On July 16, 2020, the Court of Justice of the EU (“CJEU”) issued its decision in the Schrems II case. In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination. For a more in-depth summary of the CJEU’s decision, please see our blog post here and our audiocast here.
Now, almost two months after the decision, it is an opportune time for businesses to take stock of what exactly happened and assess the practical implications of the judgement. The result of this impact analysis may be underwhelming for some. So far, European regulators have been mostly silent (save a few exceptions[1]) and have not issued any actionable guidance to speak of. In all fairness, the obligations imposed by the CJEU’s judgement may be just as daunting for regulators to apply in practice as for businesses. As a result, companies and practitioners are left grappling with what exactly they should do in the aftermath of this decision.
In this blog post, we set out some recommendations for immediate and long-term actions that businesses may want to consider implementing. Note, however, that much depends on the nature of the personal data transfers concerned. As can be gleaned from the CJEU’s judgement, some transfers are more sensitive than others, and some sectors are more sensitive than others (in particular, the electronic communications sector). These risk-based considerations should inform how businesses prioritize remedial actions going forward.
Immediate actions
- The CJEU invalidated the EU-U.S. Privacy Shield with immediate effect. Companies that were Privacy Shield certified now have to take swift action to transition to a different transfer mechanism. While the Privacy Shield still exists as such, and apparently U.S. regulators continue to administer and enforce it (see our related alert here), it can no longer serve as a valid transfer mechanism for personal data originating in Europe. This aspect of the Schrems II decision also impacts companies that transfer personal data to service providers or other third-party controllers that relied on the Privacy Shield. These companies should swiftly assess their exposure and take immediate steps to remediate.
- The CJEU also imposed additional requirements on the use of SCCs. Companies should take stock of their contractual agreements that currently rely on SCCs (e.g., create an inventory, in case their records of processing operations do not already capture this) and identify the contracts that are most critical. We do not recommend making changes to SCCs that are already in place in the short term, because the European Commission is currently working to update the SCCs, meaning that companies will have to replace their existing SCCs anyway in the near future. We expect these updated SCCs to be published by the end of 2020, according to a statement by Commissioner Reynders in a meeting of the Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) of the European Parliament on September 3, 2020.
- For newly signed SCCs and those already in place, we also recommend that companies begin conducting “Transfer Impact Assessments”. Such assessments should cover the nature of the transfer and the potential risks in relation to the countries of destination concerned. These assessments will help in mid- and long-term remediation efforts for international transfers, by helping identify high-risk areas that may require quick intervention. We have developed materials to help clients with this exercise.
- Companies should also consider reinforcing the SCCs with additional provisions for strategic and/or high-risk transfers. This is certainly the case for SCCs being put in place now in the wake of Schrems II, but in some cases, additional measures may also be warranted for SCCs already in place. Technological protections, such as encryption, may contribute to the solution. In some cases, however, the risk of continuing to rely on SCCs as a transfer mechanism may be so high that the personal data involved should be brought back onshore, and stored or hosted locally in Europe.
- Companies relying on binding corporate rules (“BCRs”) should also undertake this same exercise. While the CJEU’s judgement focused on SCCs, its findings apply equally to transfers of personal data under BCRs.
Mid-Term Actions
- We expect regulators to soon issue more detailed guidance to assist companies making Transfer Impact Assessments, and also to clarify how they intend to apply and enforce the Schrems II judgement going forward.
- As indicated above, the European Commission is currently preparing a new set of SCCs that will take into account the GDPR standard of data protection. While it may be overly optimistic to expect the new SCCs to meet all the requirements imposed by the CJEU’s decision, many hope that the updated clauses will factor it in to the fullest extent possible, and perhaps offer additional (optional) clauses that could help data exporters satisfy the requirements articulated by the Court. In any case, as businesses will need to eventually replace their SCCs, this presents a good opportunity to leverage the results of Transfer Impact Assessments discussed above when negotiating new agreements.
- In addition, we expect an uptick in technological solutions, such as encryption, that are designed to protect personal data from interception and/or that require intervention from EU-based personnel in order to release or decrypt the data concerned. Such an intervention would likely require submitting a foreign data request to EU personnel, which may be a barrier substantial enough that the request is withdrawn.
Long-Term Actions
- In the long term, and as a result of Transfer Impact Assessments and the other actions discussed above, we expect that companies will increasingly question the need for international transfers of personal data originating in the EU, in light of the administrative burden and potential risks such transfers present. Consequently, we expect service providers to begin offering more solutions that do not require international transfers, such as local data storage and hosting facilities. That being said, given the broad definition of an “international transfer” and the potentially broad scope of foreign laws that may enable access to data, it may not always be possible to completely shield data from foreign intervention.
- Finally, we expect regulators, academics and service providers (including privacy technology vendors) to continue developing more refined and standardized tools to assist companies in assessing their transfers, so that duplication of efforts can be avoided.
[1] The European Data Protection Board issued an FAQ (see here) and one of the regional German supervisory authorities ventured into guidance (see here, in German).