Data transfers demand due diligence after 'Schrems II'

The Court of Justice of the EU (CJEU) ruled last month to invalidate a European Commission decision that adopted the EU-US Privacy Shield – a framework set up to help businesses transfer personal data across the Atlantic in a way which complies with the requirements of EU data protection law. EU data protection regulators have subsequently confirmed that there is no grace period for businesses to move away from relying on the Privacy Shield for compliance on EU-US data transfers.

Even more significantly, however, the CJEU cast doubt on the ability of businesses to rely on standard contractual clauses (SCCs) – the most popular mechanism for providing data protection law-compliant safeguarding around data transfers from the EU – for EU-US data transfers and for transfers to other jurisdictions with known invasive surveillance regimes, without countervailing safeguards in place for individuals whose data will be transferred.

In its judgment in the so-called 'Schrems II' case, the CJEU highlighted shortcomings with the safeguards in place to counteract US legislation that gives US law enforcement and intelligence agencies powers to request and access data. This risk arises where the recipient of data transferred from the EU is subject to the Foreign Intelligence Surveillance Act (FISA) in particular.  FISA covers activities of so-called electronic service providers – a term that covers a wide range of companies including technology giants such as Microsoft, Facebook and Amazon Web Services. 

The outcome of the ruling is that businesses that have been reliant on the Privacy Shield must immediately find other legal mechanisms to underpin their EU-US data transfers, or risk potential enforcement action, and that businesses turning to or sticking with SCCs – and indeed other data transfer mechanisms such as binding corporate rules (BCRs) – must conduct due diligence to understand the risks of foreign surveillance regimes and put in place any additional safeguards necessary to meet their obligations under EU data protection law if their assessment is that SCCs alone do not ensure adequate data protection for the transferred data.

There is a lack of clarity – at this stage – on what exactly any 'additional safeguards' should comprise of and what additional clauses can be put in place to ensure there are adequate safeguards when supplementing SCCs. The European Data Protection Board (EDPB), which brings together national data protection authorities from across EU member states, has promised guidance to help on this, while the European Commission is in the process of updating the existing SCCs.

Although the position is still evolving, doing nothing is not an option for businesses. There are actions businesses can consider to minimise their compliance risks:

• identify where the Privacy Shield has been relied upon as the sole basis for transfers to the US and prepare to put in place SCCs;
• identify other data flows, both intra-group and externally, and the mechanisms used to ensure compliance in case these need to be reviewed, amended or replaced;
• stay alert for guidance in your jurisdiction. Some national data protection authorities (DPAs) seem to be taking a softer approach than others, but a more harmonised approach is likely to emerge as the DPAs work within the EDPB;
• Pinsent Masons has developed a due diligence checklist for clients which assesses the risks inherent in transfers to other jurisdictions on a case-by-case basis, particularly, if using SCCs;
• additional contractual clauses could be beneficial as an additional safeguard regarding requests from public authorities and obligations on importer;
• consider if any other measures may assist including, further limiting the volume and/or sensitivity of data transferred to 'third' countries and keeping data within the EU where possible to do so;
• large businesses or even industry bodies can carry out assessments of specific types of data or categories of transfers to determine if the transfers would be compliant on the basis of the SCCs;
• include contractual provisions allowing for a changeof the transfer mechanism as soon as a better one becomes available – there is the prospect, in the medium-term, of an updated Privacy Shield emerging in the context of EU-US data transfers, for instance, as the US Department of Commerce has alluded to;
• explore technical methods for minimising the risks to individuals, without effecting the purpose of the processing for the data exporter;
• consider if any of the derogations provided for in the GDPR in relation to data transfers are relevant or practical for any specific transfers. The derogations should not be used as a mechanism for regularly transferring personal data;
• consider whether increased transparency as to the potential for public authority access in the third country would be helpful;
• consider different routes for transfer, such as direct sharing from data subject to importer, for example.