5 Steps To Secure Global Data Flows post Schrems II
For the second time in five years, a Court of Justice of the European Union (CJEU) ruling on international data flows is making big waves on both sides of the Atlantic.
At the heart of European data protection law is a guarantee that the privacy rights of citizens travel with their personal information when it moves overseas. To safeguard these rights, European lawmakers have developed a series of legal mechanisms that allow organizations transferring data for business purposes to provide adequate privacy protections for that information. On July 16, the CJEU’s “Schrems II” decision reviewed two of the most popular data mechanisms used by companies to transfer data out of Europe, ultimately striking down the validity of the EU-U.S. Privacy Shield Framework, while finding that Standard Contractual Clauses (SCCs) remain valid, subject to certain caveats.
The bottom line for companies is that the Schrems II decision creates immediate legal uncertainty for thousands of organizations and their business partners participating in transatlantic commerce. In the modern digital economy, unencumbered data flows are vital to trade, innovation and economic prosperity on both sides of the Atlantic. The Internet is inherently global, and companies both within and beyond the digital sector engage with customers, maintain data servers, process information, and contract with service providers across borders. Data flows facilitate development and deployment of digital services such as mobile apps, websites, and cloud-based software, as well as companies’ routine use of daily business data such as payroll and HR information and customer service requests. Digital services kept our economies open for business during recent lock-downs. But without sustainable mechanisms for transferring data abroad, small firms may be severed from their global supply chains, while others may be forced to exit markets entirely.
In complying with the Court’s decision in Schrems II, companies will look to policymakers to take the following steps to secure the availability of sustainable data transfer tools.
1. Minimize Economic Disruption While Transitioning to New Transfer Instruments
The immediate impacts of the CJEU’s decision are significant. Over 5,300 companies, the majority of which are small and medium-sized entities, rely on Privacy Shield to transfer data from the EU to the United States. The CJEU’s decision to invalidate Privacy Shield puts these organizations in legal limbo, and will require them to transition to alternative (frequently complex) legal mechanisms for their routine business data transfers.
For many participants in the transatlantic economy this is an unpleasant déjà vu. In October 2015, the CJEU struck down Privacy Shield’s predecessor, the Safe Harbor framework, on related concerns. In response, European Data Protection Authorities acted in concert to establish a three-month enforcement moratorium to allow companies to transition to new data transfer mechanisms and for EU and U.S. policymakers to negotiate a stronger transfer framework. In order to provide certainty for organizations transitioning to new transfer mechanisms without costly disruptions to transatlantic data flows, enforcement authorities should again take a flexible approach by delaying enforcement for companies that have relied on Privacy Shield to participate in transatlantic commerce.
2. Guidance on Standard Contractual Clauses
The CJEU also reviewed Standard Contractual Clauses, which are European Commission-approved model contractual terms that have become a popular mechanism for transferring data globally. The Court’s judgment found that SCCs remain a valid transfer mechanism, but included additional criteria that businesses must review closely. In short, the Court held that companies must verify, on a case-by-case basis, whether a recipient jurisdiction provides adequate protections for data transferred pursuant to an SCC. In certain cases, organizations transferring data may be required to provide “additional safeguards” to ensure appropriate privacy protections.
Making the types of determinations envisioned by the Court for recipient jurisdictions across the globe will be a considerable challenge for businesses. For starters, the CJEU was silent as to what the “additional safeguards” for SCCs are likely to entail. This difficulty will be compounded if the various European enforcement authorities begin developing their own views and guidance on business responsibilities for ensuring SCC adequacy. The publication of consistent, EU-level guidance on SCCs post-Schrems II would be valuable for businesses reviewing their legal bases for transfers. Continental regulators such as the European Data Protection Board (EDPB) may consider providing guidance on specific supplemental safeguards including: (1) encryption and other technical measures to protect data in transit and at rest, (2) transparency reports on law enforcement data access requests, and (3) assessments of whether the specific data categories at issue may be subject to government access requests.
3. Clarity on ‘Derogations’
The business community will also look to the 27 European privacy regulators for consistent guidance on data transfers based on an individual’s consent, on the necessity of concluding or performing a contract, or on a company’s “compelling legitimate interest” (the so-called Article 49 derogations). The good news is that companies are not starting from scratch here: the EDPB has already published its advice for companies on using these alternative tools. The bad news is that there is a notable discrepancy about the scale of data transfers permitted under these derogations between the EDPB’s extensive but restrictive advice and the picture that the EU Court of Justice painted in its decision.
When the Court of Justice struck down Privacy Shield, it briefly argued that it is “appropriate” to do so since the derogations in Article 49 prevent “a legal vacuum” and would mitigate the “effects” of the invalidation of an adequacy decision. While the Court recognizes that these derogations have their own conditions, it seems to imply that an individual’s consent, a contract with a company, or any of the other derogations is “appropriate” and therefore capable of replacing an adequacy decision that supports today’s massive data flows between the EU and the U.S. or any other jurisdiction. On the other hand, the EDPB argues that these “derogations must be interpreted restrictively so that the exception does not become the rule (…) and can only be used for specific situations.” That is why, up until now, the vast majority of companies have not used these derogations to transfer EU personal data outside Europe, and certainly not at the scale that an adequacy decision allows. Clarifications would be very helpful.
4. Alternative Transfer Tools
It is one thing to clarify existing transfer tools; it is another to develop new ones. Now more than ever, companies need more tools to transfer data outside the EU, not fewer.
In practice, most companies can only really use the same two data transfer instruments that they were using before the GDPR era, namely SCCs and adequacy decisions. As we pointed out before, two years after the GDPR came into effect, alternative instruments are either too slow, too expensive, or nonexistent. The fact is that most data protection authorities simply do not have enough staff and funding to support the development of new data transfer tools. There is now an urgent need for Member States to increase the budgets of their authorities, and for data protection authorities to prioritize the alternative data transfer mechanisms provided for in the GDPR, such as codes of conduct and certifications.
5. Establish a new Transatlantic Transfer Framework
Above all, the European Union and the United States need a long-term sustainable solution to dissipate any further legal uncertainty for cross-border data transfers. It is clear from last week’s decision that an adequacy decision that can pass the test of the Court of Justice would lift much of the pressure on any other alternative data transfer mechanisms. On a positive note, the Court of Justice provides the European Commission and its U.S. counterparts with guidance as to what a future adequacy decision could look like. Both the EU Commission and the U.S. Administration have already committed to seek a bilateral solution. This would be helpful for the thousands of European, U.S., and international companies doing business on both sides of the Atlantic.