New guidance on the application of the GDPR outside Europe
Amériques, Moyen-Orient, Royaume-Uni & Europe
Protection des données et de la vie privée
A landmark data protection case in Europe last month has the potential to impact how personal data flows from the EU to the Middle East. This is relevant to any business that shares personal data with affiliates or business partners in Europe or targets customers who are resident in Europe. Our special briefing considers the judgment in the case known as Schrems II and its impact on organisations outside Europe and the US.
On July 16 2020, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems II case C-311/18 (the Judgment) which invalidated the EU-US Privacy Shield (a framework for regulating exchanges of personal data for commercial purposes between the European Union (EU) and the United States) and called into question the extent to which data exporters that fall within the scope of the EU General Data Protection Regulation (GPDR) can rely on the European Commission's Standard Contractual Clauses for international data transfers (SCCs).
We explain below the effect of the Judgment on cross-border data transfers and what companies outside Europe and the US, whether acting as data exporters (if their data processing operations are caught by the GDPR) or importers of data from the EU, should consider when entering into SCCs.
The rapid rise in technological developments, digital networks and global inter-connectivity has spurred an immense reliance on data. In our digital economy, data is more valuable than ever. For businesses operating on a global scale, international transfers of data are an essential element of daily business operations.
Companies located outside Europe may, for example, store personal data on cloud servers hosted in the EU, share employee data with a parent or subsidiary of their group based in the EU, or receive customer data from affiliated entities or business partners in the EU. All of these data flows potentially involve a regulated transfer of personal data that would be caught by the GDPR.
As a result of the continuous growth in the volumes and use of data and the introduction of the GDPR in 2018 – now considered as the "gold standard" of data protection laws across the globe – there has been an increase in global regulation in this area, and public and media awareness of data sharing and ownership. Sanctions for failure to comply with these rules can be severe and the reputational damage may be even more significant.
Under the GDPR, cross-border data transfers outside the EU may take place if the country to which data is exported is deemed to ensure an adequate level of data protection, as assessed by the European Commission. The few countries that have been approved to date include Argentina, Canada, Japan, New Zealand and Switzerland, but the list does not include major markets such as Brazil, India, China, Australia and most of the APAC region, the Middle East and Africa.
Personal data can be transferred from the EU to "non-adequate" third countries if the controller (i.e. the entity that determines how and why personal data is processed) or processor (which processes personal data on behalf of a controller) implements appropriate safeguards. The most commonly-adopted safeguards are the SCCs, which are a number of template forms of agreement approved by the European Commission. The SCCs are entered into between the data exporter and data importer with the aim of protecting personal data leaving the European Economic Area and ensuring that the individual data subjects have a right of redress. The SCCs have been the predominant foundation of cross-border personal data transfers from the EU for many years.
The Schrems II case concerns an Austrian privacy advocate, Max Schrems, who filed a complaint with the Irish Data Protection Commissioner in 2015 challenging Facebook Ireland's reliance on the SCCs as a legal basis for transferring personal data to Facebook Inc. in the USA. Schrems argued that due to the surveillance activities undertaken by US intelligence agencies, adequate protection was not provided to personal data transferred from the EU to the USA under the SCCs or the US-EU Privacy Shield (an approved transfer mechanism replacing the original US Safe Harbor framework that was invalidated by the CJEU in the original Schrems case). The Irish Data Protection Commissioner referred questions to the CJEU as to the validity of the SCCs and the EU-US Privacy Shield.
The CJEU invalidated the Privacy Shield framework holding that EU personal data might be at risk of being accessed and processed by the US government for US surveillance purposes once transferred, in a manner that is incompatible with the privacy rights guaranteed in the EU. Additionally, the CJEU held that there is no remedy available for EU individuals to ensure protection of their personal data after they are transferred to the US.
On the other hand, the CJEU upheld the validity of the SCCs as providing sufficient protection for EU personal data, but with some important caveats. In particular, the Judgment stressed that certain requirements will have to be satisfied in order for data exporters to be able to rely on the SCCs moving forward:
The Judgment raises uncertainties as to the use of SCCs for the cross-border transfer of personal data. The Judgment requires many organisations to reassess their processing of personal data that are caught under the GDPR and make immediate changes in how they transfer such data to third countries that are not included on the European Commission's adequacy list at this stage.
The European Commission, however, has confirmed that it is working on alternative instruments for international transfer of personal data, including a review of the existing SCCs.
It is likely that the European Commission views the position created by the Judgment as somewhat invidious for data controllers. After all, the European Commission itself has historically recognised that it is appropriate for assessments as to the adequacy of a third country's legal framework to be carried out by the Commission and not by individual companies. Without an objective regulatory standard being applied to a third country, the prospect is open for controllers to take differing views as to whether or not the SCCs represent adequate safeguards on a case-by-case basis, which from a regulatory perspective seems to fall short of the fundamental aim of the GDPR: to ensure consistent protection of individuals' privacy rights.
It is not practical for businesses to cease data flows immediately and there is a pressing need for the European Commission, the European Data Protection Board and the various European data protection authorities to issue clear guidance or further regulation as to the approach that should be taken by controllers.
The majority of non-EU businesses will not be directly subject to the GDPR; however it does potentially have extraterritorial effect that means this cannot be completely discounted, particularly where entities operate as part of a global business or sell to consumers in Europe. In the absence of timely further guidance from regulators, companies that fall under the scope of the GDPR should consider:
The above measures represent a significant burden on companies and we would be surprised if there is an immediate rush by businesses to respond to the Judgment but, as it stands, the impact of the Judgment suggests that these steps will be necessary.
Non-EU businesses that import data under SCCs may need to: