On 16 July, 2020, the Court of Justice of the EU (“CJEU”), issued its decision in the Schrems II case.  In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination.  For a more in-depth summary of the CJEU’s decision, please see our blog post here and our audiocast here.

Now, almost two months after the decision, it is an opportune time for businesses to take stock of what exactly happened and assess the practical implications of the judgement.  The result of this impact analysis may be underwhelming for some.  So far, European regulators have been mostly silent (save a few exceptions[1]) and have not issued any actionable guidance to speak of.  In all fairness, the obligations imposed by the CJEU’s judgement may be just as daunting for regulators to apply in practice as for businesses.  As a result, companies and practitioners are left grappling with what exactly they should do in the aftermath of this decision.

In this blog post, we set out some recommendations for immediate and long-term actions that businesses may want to consider implementing.  Note, however, that much depends on the nature of the personal data transfers concerned.  As can be gleaned from the CJEU’s judgement, some transfers are more sensitive than others, and some sectors are more sensitive than others (in particular, the electronic communications sector).  These risk-based considerations should inform how businesses prioritize remedial actions going forward.

Immediate actions

  • The CJEU invalidated the EU-U.S. Privacy Shield with immediate effect. Companies that were Privacy Shield certified now have to take swift action to transition to a different transfer mechanism.  While the Privacy Shield still exists as such, and apparently U.S. regulators continue to administer and enforce it (see our related alert here), it can no longer serve as a valid transfer mechanism for personal data originating in Europe.  This aspect of the Schrems II decision also impacts companies that transfer personal data to service providers or other third-party controllers that relied on the Privacy Shield.  These companies should swiftly assess their exposure and take immediate steps to remediate.
  • The CJEU also imposed additional requirements on the use of SCCs. Companies should take stock of their contractual agreements that currently rely on SCCs (e.g., create an inventory, in case their records of processing operations do not already capture this) and identify the contracts that are most critical.  We do not recommend making changes to SCCs that are already in place in the short term, because the European Commission is currently working to update the SCCs, meaning that companies will have to replace their existing SCCs anyway in the near future.  We expect these updated SCCs to be published by the end of 2020, according to a statement by Commissioner Reynders in a meeting of the Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) of the European Parliament on September 3, 2020.
  • For newly signed SCCs and those already in place, we also recommend that companies begin conducting “Transfer Impact Assessments”. Such assessments should cover the nature of the transfer and the potential risks in relation to the countries of destination concerned.  These assessments will help in mid- and long-term remediation efforts for international transfers, by helping identify high-risk areas that may require quick intervention.  We have developed materials to help clients with this exercise.
  • Companies should also consider reinforcing the SCCs with additional provisions for strategic and/or high-risk transfers. This is certainly the case for SCCs being put in place now in the wake of Schrems II, but in some cases, additional measures may also be warranted for SCCs already in place.  Technological protections, such as encryption, may contribute to the solution.  In some cases, however, the risk of continuing to rely on SCCs as a transfer mechanism may be so high that the personal data involved should be brought back onshore, and stored or hosted locally in Europe.
  • Companies relying on binding corporate rules (“BCRs”) should also undertake this same exercise. While the CJEU’s judgement focused on SCCs, its findings apply equally to transfers of personal data under BCRs.

Mid-Term Actions

  • We expect regulators to soon issue more detailed guidance to assist companies making Transfer Impact Assessments, and also to clarify how they intend to apply and enforce the Schrems II judgement going forward.
  • As indicated above, the European Commission is currently preparing a new set of SCCs that will take into account the GDPR standard of data protection. While it may be overly optimistic to expect the new SCCs to meet all the requirements imposed by the CJEU’s decision, many hope that the updated clauses will factor it in to the fullest extent possible, and perhaps offer additional (optional) clauses that could help data exporters satisfy the requirements articulated by the Court.  In any case, as businesses will need to eventually replace their SCCs, this presents a good opportunity to leverage the results of Transfer Impact Assessments discussed above when negotiating new agreements.
  • In addition, we expect an uptake in technological solutions, such as encryption, that are designed to protect personal data from interception and/or that require intervention from EU-based personnel in order to release or decrypt the data concerned. Such an intervention would likely require submitting a foreign data request to EU personnel, which may be a substantial enough barrier for the request to be withdrawn.

Long-Term Actions

  • In the long term, and as a result of Transfer Impact Assessments and the other actions discussed above, we expect that companies will increasingly question the need for international transfers of personal data originating in the EU, in light of the administrative burden and potential risks such transfers present. Consequently, we expect service providers to begin offering more solutions that do not require international transfers, such as local data storage and hosting facilities.  That being said, given the broad definition of an “international transfer” and the potentially broad scope of foreign laws that may enable access to data, it may not always be possible to completely shield data from foreign intervention.
  • Finally, we expect regulators, academics and service providers (including privacy technology vendors) to continue developing more refined and standardized tools to assist companies in assessing their transfers, so that duplication of efforts can be avoided.

[1] The European Data Protection Board issued an FAQ (see here) and one of the regional German supervisory authorities ventured into guidance (see here, in German).

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.