There has been much talk recently within the media and industry of the impact on data protection rules since the announcement of the Schrems II judgment, but what is this case and how might it affect us?
The position to date
Data transfers to countries outside of the EU and EEA that are not accepted as being adequate in terms of data protection are only lawful if additional means of protection are applied to such transfers. For data transfers into the US, the EU-US privacy shield has been important to enable thousands of companies to freely transfer data between the EU and the US as part of their business operations. Essentially the privacy shield is a commitment by US data importers to comply with certain EU data protection rules, with compliance supervised by the US Federal Trade Commission.
In a recent case known as Schrems II (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems), the European Court of Justice (ECJ) has held that the EU-US privacy shield does not provide sufficient protection and is invalid with immediate effect. As one can imagine, this has caused significant concern amongst data protection authorities and companies alike as to how international data transfer can be effected lawfully in the future.
Schrems II concerns transfers of personal data of an Austrian individual, Mr Maximillian Schrems, by Facebook Ireland to Facebook US. In a previous case known as Schrems I, the ECJ invalidated the previous EU-US safe harbor rules stating that there is no proper balancing between national security and privacy interests in the US and that there are no sufficient legal remedies available to EU citizens if safe harbor rules are breached. After the invalidation of the safe harbor rules, the EU and the US entered into a new deal - hence the EU-US privacy shield.
Mr Schrems has now claimed that Facebook Ireland is still not entitled to transfer his data to Facebook US, arguing that the privacy shield is an insufficient means to ensure that his personal data is properly protected in the US, bearing in mind the practices of the US intelligence services. The ECJ has concluded that US law does not set out limitations on the powers of the intelligence services and does not give data subjects actionable rights before US courts or the ombudsperson, and so cannot ensure a level of protection essentially equivalent to that guaranteed by the EU Charter.
On 24 July 2020, the European Data Protection Board (EDPB) published its initial interpretation of Schrems II, which deals with some important questions but fails to address the consequences of the ECJ’s judgment.
The EDPB confirms that privacy shield-based transfers need to be immediately based on other means without a grace period and that the alternative method of compliance (ie by way of Standard Contractual Clauses or SCCs) can continue to be used. However, data exporters need to evaluate each individual transfer based on SCCs in light of Schrems II. A transfer must be stopped or notified to the competent authority if a data exporter comes to the conclusion that the transferred data will not be adequately protected by the data importer.
This means that if you are currently transferring data out of the EU, you should:
- Identify any elements of the personal data that you control or process that are subject to transfers into countries without adequate protection.
- Use alternative means to cover transfers based on the privacy shield; in case of doubt, this will be SCCs.
- Evaluate whether additional means of protection can be applied to transfers - such as technical means (eg encryption, anonymisation or pseudonymisation) or legal means (such as the use of consent).
- If additional means can be undertaken with reasonable efforts, carry this out immediately.
- Ask any suppliers to which you are transferring data for assistance in considering these issues.
- Communicate with interested customers the steps being undertaken in light of Schrems II.
In today’s global markets, companies will not stop doing data-based business or limit it to only arrangements where additional technical or legal means have been applied. Therefore, it is likely to be the data protection authorities and national courts which will have the responsibility for interpreting Schrems II in a balanced and constructive way for all stakeholders involved, from the large multinational company to each individual. Whilst there is no doubt that international data transfers must and will continue, the conditions have become extremely uncertain.