Schrems II: Reaction from European Regulators and Technology Companies Suggest an Uncomfortable Road Ahead for Transatlantic Data Transfers

To recap, last week, the European Court of Justice (“ECJ”) ruled that the Privacy Shield is invalid and placed significant emphasis on the due diligence which exporting controllers, recipients and supervisory authorities are expected to undertake in relation to transfers of personal data to third countries which are governed by the Standard Contractual Clauses (“SCCs”).  As foreshadowed in our initial reaction to the Schrems II judgement, and now that we’ve had the benefit of the full judgement and initial commentary from some of the European regulators, the EDPB, and some of the big tech companies, the immediate future of transatlantic data transfers appears to be uncertain and commentary is divided on what is and isn’t possible in light of this new judgement.

Summary of practical impact

It is clear that there is still a lot of uncertainty regarding the judgment and its impact on businesses in Europe but there are some initial steps that organisations can take:

• Identify data transfers taking place in reliance on the Privacy Shield in order to be able to assess the scale of the initial impact on your organisation.
• Engage with identified third party data importers relying on Privacy Shield to plan next steps.
• Monitor reactions from your regulator. Some regulators (such as the ICO in the UK) are advising businesses to wait for further guidance rather than taking immediate action. Other regulators (such as the Berlin Data Protection Authority) are ordering organisations to repatriate data to the EU.
• Identify data transfers to the US taking place in reliance on the SCCs where a case by case verification exercise may be required.
• Monitor regulatory guidance with respect to SCCs, in particular, any guidance on the verification exercise to be undertaken by controllers and the additional steps to be taken by controllers when adequate protection cannot be achieved via contract.
• Identify other jurisdictions with significant surveillance regimes where data transfers relying on the SCCs could also require a verification exercise.

SCCs post Schrems II

It is clear from the ECJ’s judgement that whilst the SCCs are still considered valid, there is a renewed emphasis on strict compliance with their provisions, rather than simply a tick box exercise of ensuring they are in place between exporter and recipient.

Notably, the ECJ considers that:

• Controllers and processors are expected to verify, on a case-by-case basis, “whether the law of the third country of destination ensures adequate protection, under EU law”, both with respect to putting in place the SCCs and “where necessary, [by] additional safeguards to those offered by the clauses” (emphasis added);
• There is unfortunately no suggestion as to what those additional safeguards could look like but, where the exporting entity is unable to take adequate additional measures to guarantee the adequate protection of personal data, the exporting entity, or the relevant supervisory authority, is required to suspend the transfer. In particular, this will be the case where the law of the relevant third country imposes obligations on the recipient which are contrary to those of the SCCs, ie that those local law obligations are capable of “impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data”.

The ECJ has also conducted a fairly thorough analysis of the provisions of the SCCs themselves, and notes that:

• Clause 5(a) requires the recipient to promptly inform the exporting entity of any inability to comply with its obligations under the SCCs;
• Clause 5(b) requires the recipient to certify that it has no reason to believe that the legislation applicable to it prevents it from fulfilling its obligations under the SCCs; and
• Importantly (despite its location within the SCCs), the footnote to Clause 5 states that the exporter and recipient must satisfy themselves that the legislation of the third country enables the recipient to comply with the SCCs prior to any transfer and that “as regards that verification…the mandatory requirements of that legislation...do not go beyond what is necessary in a democratic society to safeguard…national security, defence and public security, [and] are not in contradiction with” the SCCs (emphasis added).

Crucially, the ECJ considers that US law goes beyond what is proportionate in this respect, given that law enforcement and other agencies are permitted to request and review vast quantities of data which have been exported to the US. It is therefore seems difficult to see how an exporting entity can rely on the SCCs to export data to certain US entities, given these clear statements from the ECJ.

Privacy Shield and the “Big Tech” Providers

For the ECJ’s reasons for finding that Privacy Shield is invalid, and therefore cannot be considered to be adequate for the purposes of Article 45 of the GDPR, see our previous post here.

Practically, following this invalidation, companies may consider seeking to rely on the SCCs, which in light of the ECJ’s comments on the surveillance of the US government and the enhanced focus on due diligence, may not prove a straight forward task.  That said, some of the “big tech” providers including Amazon and Microsoft have already issued statements saying that, with respect to the services they offer European customers, they will still be seeking to rely on the SCCs for data transfers to the US.

