In Facebook Ireland Ltd. v. Maximillian Schrems (Schrems II) (July 16, 2020), the European Court of Justice (CJEU) invalidated the Privacy Shield, a widely-used method to transfer personal data from the EU to the US. The decision also put other data transfer mechanisms—Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCRs)—into significant doubt. The court’s concern was the deficiency of the US law’s regulation of government surveillance, and this concern is difficult to fix with better contracts or stricter binding rules. The decision has thus left great uncertainty about how most forms of personal data transfer can occur from the EU to the US.
I had the opportunity to discuss Schrems II with Wim Nauwelaerts, a partner in the Brussels office, leading Alston & Bird’s European Privacy & Data Security Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.
Wim wrote a very insightful article about the implications and aftermath of Schrems II. In the interview that follows, I ask him questions about some points from his article as well as many questions that go beyond. We discuss directly the possibilities and strategies for how data transfers can continue in a post-Schrems II world.
SOLOVE: Schrems II allows the SCCs and BCRs to survive in theory, but in practice, how can they survive?
NAUWELAERTS: It is essential that the SCCs and BCRs survive because they were specifically designed to transfer personal data outside of the EEA, to recipients in countries where the (privacy) laws do not ensure an adequate level of protection. That is their raison d’être! At this point in time, the SCCs and BCRs are the only data transfer tools in the GDPR that are at the same time effective and practical, allowing companies to maintain the necessary flow of personal data between the EEA and third countries without unnecessary burdens. And so far the CJEU has not questioned their validity. However, in Schrems II the CJEU did emphasize that in order to use SCCs and BCRs companies will have to assure themselves that the level of protection offered by the SCCs/BCRs is not undermined by the third country’s laws, in particular by mandatory requirements enabling public authorities in the third country to access data held by local companies. If these requirements go beyond what is considered necessary in a democratic society (for example, in the interests of national security and public safety), companies may have to consider implementing supplementary measures in order to mitigate the governmental interference.
SOLOVE: The Court of Justice of the EU (CJEU) says that supplementary measures can make a transfer possible, but there still isn’t guidance about what kinds of supplementary measures would work. What are your thoughts about this?
NAUWELAERTS: Shortly after the Schrems II decision, the European Data Protection Board (EDPB) promised to publish further guidance on the topic, but it is unclear when that will be available. In the meantime, the supervisory authority for the German state of Baden-Württemberg has come out with its own views on what types of supplementary measures may be needed. The supervisory authority seems to suggest that companies should amend the SCCs if they want to use them to send data to the US, for example, to make the clauses more robust. It is an interesting thought, but one that is difficult to marry with the requirement in the SCCs that the clauses should not be modified (at least not without approval from the supervisory authorities). With so much depending on the concept of “supplementary measures”, it will be crucial to have clear and coherent guidance from the EDPB.
SOLOVE: The main failing of US law in Schrems II was based on its lack of adequate regulation and redress regarding government surveillance. What kinds of measures can companies take regarding government surveillance? Stronger contracts and added protections can bind companies, but what can constrain the government? Is there a way for the SCC and BCRs to survive without some way of limiting a foreign government’s ability to access the data?
NAUWELAERTS: It is important to keep in mind that the failing of US law that you refer to was raised in the specific context of the EU-US Privacy Shield. In the eyes of the CJEU, the European Commission had failed to properly assess whether the US ensures an adequate level of protection for personal data transferred under the Privacy Shield. The European Commission’s adequacy decision did not cover the entire US legal system, but only the “safe harbor” created by the EU-U.S. Privacy Shield. As far as government surveillance is concerned, technical protections (such as encryption) as well as organizational measures can make it harder for foreign governments to access the data that companies hold. In its upcoming guidance, the EDPB will likely encourage the implementation of these types of measures. However, it is unrealistic to expect that these measures will completely eliminate the possibility of data access by public authorities, and the supervisory authorities in Europe have recognized this. They have accepted that intelligence gathering can be a perfectly legitimate aim to process personal data – even if it includes the use of secret surveillance measures – as long as adequate and effective guarantees against abuse are in place.
SOLOVE: What do you advise companies to do in light of Schrems II? Do you have a short term and long term strategy that you recommend?
NAUWELAERTS: First of all, they should closely monitor the regulatory developments in this area. As already mentioned, the EDPB is expected to issue further guidance on supplementary measures in the near future. The European Commission has been developing alternative sets of SCCs – which might replace the “old” SCCs – but has not indicated when they might be launched. Also, there is a possibility that at some point the European Commission and its US counterparts join forces again to develop a new (and improved) framework for transfers of personal data from the EEA to the US.
In any event, companies that are transferring personal data outside of the EEA should assess, on a case-by-case basis, whether the effectiveness of the SCCs in concrete transfer scenarios can be guaranteed. In doing so, they should take into account the impact of the laws that apply to the data importer in the country of destination. To put it in different terms, EEA-based data exporters relying on the SCCs will need to be able to demonstrate that they have carefully assessed the risks associated with the transfer of personal data via the SCCs. Such a “transfer impact assessment” should provide solid legal arguments for the (continued) use of the SCCs. Without it, companies run the risk of having their data transfers challenged by the supervisory authorities.
SOLOVE: Will using the GDPR Article 49 derogations (such as consent) be a workable way to transfer data?
NAUWELAERTS: Relying on Article 49 derogations does not appear to be a viable option for the majority of data transfers outside of the EEA. According to guidance from the EDPB that pre-dates the Schrems II case, the derogations can be used in exceptional circumstances only, and provided that stringent conditions are met. As a result, the derogations are not suited to replace the SCCs in situations where there are frequent and large-scale data flows (for example, in the context of intra-group data transfers). So far there has been no indication that the EDPB or individual supervisory authorities will allow more flexible use of the Article 49 derogations in light of Schrems II.
SOLOVE: How are data transfers continuing after Schrems II? Shouldn’t most data transfers to the US have stopped? How are US companies continuing to do business in the EU?
NAUWELAERTS: In Schrems II the CJEU invalidated the Privacy Shield decision; it did not suggest that all data transfers to the US should be stopped. The CJEU also confirmed that there was no reason to question the validity of the SCCs as a data transfer tool. This means that it should still be possible to use the SCCs to transfer data outside of the EEA, including to the US, on condition that a transfer impact assessment is conducted and the outcome of the assessment is positive. As the CJEU explained, this assessment requires companies to verify, on a case-by-case basis, whether adequate protection of personal data pursuant to the SCCs is ensured in the country of destination. Some companies receiving personal data in the US may find it more difficult than others to conclude that there is adequate protection under the SCCs. But that doesn’t mean that all US companies should be tarred with the same brush.
SOLOVE: What are the implications for the law of other countries? The opinion implies that data transfers to any foreign country with similar weaknesses in the regulation of government surveillance will be affected. Are data transfers to other countries starting to halt? If so, which countries are being affected?
NAUWELAERTS: The CJEU’s ruling in Schrems II does not affect EU-US data transfer only. Companies that use the SCCs or BCRs to transfer personal data to any country outside the EEA are subject to the same assessment obligation. Conducting the required foreign law assessment will be challenging in those jurisdictions where data access by public authorities is not regulated in a transparent way or where the regulatory landscape is complex and uncertain. Also, against the backdrop of Schrems II, it is hard to see how companies can use the SCCs to transfer personal data to recipients in communist or dictatorial countries. Since the assessment test developed in EU case law is that public authority interference should not go beyond what is “necessary in a democratic society”, transfers to countries without a democratic foundation appear to be off-limits.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy+Security Forum (Oct. 21-23, 2020), an annual event designed for seasoned professionals.