In the "Schrems II" case decided by the Court of Justice of the European Union ("CJEU"), one mechanism used to transfer personal data out of the European Economic Area ("EEA") has been invalidated outright (the Privacy Shield), while another (the Standard Contractual Clauses), although upheld by the CJEU, now comes with additional requirements that companies transferring personal data out of the EEA must comply with.
Under the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 ("GDPR"), personal data may in principle not be transferred to recipients outside the EEA unless (i) the European Commission has adopted a decision finding that the destination country offers an adequate level of data protection or, failing this, (ii) appropriate safeguards are in place, such as signing the Standard Contractual Clauses ("SCCs") issued by the European Commission or adopting binding corporate rules or, (iii) one of a limited set of derogations applies in the specific situation.
Transfers to the United States of America ("US") were covered by an adequacy decision under which transfers of personal data to entities that had self-certified under the EU-US Privacy Shield Framework were allowed.
The main outcomes of the judgment of 16 July 2020 are the following:
- Invalidation of the Privacy Shield - Almost five years after invalidating the Privacy Shield's predecessor, the US Safe Harbour, the CJEU did the same with the EU-US Privacy Shield Framework.
- Validity of the SCCs - The CJEU confirmed the validity of the controller-to-processor SCCs issued by the European Commission, but it also added new requirements that entities relying on such SCCs must comply with.
What are the direct consequences of this decision for companies transferring personal data outside the EEA?
Consequences for companies currently transferring personal data from the EEA to entities in the US that had adhered to the Privacy Shield
Transfers from the EEA to US entities that had self-certified under the Privacy Shield Framework are no longer valid, and the CJEU did not provide for any grace period, which means that entities that used to rely on that framework must find solutions quickly.
TO DO IF YOU CURRENTLY RELY ON THE PRIVACY SHIELD
- Check the transfer section of your record of processing activities (the register that is mandatory under Article 30 of the GDPR and requires entities to list their processing of personal data) to determine whether your entity transfers personal data from the EEA to the US and whether those transfers currently rely on the Privacy Shield Framework. If so, and if they are not already in place, sign SCCs with the recipient(s). As explained below, even though this is not a perfect solution, having SCCs should allow you to maintain the transfers currently in place, provided you comply with some specific requirements.
- If your record is incomplete or out of date, map the potential recipients of personal data located in the US (service providers, data processors, other entities of the group, etc.) and check whether you have an agreement in place with them covering the transfer of personal data and whether that agreement contains the SCCs. If not, put such SCCs in place.
Consequences for companies using SCCs to transfer personal data outside the EEA to countries not offering a sufficient level of personal data protection (“Third Country”)
As mentioned above, SCCs are one of the possible options for legally transferring data outside the EEA. In that case, the exporting company in the EEA should have a contract (including the SCCs) signed with the importing company located outside the EEA.
Whereas the validity of this mechanism has been confirmed by the CJEU, the Court has nevertheless insisted on a strengthened duty for data exporters and data importers using such clauses, which implies the following steps / requirements:
- Both parties must verify, prior to any transfer and taking into account the circumstances of the transfer, whether a level of protection essentially equivalent to that guaranteed within the EU by the GDPR is ensured in the Third Country concerned, meaning that the law of the destination Third Country must not prevent compliance with the SCCs; and
- The data importer must inform the data exporter of any inability to comply with the SCCs (for example because of national surveillance legislation), in which case the data exporter must suspend the transfer of data and/or terminate the contract with the importer.
In practice this strengthens the application of SCCs, as a genuine monitoring obligation now rests upon companies relying on SCCs to suspend or prohibit transfers where the SCCs cannot be complied with. This means that data exporters, usually acting as controllers of the personal data transferred, should perform more due diligence on data importers located in a Third Country whenever possible.
What about the use of SCCs for future transfers to the US?
With respect to transfers of personal data made to the US on the basis of the SCCs, since the CJEU found that US law does not ensure an essentially equivalent level of protection, whether entities can still transfer personal data in such circumstances will depend on the result of their case-by-case assessment, taking into account the circumstances of the transfers, and on the supplementary measures they can put in place. Following that case-by-case analysis, the supplementary measures, together with the SCCs, would have to ensure that US law does not impinge on the level of protection the SCCs guarantee.
TO DO IF YOU CURRENTLY RELY OR WANT TO RELY ON SCCs
- Check in your record of processing activities which transfers rely on SCCs.
- Implement an internal scheme providing additional monitoring of such transfers.
- Consider auditing your main data processors outside the EEA, notably to obtain confirmation from them that the law of their country does not prevent or impede the proper application of the SCCs by the processor.
Is there any alternative to SCCs?
Even though the validity of the SCCs has been confirmed, we have seen that there is still a level of uncertainty around their application, especially now that they are used as the legal safeguard justifying transfers to the US.
In addition, SCCs remain an incomplete set of tools, as they only cover transfers from EU controllers to non-EU controllers or non-EU processors and do not cover processor-to-sub-processor transfers.
Finally, the versions of the SCCs available on the website of the European Commission have not yet been updated following the entry into force of the GDPR more than two years ago and still refer to the old legislation.
Other solutions are available under the GDPR to validate international transfers of personal data, even if their practical application can sometimes prove to be tricky:
- Binding corporate rules are a viable solution for multinationals, but the approval process is lengthy and requires significant resources, which in practice is a major obstacle for SMEs and start-ups;
- Contractual necessity and consent of the data subjects are limited and rather uncertain options (contractual necessity is interpreted very narrowly, and the company would have to stop transferring data outside the EEA should the data subject refuse to give, or withdraw, his/her consent); and
- Codes of conduct and certification mechanisms have not yet been approved and cannot currently be used.
What about Brexit and transfers to the UK?
Another unexpected consequence of the CJEU's decision is that the many companies affected by Brexit that had recently decided to start relying on SCCs for their transfers from the EU to the UK should adapt their method of assessing reliance on SCCs and closely follow developments in this area so as to be able to (quickly) adapt their strategy in the very near future.