However, in light of the ECJ’s judgement and the subsequent reactions from many regulators, are these companies burying their heads in the sand because there’s no other immediate option?  Of course, it’s entirely open to the tech and cloud services providers to establish centres in the EU, and ensure that EU customer data is stored in these new centres, but that’s a costly option, and not one which can be set up overnight.

Reactions from the regulators

It is interesting to see the divergent opinions of the regulators who have already reacted to this judgement:

• Notably, Berlin’s data protection commissioner, has stated that following the decision, Berlin’s exporting controllers and processors must relocate their personal data from the US back to Europe. The commissioner’s view is that customers using cloud services, in particular, must reconsider their current exports and repatriate their data and that “now is the time for Europe’s digital independence”.
• The Hamburg data protection authority has criticised the decision and has stated that the ECJ should have gone further and invalidated the SCCs. The regulator’s further criticism of the decision is that it has now created further work for regulators.
• The Bavarian regulator has queried how exporting entities will be able to get timely and accurate information about the data protection legislation in the relevant third country. This aligns with concerns echoed in the data protection community about the level of due diligence exporting entities are expected to undertake, as we discussed when the Advocate General published his opinion.
• However, the ICO seems to have taken a different approach, at least in its initial commentary when it stated that it was still considering the judgement. The ICO also appears to be granting UK-regulated businesses a grace period when on its website it states “If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.”
• In Ireland, the Irish data protection commissioner has emphasised the practical issues coming out of this judgement and has stated that: “It is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis”

What is clear even from these initial statements, is that regulators are likely to take different approaches to transfers of personal data by way of the SCCs.  In this respect, the concern is that we could begin to see a fragmentation of approach from different regulators, which would further compound the issues for multinational entities operating in a number of European jurisdictions.  We could end up with a series of “shadow adequate” jurisdictions which regulators consider adequately protect personal data, and so the SCCs remain a valid method transfer to those countries.  However, it is possible that such lists will differ from regulator to regulator, again causing practical complexities.

In this respect, the ECJ has noted that Article 64(2) gives supervisory authorities the possibility of referring a question of whether transfers to a specific third country must be prohibited to the EDPB.  The EDPB would then be entitled to issue a binding opinion on this question, and would thereby be able to maintain a consistent approach across supervisory authorities.  However, in practice, this seems to be a very onerous – and very political – task to give to the EDPB.

 An idealistic but commercially unrealistic judgement?

In light of the above, we find ourselves wondering whether the ECJ has handed down a judgement that, whilst advancing the protection of personal data, presents a very real, commercial issue for customers and tech providers alike. For those companies who are regulated by regulators such as the Berlin data protection authority, the direction of travel is clear: re-patriate your data to the EU – and do so quickly.  It is clear that the tech providers have chosen to continue on the basis for the SCCs for the moment, but it will be interesting to watch their next steps and whether they make any strategic moves in response to this judgement, and possibly also in response to changing customer demands.

The political angle?

It’s no secret that the EU has long wanted to produce a tech giant of its own, and to entice EU entities to bring their data home, and the recent EU data strategy made this ambition clear.  So it’s interesting to note that the ECJ has, in this judgement, made it more likely that EU companies will have to bring their data home, or at least think long and hard about sending it to the American tech giants.  Politically, it would be a significant shift if it was agreed that European entities couldn’t lawfully transfer personal data to the United States, and so it seems likely that a new version of Privacy Shield will be developed.  However, it is difficult to see how any new arrangement can overcome the issues relating to mass surveillance and law enforcement intervention that the ECJ has raised.

Finally, it will be interesting to see what, if any, similar comments are made in the course of the adequacy discussions in relation the UK’s ability to intercept and survey data.  Previous comments have expressed a degree of concern at the UK’s powers in this area, and it seems likely that this judgement will only cement any such concerns.

So what next?

It’s too early to tell what the full impact of this judgement will be – but it’s clear that there is likely to be a fairly significant one. Given that the ECJ has now struck down both Safe Harbor and Privacy Shield, it seems clear that it is looking for equivalence with EU data protection legislation before permitting data transfers to third countries.  Does this mean that we essentially need to wait for the US to implement a GDPR standard federal privacy law before companies can comfortably transfer their data across the Atlantic?  If so, given the slow progress in the US towards a federal data privacy law, that could leave European entities in a difficult situation for a long time.

As we continue to monitor the reaction to the Schrems II judgement, it will be interesting to see how the reaction from the regulators who, as yet, have not commented develops, and also to see if the fears of fragmentation and a “shadow adequacy” list come true.