1. What are transfers of personal data?
Companies increasingly use storage ‘in the cloud’ to store their data and applications and use service providers located outside Europe or service providers inside Europe while the data itself is stored in non-EEA data centres. Did you know that these are transfers of personal data?
But what exactly is a transfer of personal data? We can define a transfer of personal data as any transmission of personal data to a recipient or location outside the European Economic Area (EEA). This clearly includes storage ‘in the cloud’, storage in data centres outside the EEA and the transmission of personal data to applications and service providers located outside the EEA.
In addition, the transmission of personal data by email to a recipient outside the EEA, or a website hosted outside the EEA with personal data published on it, may also constitute a transfer of personal data. It should be clear that many day-to-day activities of your company fall within the scope of the legal regime for data transfers under the GDPR.
The general principle for data transfers outside the EEA is that one of the mechanisms under Chapter V GDPR must be relied upon. The recent Schrems II judgment has greatly impacted the interpretation of those mechanisms.
2. Key points and implications of the judgment
2.1 Nullification of the Privacy Shield
One of those mechanisms in the GDPR is the so-called ‘adequacy decision’, in short an agreement between the European Union and a third country on the smooth flow of data between them.
Does your company store personal data in the United States or does it transmit personal data to a recipient in a third country, based on an adequacy decision? Or in the United Kingdom, Canada, Japan or Switzerland? If so, the first key point of the judgment is certainly relevant to your company.
It concerns the nullification of the Privacy Shield, i.e. the adequacy decision between the European Union and the United States, by the Court of Justice of the European Union. On the basis of this adequacy decision, companies could freely transfer personal data to the United States, just as they could under the Safe Harbour decision. The Court now nullifies the Privacy Shield because, on the one hand, it considers the US surveillance practices not to be ‘strictly necessary and proportionate’ and, on the other hand, data subjects do not have an effective remedy against those practices, as required by Article 47 of the Charter of Fundamental Rights of the EU. With the nullification of the Privacy Shield, Max Schrems scored another victory in the fight against internet giants such as Facebook. In addition, the judgment will not have a transitional period, although the obligations under the Privacy Shield will continue to apply. As a result, companies have to balance their obligations under the Privacy Shield against the implications of the Schrems II judgment.
The impact of the judgment not only creates ambiguity and concern for data transfers to the United States; other adequacy decisions, such as those with Canada, Japan and Switzerland, must also be questioned after the judgment. The intended adequacy decision with the United Kingdom after Brexit will also be called into question. Companies should therefore be extremely careful in how they deal with these uncertainties and inform themselves properly to avoid sanctions.
2.2 Standard contractual clauses
The second and potentially even more far-reaching key point of the judgment concerns standard contractual clauses (better known as SCCs). SCCs, together with the Privacy Shield, are the main mechanisms that companies rely on to justify data transfers. Although the Court does not declare SCCs invalid, it states that companies wishing to transfer personal data to third countries on the basis of SCCs must assess on a case-by-case basis whether the third country offers an ‘adequate level of protection’. This statement is very unclear and makes it very difficult in practice to deal with this mechanism in an objective and certain way.
The ‘adequate level of protection’ boils down to the strict necessity and proportionality of surveillance practices, together with effective remedies against those practices: the same foundations on which the Privacy Shield was nullified. If the third country cannot guarantee this, companies must either provide additional safeguards or suspend or terminate the data transfers. The scope of the notion of ‘additional safeguards’ also raises questions after the judgment and only makes it more complex for companies to deal with the standard contractual clauses.
3. What after Schrems II?
What can you do after such a drastic change? Can you no longer transfer personal data outside the EEA or make use of ‘the cloud’, data centres, applications and service providers outside the EEA? The answer is not unequivocal. Although the future for data transfers under the GDPR is clearly still uncertain after the judgment, we compile below our advice and best practices for companies:
- Map your personal data and data transfers. If you do not transfer personal data outside the EEA (which is unlikely), the judgment will not apply to your company.
- Conduct an audit. You should check for all processing operations whether you, as controller (or through your processor(s)), transfer personal data to third countries and on what basis.
- Consult a legal advisor, who can guide the assessment of the following points together with your company.
- For each transfer, check whether the third country offers an ‘adequate level of protection’, i.e. that the surveillance practices are ‘strictly necessary and proportionate’ and that data subjects have an effective remedy against such practices.
- If you want to invoke a third country adequacy decision, always check whether that decision is still in force and what the competent data protection authority says about it.
- If you wish to rely on standard contractual clauses for transfers to third countries that do not offer an ‘adequate level of protection’, take additional technical and/or organisational measures.
- If you transfer personal data to third countries only occasionally and to a limited extent, this may be justified by the explicit consent of the data subject.
Monard Law is happy to assist you with your questions regarding the consequences of the Schrems II judgment, transfers of personal data to third countries, standard contractual clauses or any other questions or issues regarding the GDPR.