The recent Schrems II decision by the Court of Justice of the European Union found that the EU-U.S. Privacy Shield is invalid. TrustArc’s Paul Breitbarth offers guidance for companies on how to maintain compliance going forward.
Thousands of businesses regularly transfer personal data between EU countries and the U.S. The Privacy Shield agreement governed those transfers, but in July, the Court of Justice of the European Union (CJEU) invalidated the agreement in what is colloquially known as the Schrems II case. Schrems II also forced the court to examine standard contractual clauses (SCCs), another mechanism for transferring personal data between the U.S. and the EU. Organizations are now left with more questions than answers when it comes to the international transfer of personal data.
What is Schrems II and why does it matter?
For commercial data privacy, the fact that Privacy Shield is no longer valid is important. However, its invalidation was collateral damage from the two legal cases that bear privacy advocate Maximilian Schrems’ name. The Schrems cases were about data transfers, specifically from EU member states to the U.S., by a large technology organization.
The latest ruling represents the Irish Data Protection Commissioner’s (DPC) mandate that the organization cease data transfers from the EU to the U.S. For technology companies with business models of selling advertising space based on customer data, the ruling is a potential blow to their operations.
That’s a fact that seems to have escaped many businesses as they prepared to comply with data privacy regulations, namely GDPR. The monetary penalty that befalls a company may not be the worst consequence of noncompliance. In fact, as the Schrems II ruling shows, regulators may even halt businesses from exporting data from Europe altogether.
Be Prepared for Sudden Changes to Data Transfer Laws
Schrems II clarified that eventually there will be a decision that restricts continuous data flows to the U.S. unless there are changes to surveillance laws in the country. Technology companies (and others that leverage customer data as part of their business model) should by now be working on a backup plan for potential restrictions.
The bad news is threefold:
- As part of the Schrems II decision, it’s up to the data protection authorities in the individual countries to enforce the law, as the Irish DPC is expected to do.
- The data transfer workarounds companies attempt to implement are going to be clunkier than they want: There is no one-size-fits-all solution at the moment.
- Some of these workarounds may even be invalid themselves.
Understand Mechanisms for Compliance
The best approach companies can take is to understand the data transfer mechanisms that may be in play and how to use them. Without an agreement such as Privacy Shield in place, there is no adequacy decision that validates data transfers between companies in the EU and those in the U.S. Instead, organizations must turn to other options, such as SCCs and binding corporate rules (BCRs).
It’s important to remember that while the focus of Schrems II analysis has been on data transfers between the EU and U.S., companies must also address data transfers from the EU to the rest of the world. Ninety-two countries have international data transfer requirements, many of which differ from one another. Furthermore, there are 168 countries that are not members of the EU. Some of these countries have strong privacy laws and limited surveillance laws, and some have adequacy decisions, but most do not.
In effect, companies that wish to transfer data from an EU member state to another country must assess the regulations and adequacy decisions of each country and whether SCCs, BCRs or other mechanisms are still sufficient.
Binding corporate rules govern an entity or group of entities. They apply to data transfers within one entity or group of entities. BCRs do not apply to data transfers between two different entities, however. These contracts wouldn’t necessarily protect against government interference and companies may still have to implement additional safeguards depending on the country in question.
Standard contractual clauses apply on a per-contract basis. Every time an organization enters into an agreement to transfer data to another organization, it must fill out an SCC and the adjoining annex. An SCC annex describes the data the organizations will send to one another. The typical problem with SCCs is that many organizations do not read the entire contract or fill out the annexes. If these annexes aren’t filled out, neither company is compliant.
Furthermore, following the Schrems II case, an additional annex will need to be prepared, spelling out extra safeguards of an operational, technical and legal nature that will help to protect transferred data against the risk of government interference. What these safeguards could be also depends on the volume and nature of the data. Specific regulator guidance on this point is expected in the coming weeks and months.
Take a Proactive Approach to Changing Privacy Regulations
Ideally, the European Data Protection Board (EDPB) would assess the most relevant economies for international data transfers and recommend what safeguards could be put in place for those transfers. As long as such assessments have not been published, the privacy industry must take it upon itself to devise mechanisms for valid data transfers so that some standardization exists. Without EDPB-recommended safeguards or an industry standard in place, it will be nearly impossible for companies without the adequate resources to make assessments of every country’s data privacy laws.
In the meantime, organizations can help themselves prepare for the eventual decision by:
- Reviewing their international data flows and starting the case-by-case assessment on what additional measures might be needed to protect the data against government interference.
- Reviewing their data-processing agreements and ensuring that, where relevant, SCCs are attached, filled out and signed.
- Reviewing the revised draft SCCs once they become available (likely early October) and taking part in the stakeholder consultation. Once the European Commission finalizes and approves these new SCCs, organizations must work with the updated clauses as is.
- Reviewing the European Data Protection Board’s data controller/processor guidelines. These guidelines are still open for feedback until October 19.
- Finding technology that can automate privacy law assessments. No matter what the European court decides, organizations must be responsible for understanding their data privacy risks and how those risks pertain to different international laws.