec 22, 2020

The dust has barely had time to settle over the last five months since the Court of Justice of the European Union (CJEU) issued arguably the most important judgement on data privacy this year: That of Case-C-311/18 (Schrems II), concerning the EU-US Privacy Shield. In short, the US was found to provide insufficient data subject rights relative to the EU — essentially meaning that there will no longer be a free flow of data from Europe to the US.

Despite the vast scope of its impact, many open questions remain. On the 11th and 12th of November 2020 the European Data Protection Board (EDPB) and the European Commission (EC) finally provided some guidance on the implementation of this monumental judgement. No grace period has been offered to the 5,300 companies affected by this ruling, 70 percent of which are small- and medium-sized enterprises (SMEs). The Schrems II judgement has the potential to transform almost everything about how EU companies conduct international data transfers. How did we get here, and what does this mammoth judgement actually mean?

What happened?

On the 16th of July 2020, the CJEU issued its judgement in Case-C-311/18 (Schrems II) in which it invalidated the EU-US Privacy Shield, which had previously enabled companies on both sides of the Atlantic to comply with different EU and US personal data protection requirements when transferring data. This decision follows the Schrems I judgement issued in 2015 which invalidated the Safe Harbour agreement, the predecessor to the Privacy Shield. The Safe Harbour agreement had been invalidated inter alia in light of the 2013 Snowden NSA revelations about the nature and scope of US surveillance.

In the judgement, the Court’s reasoning states that the Privacy Shield does not offer “essentially equivalent” protection to that offered by the EU’s General Data Protection Regulation (GDPR). US surveillance programs are seen as purposefully vague and unlimited by design, thus rendering the risk too high of mass surveillance of European data. When it comes to individual redress, the Court also stated that the US provides insufficient data subject rights. EU data subjects’ lack of standing in US courts and the absence of alternative mechanisms for Europeans to invoke their data protection claims both presented significant problems for the Court. Finally, the Court found that the so-called Ombudsperson (who had been installed because of the Safe Harbour agreement’s invalidation) was insufficient to guarantee this individual redress, as he was neither independent nor empowered — two conditions the Court viewed as necessary.

What does this mean?

The recent Schrems II judgement essentially means that there will no longer be a free flow of data from Europe to the US, since the EDPB has made it clear that there will be no transition period. Companies wishing to engage in transatlantic data transfers will need to come up with alternative solutions — and fast. Failing to do so could result in astronomically high fines for companies (now possible under the GDPR) reaching up to 4% of yearly turnover or 20 million euros, whichever number is higher. These fines are in addition to possible user damages claims. In this context, it is also worth noting that data transfers are understood within a broad definition: For example, an HR director in Dubai who is accessing employee data in the EU would fall within this definition, making it clear that this ruling impacts effectively any company engaged in business with the EU — not only Big Tech. Law firms are understandably now scrambling to come up with mechanisms of securing safe data transfers for their clients.

Before Schrems II, there were four ways of effecting legal data transfers from the EU to the US:

  1. Adequacy Decisions
  2. Standard Contractual Clauses (SCCs)
  3. Binding Corporate Rules (BCRs)
  4. And if all else failed — Derogations (e.g., consent or reasons of public interest)

After Schrems II, this landscape has now significantly changed. The US is no longer deemed of adequate standard (“providing essentially equivalent protections”) for there to continue being a free flow of data between the US and EU. What remains are the latter three options — but not without severe restrictions.

Cross-border data transfer options post-Schrems II: What transfer tools remain?

1. Standard Contractual Clauses (SCCs)

The first remaining option is the usage of Standard Contractual Clauses (SCCs). Prior to the Schrems II judgement, SCCs used to be little more than a box-ticking exercise for companies, since they simply required the inclusion of standard clauses in data controlling or processing contracts with little regard to whether these clauses were actually adhered to. The CJEU, however, has now made it clear that companies must, “verify whether the law of the third country of destination ensures adequate protection under EU law” (para. 134), and that they “are required to verify, prior to any transfer, whether the level of protection required by EU law is respected in the third country concerned” (para. 142).

Crucially, the Court remains silent on the issue of how, exactly, companies are supposed to master this exercise every time they want to make use of SCCs. It is simply not plausible to expect companies — and especially SMEs — to conduct a detailed assessment of a third country’s national law and check for “adequate protection” pursuant to EU standards for every SCC they need to create. The Schrems II case, which was essentially an assessment of whether the US provides adequate protection, took seven years to adjudicate; involved more than 45,000 pages of submissions; and cost several million euros to litigate.

Given the extensive resources that went into this one case analysing a single country’s “adequate protection” for data subject rights, it remains a mystery how companies and SMEs are expected to carry out this same exercise in a fraction of the time, for a fraction of the cost. It also leaves a certain scent of irony to expect Big Tech to — once again — self-regulate with minimal guidance from public authorities.

Moving forward: If it is established that a third country does not provide adequate protection after an assessment of the third country’s laws has been carried out, additional measures are required to guarantee the same level of data protection under EU law. These additional measures may include anonymization, pseudonymization, or encryption, each of which comes with its own share of security risks that need to be mitigated. It remains clear that US-situated companies will inevitably be bound by US disclosure laws. The CJEU has further made it clear that compliance with these rules is a shared responsibility between the data exporter and importer.

On 12 November 2020, the European Commission (EC) released a draft version of the highly anticipated updated SCCs. SCCs have two main players: the data controller and the data processor. The GDPR defines a data controller as, “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data,” while the data processor is, “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The European Commission has adopted a modular approach in its new Standard Contractual Clauses, taking account of four configurations: i) EU controller to non-EU controller, ii) EU controller to non-EU processor, iii) EU processor to non-EU processor, iv) EU processor to non-EU controller.

A novelty in this new set of SCC clauses is the ‘docking clause,’ which enables new parties to join existing contracts. Moreover, the concept of limiting the applicability of SCCs to EU-based exporters has been abandoned since the GDPR clearly applies not just to EU-based data exporters, but to any company processing data involving EU citizens.

The new obligations now stipulated in the SCCs include the following:

  • A transfer impact assessment: This refers to the assessment of the third country’s protection standards referred to above. The data importer must warrant that it has made use of best efforts to provide the necessary information and cooperation. An important nuance compared to the EDPB guidelines outlined below is that the EC SCCs require that parties take into account the specific circumstances of the transfer. This would allow parties entering into SCCs to consider the level of risk in regard to possible exposure to government surveillance. Thus the EC foresees a slightly more subjective assessment here than that outlined by the EDPB.
  • Third party beneficiary rights for data subjects: Another novelty is the fact that data subjects can now directly derive rights from the contract between the EU data exporter and third country recipient. This is further reinforced by enhanced transparency obligations. In regard to C2C transfers, the identity of the data importer will have to be disclosed. The data importer will also be responsible for handling the data subject’s requests.
  • Importer warrants detailed review of access requests: This innovation stipulates that the data importer must warrant that if foreign parties seek access to data, the data importer must scrutinise and review these requests, and can voluntarily commit to challenge access requests. It is interesting to note here that Microsoft has already announced that it would pay users compensation if it discloses personal data following a government access request which would violate EU law.

Finally, it must be noted that the new SCCs are no “get out of jail free” card. If there is no equivalent protection, supplementary measures will always be required. The EC has foreseen a transition period of one year, in which the “old” set of SCCs will remain valid.

2. Binding Corporate Rules (BCRs)

The second remaining option is Binding Corporate Rules (BCRs). These are considered by some to be the new “gold standard” for data transfers and can be precisely tailored — but one should be careful before considering BCRs a possible panacea. Aside from being restricted to intra-group transfers, BCRs are notoriously costly and time intensive to negotiate, which has historically restricted their use to large companies rather than small businesses. The EDPB has also made it clear that additional measures will be required here as well if the third country does not meet the threshold of “adequate protection.”

3. Derogations

The last option — derogations — remains largely unaffected by the Schrems II judgement. However, the EDPB has made it clear that derogations are only suitable for occasional and non-repetitive data transfers, and only when they apply to a closed group of data subjects (e.g. employees). These derogations grow increasingly complex when applicable in a B2C context. Explicit consent thus seems the only viable option in this regard.

As a last resort, an alternative option that has also been suggested is re-localisation. Here, data processing would be re-located to within the EU and thus data would never have to leave the EU in the first place. This option would be very costly as it would require companies to build additional data processing centres in the EU. Another likely negative effect would be felt within the entrepreneurial and small business landscape, as the Schrems II judgement could substantially impair EU market accessibility for smaller companies and nascent start-ups.

EDPB guidelines and steps towards compliance

As of December 2020, the European Data Protection Board has now released some guidelines which offer more clarity on what data controllers and processors must take into account in the future when transferring data to outside of the EU. While EDPB guidelines do not possess binding character, they are considered highly authoritative since the EDPB is the institution tasked with supervising the implementation of the GDPR. The EDPB has outlined a number of steps to be taken by businesses wanting to ensure compliance with the new rules. Most important are the following:

1. Know your transfers: This step requires businesses to map and record all data transfers within their organization. As implied previously, transfers also include situations of remote access, onward transfers, and international cloud storage. No further steps are required if the data within the organization does not leave the European Economic Area (EEA).

2. Verify Transfer Tool: Similarly, if the data is sent to a country considered to have adequate protection standards, then no further steps are required. Likewise, if the data transfer is only occasional and non-repetitive, then derogations may be used. However: in all other circumstances, SCCs and BCRs will need to be used.

3. Assess the Third Country: If either SCCs or BCRs are used, then an assessment will need to be conducted of whether protection in the third country is essentially equivalent. Here, the data importer can provide relevant sources. The relevant parameters are the a) applicable legal context (this depends on the type of industry and data), b) the laws governing access to data by authorities (especially when they are ambiguous or not freely available), and c) whether individuals can obtain judicial redress against unlawful access.

Most importantly, the EDPB determined that this assessment shall not be made based on subjective factors, such as the likelihood of the data being accessed. The EDPB thus has interpreted the Schrems II judgement restrictively and demands an objective assessment here. [Additional note: This is especially interesting in the context of a recent White Paper (Sept 2020) published by the US Government in response to the Schrems II judgement, where it stipulated that most EU data were of low interest to US government agencies.]

4. Adopt Supplementary Measures: The EDPB has outlined a number of technical, contractual, and organizational measures that can be used in an attempt to remedy inadequate protection standards in third countries:

  • Technical measures include methods like those previously mentioned, including encryption, pseudonymisation, or split/multi-party processing. In regard to encryption, the EDPB requires that the decryption key must be in the hands of an EU controller, and in regard to pseudonymisation, the additional data needed to de-pseudonymise the data must also be in the hands of an EU controller. To many businesses’ despair, this will simply not be possible within their current business models (this includes standardized web services such as Salesforce or Google reCAPTCHA).
  • Contractual measures include: Technical measures as a precondition for transfer; transparency obligations imposed on the importer; the exporter’s right to audit data processing facilities; and the notification of inability to comply or the importer’s commitment to review the legality of an access request.
  • Organisational measures will likely mainly be relevant for the usage of BCRs and include measures such as a) the allocation of responsibilities and access rights and b) the imposition of strict data security and data privacy policies (cf. ISO 27001).
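The EDPB's condition that the data needed to de-pseudonymise stays with the EU controller, shown as an added Python illustration (not code from the article or from the EDPB): the exporter transfers only pseudonymised records, while the HMAC secret and the pseudonym-to-identity table never leave the controller. The sample records, field names and the `EuController` class are constructed for this example.

```python
"""Pseudonymise records for export while the EU controller keeps the
re-identification secret and lookup table (added illustration)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample HR records; people and addresses are fictitious.
EU_RECORDS = [
    {"employee_id": "E-1001", "email": "anna@example.eu", "department": "finance", "salary_band": "B"},
    {"employee_id": "E-1002", "email": "bart@example.eu", "department": "finance", "salary_band": "C"},
    {"employee_id": "E-1003", "email": "cara@example.eu", "department": "sales", "salary_band": "B"},
]

# Fields that identify a person directly and must never reach the importer.
DIRECT_IDENTIFIERS = ("employee_id", "email")


class EuController:
    """Holds the HMAC secret and the pseudonym -> identity table inside the EEA.

    Only the output of export_view() is transferred; the secret and the table
    are the "additional data needed to de-pseudonymise" and stay here.
    """

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret or secrets.token_bytes(32)
        self._lookup: Dict[str, Dict[str, str]] = {}

    def pseudonym(self, record: Dict[str, str]) -> str:
        # Keyed HMAC rather than a bare hash: employee IDs are guessable, so a
        # plain SHA-256 of "E-1001" must not match the exported pseudonym.
        digest = hmac.new(self._secret, record["employee_id"].encode(), hashlib.sha256)
        return digest.hexdigest()[:32]

    def export_view(self, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
        """Return the records with direct identifiers replaced by a pseudonym."""
        exported = []
        for rec in records:
            p = self.pseudonym(rec)
            self._lookup[p] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
            payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            exported.append({"pseudonym": p, **payload})
        return exported

    def reidentify(self, pseudonym: str) -> Dict[str, str]:
        """Only the controller, holding the table, can map a pseudonym back."""
        return self._lookup[pseudonym]


def leaks_direct_identifiers(exported: List[Dict[str, str]]) -> bool:
    """Pre-transfer gate: True if any direct identifier survived into the payload."""
    return any(k in DIRECT_IDENTIFIERS for rec in exported for k in rec)


def unkeyed_guess_matches(exported: List[Dict[str, str]], guesses: List[str]) -> bool:
    """Self-check for the controller: would plain hashes of known ID values
    match any exported pseudonym? With a keyed HMAC they must not."""
    pseudonyms = {rec["pseudonym"] for rec in exported}
    attempts = {hashlib.sha256(g.encode()).hexdigest()[:32] for g in guesses}
    return bool(pseudonyms & attempts)


if __name__ == "__main__":
    ctrl = EuController()
    view = ctrl.export_view(EU_RECORDS)
    assert not leaks_direct_identifiers(view)
    print(view[0])  # pseudonym plus department and salary_band only
    print(ctrl.reidentify(view[0]["pseudonym"]))  # identity, available only in the EEA
```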

The EDPB also clarified that merely implementing contractual and organisational measures will usually not be sufficient. Thus, the implementation of technical measures will have to become the norm.

How does this judgement affect US/EU Data transfers?

This is the second adequacy decision for data transfers to the US (Schrems I and Schrems II) that the EU has invalidated within the last five years, not forgetting Opinion 1/15 (i.e., the invalidation of a proposed international agreement for airline passenger data transfers to Canada). This runs counter to European Data Protection Commissioner Peter Hustinx’s statement that EU data transfer rules, “are based on a reasonable degree of pragmatism in order to allow interaction with other parts of the world.” These decisions have made it clear that the EU is simply not willing to budge when it comes to data subjects’ protection. Rather, it requires all other countries wanting to conduct business within the EU to rise to its level, leaving little room to accommodate third country norms — a rather perfect example of the so-called “Brussels Effect,” coined by Professor Anu Bradford. As Dr. Christopher Kuner eloquently states:

“…this [Schrems II] could be viewed either as a missed opportunity to provide increased global interoperability between data protection systems, or as a necessary step to avoid the circumvention of the standards of the GDPR.”

The Schrems II ruling has sparked an uproar in the data protection world. Facebook warned that it may pull out of the European market entirely as a result of the ruling, affecting services including Facebook-owned Instagram. In a blog-response to the judgement, Nick Clegg, Facebook’s head of global affairs and communications, wrote:

“In the worst-case scenario, this could mean that a small tech start-up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco.”

As of September 2020, the Irish Data Protection Commission (IDPC) has already gone ahead and shared a draft preliminary order that would essentially halt all Facebook personal data transfers to the US unless it changes its data processing practices, and suggested that SCCs cannot be used as a method to ensure “adequate protection”. This preliminary order could potentially prevent any company from lawfully transferring personal data to the US. Ironically, even Ireland’s COVID-19 tracing app for the ongoing pandemic currently relies on SCCs for data transfers to one of its processors in the US.

Examples of other big IT and cloud service providers impacted by this judgement include AT&T, Amazon, Apple, Cloudflare, Dropbox, Facebook, Google, Microsoft, and Verizon Media. Outsourcing of data — i.e., where an EU company forwards personal data to a US company for data processing — is rendered illegal under the current framework. This might mean that services including Facebook, Twitter, and Instagram will need to significantly change their data processing policies — or must cease providing services within the EU.

While the US Commerce Secretary, Wilbur Ross, announced that the US will remain in close contact with the European Commission and the EDPB on this matter and hopes “to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments”, it remains to be seen whether there will be a further edition of this seemingly never-ending Safe Harbour/Privacy Shield saga. In light of the CJEU judgement’s bluntness — which took issue with the primacy of US rule of law — this seems rather unlikely, especially given the political inclinations of the current US government. Whether this trajectory will change following the recent US national election remains to be seen.

What about data transfers to other third countries?

With the Schrems II judgement, it has become evident that at stake is not merely an EU-US debate concerning data protection standards, but one that will inevitably affect data transfers to any third country. This raises significant legal questions regarding already existing adequacy decisions and their validity. More immediately, it also raises concerns about the UK adequacy decision that would now have to be granted, on account of Brexit, for UK-EU data transfers to continue. In the wake of widespread surveillance conducted by the UK, it remains to be seen whether such a decision will be granted.

Finally, the Schrems II ruling also raises concerns as to whether data transfers to other major world powers, including China, will continue to be possible, given that law enforcement legislation and information concerning security services may be difficult to obtain or non-existent. This is particularly worrying in view of the EU’s annual exports of over €200 billion to China, including via natively-Chinese platforms like TikTok, Alibaba and Tencent. It could be argued that transfers to nations that might be considered to be following authoritarian capitalism deserve greater scrutiny. How can one justify prohibiting data transfers to the US, but freely allow them to other countries where national data protection standards grant even less protection? Such broader enforcement would also fully bring to light the massive economic implications of the Schrems II decision.

In sum, the Schrems II decision affects nearly every sector of the European economy, from the medical sector to the financial markets. Whether Schrems II will result in a more harmonized global data protection framework, or whether it will instead lead to the limitation of free data flows and data localization (and thus, the fragmentation of the data economy) remains to be seen.

Marcus Evans, EMEA Head of Data Protection, Privacy and Cybersecurity at Norton Rose Fulbright law firm in London aptly concluded: “At the moment we are in a very uneasy position where the regulators seem to have set the bar too high and businesses are trying to explain that if they keep the bar at that height the implications will be enormous. If they could soften this guidance so we could take into account the likelihood of access by a foreign government, the world might be able to carry on spinning without the disruption the current guidance is suggesting.”

Key Takeaways (TL;DR):

  • The recent Schrems II judgment in July 2020 irreversibly changes the transatlantic data transfer landscape.
  • Companies wanting to conduct transatlantic data transfers via Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) will now have to conduct tailored assessments as to whether the third country to which the data is transferred provides adequate data protection standards.
  • However, the Court of Justice of the European Union (CJEU) has essentially concluded that the US does not provide such adequate protection. This means that additional protection measures (e.g., encryption or anonymization) will have to be implemented.
  • Other remaining data transfer options are either derogations — which are not meant for repetitive or regular data transfers — or conducting data processing exclusively in the EU.
  • We do not yet know how the Schrems II judgment will affect data transfers to other countries with even lower data protection standards (e.g., China).

About the Author: Victoria Häberle

Victoria Häberle holds an LL.B. in European Law from Maastricht University and is reading the LL.M. at the University of Cambridge, specialising in Intellectual Property and Data Privacy Law. She is currently conducting research focused on global FRAND (fair, reasonable, and non-discriminatory) litigation and its compatibility with TRIPS (The Agreement on Trade-Related Aspects of Intellectual Property Rights). During her time at Maastricht University, she participated in the Nuremberg Moot Court 2018, which she won together with her team. She previously worked as an intern in the Prosecution Section at the International Criminal Court (during which she worked on the Al-Hassan case) and was a Schuman Trainee at the European Parliament. Victoria is also the assistant editor for the Annotated Leading Cases of International Criminal Tribunals, and a current Research Analyst at GDI.

Think tank led by students from the Univ. of Cambridge. Building the leading platform for intergenerational and interdisciplinary debate on the #dataeconomy