On 16 July 2020, the Court of Justice of the European Union issued the expected decision on the preliminary ruling in the case known as Schrems II (C-311/18) which deemed the Privacy Shield instrument invalid, with immediate effect and clarified some aspects regarding the scope of the standard clauses adopted by the EU Commission on foreign transfers of personal data (so-called “SCC”).
After 5 years from the decision that invalidated the “Safe Harbor” (C-362/14, “Schrems I”), it is now up to his successor and, in the meanwhile, the Court has also rejected with his opinion a proposal for an international agreement for transfers of air passenger data to Canada.
Operational impacts and FAQ
Can transfers of personal data to the USA, currently based on the Privacy Shield, continue?
The invalidity judgment of the Privacy Shield is with immediate effect. A new basis for legitimacy for these transfers needs to be found.
Can SCCs be used, as an alternative to the Privacy Shield, to legitimize data transfers to the USA?
It is necessary to check whether the data importer can be subject to interference by the US public authority for reasons of national security, administration of justice or other public interest purposes:
- if so, the SCCs alone do not represent an adequate safeguard but must be integrated with additional guarantees (such as when the data importer is a TelCo or an electronic communications service provider – subject to the Foreign Intelligence Surveillance Act (FISA) which allows US security authorities to access personal data without the need for authorization from the judge or companies that use telecommunications provider services (e.g. cloud services) or, finally, if the transmitted data are not sufficiently encrypted, as potentially monitored during the passage through transatlantic cables, based on US Executive Order 12,333);
- if not, the SCCs may legitimize the transfer of EU-US personal data.
What should be done now operationally?
For data transfers from the EU to the USA under the aegis of the Privacy Shield, as mentioned, companies must identify as soon as possible a different basis of legitimacy, which may also be the use of the SCC, within the limits and under the conditions indicated in the previous FAQ .
For all other transfers based on the SCCs (and also probably with regard to the BCRs) it will be necessary to carry out the adequacy assessment, case by case, as indicated in the following FAQ.
How can we continue to use SCCs as “adequate guarantees” in light of the “Schrems II” decision?
Data controllers and processors will have to assess, case by case and prior to the transfer, whether the destination country’s legal regime allows authorized interference by the local public authorities with personal data transmitted by the EU, for that specific transfer and without “adequate guarantees” (ie , in a non-limited manner and without data subjects having effective and enforceable rights). If yes, additional guarantees or other safeguard measures will have to be identified (§181).
What are the additional guarantees to be eventually integrated into the SCCs?
It seems doubtful that the additional guarantees could be of a contractual nature (despite Recital 109, mentioning “the addition of other clauses and additional safeguards”, as reported in paragraph 132 CJEU), given that they do not bind third parties and public authorities in the country of destination; the European Committee (EDPB) announced in its statement that it will shortly issue guidelines on the use of tools for data transfer to third countries based on the decision. In addition, the EU Commission is proceeding with the modernization of the SCCs, adopted in accordance with Directive 95/46 / EC, to adapt them to the new GDPR regime; the Commission has stated that in doing so it will take into account the Court’s ruling. On this basis, the decision on modernized SCCs can be expected to exceed the limits found in the current version of the Schrems II case.
What happens if you continue to use the SCCs without carrying out the adequacy assessment on a case-by-case basis?
If the supervisory authority becomes aware of it and believes that the guarantees contained in the SCC are not adopted or cannot be adopted in the country of destination, the authority can suspend or prohibit the transfer and consider the controller or processor guilty of violation of the Article 46 GDPR (paragraph 113 of Schrems II). Therefore, a “new” accountability front opens for controllers and processors for which companies and internal departments are not equipped, having no expertise, as a rule, in the field of third-contry legal systems.
What other safeguards can be used if an adequacy decision is missing and SCCs cannot be adopted?
In the transitional period, before the release of guidelines by EDPB and supervisory authorities or the new version of SCC adopted by the Commission, it is possible to resort to the derogating measures (for example, the consent of the data subject) provided for in article 49 GDPR, recalling that according to EDPB guidelines 2/2018, these measures may be used on a case-by-case basis and only for occasional and non-massive data transfers.ù
Can Schrems II have impacts on international trade?
The decision on the Schrems II case has certainly created a vacuum in international trade practice which must be filled as soon as possible with the identification of a “dictionary” of the impact of adequacy in the various countries and with the identification of supplementary measures to the SCC . There are areas of the globe to which all the safeguard measures currently available to legitimize the transfers of personal data seem impractical, such as those towards undemocratic countries or where the rule of law does not exist or to which the problem of authorized interference by law enforcement authorities and national security services arises again (in a non-proportionate, unlimited and without guarantees for data subjects). Finally, it cannot be excluded that Schrems II will also have an impact on future Brexit negotiations for the possible adequacy decision of the personal data protection regime present in the United Kingdom which, now, seems less obvious.
What can be expected for US-EU data flows in the near future?
After the second failure of the US-EU agreement on transfers of personal data, it does not seem realistic to consider the option of a corrective solution that could resolve the defects of the agreement found by the CJEU. Equally unlikely it seems a third new agreement between the Commission and the US Department of Commerce along the same lines as the previous two. With Schrems II, the Commission has new guidelines to take into consideration in the process of adopting implementing decisions on the adequacy of personal data protection regimes: the current regulatory bodies of the USA and EU conflict in certain relevant points, which are difficult to resolve. Probably it will be necessary to make creative use of new tools not yet used but identified by the GDPR, such as codes of conduct and certifications.
In the meantime, some supervisory authorities have already take action,
- The DPA of Berlin, officially requesting that European personal data currently stored on US territory be relocated to service providers established in the EU; this indication seems provisional not constituting a generally practicable solution;
- The DPA of Rhineland-Palatinate, inviting the owners to update the information issued pursuant to articles 13 and 14 of the GDPR and to suspend the transfer or terminate the contract if a “substantially equivalent” level of protection cannot be guaranteed in the third country of reference.
What implications for Supervisory Authorities?
The competent supervisory authority “is in any case required to fulfill its task of supervising full compliance with the GDPR with all the diligence required” (paragraph 112). When it “considers that transfers of data to a third country should, in general, be prohibited, (it may) apply to the European Data Protection Board (EDPB), which may, pursuant to Article 65 (1) (c) of the same regulation, adopt a binding decision.”
U.S. Department of Commerce: https://www.privacyshield.gov/Program-Overview e https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and
EU Commission, press release: https://ec.europa.eu/commission/presscorner/detail/en/statement_20_1366