TechGDPR

International Transfers of Personal Data after the Schrems II ruling

Thursday August 6th, 2020 by Vlad Nekrutenko

On July 16, 2020, the top court of the European Union (CJEU) issued a groundbreaking ruling in the so-called “Schrems II” case concerning international transfers of personal data from the European Union. It was meant to deal mostly with transfers to the EU's main commercial partner – the United States – but turned out to have implications for all countries outside of the European Economic Area (EEA).

In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.

International data transfer

The Schrems-II ruling of the European Court of Justice on Transfers of Personal Data outside of the EU

The European Union is well known for its diligent approach to the protection of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and the rights of individuals are not abused as soon as they cross the EU border.

The European Commission produced a list of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners. The requirement for companies in this group was to self-certify and join the so-called EU-US Privacy Shield. Until recently, more than 5000 organisations used the scheme, including Amazon, Facebook, and Google.

With its judgement, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US illegal. Additionally, the ruling affected another mechanism, the Standard Contractual Clauses (SCCs), which were used in 88% of international transfers, warning that SCCs cannot always be used for transfers to third countries. It implied a similar fate for Binding Corporate Rules, another mechanism for transfers within a corporate group.

As if this were not enough, the court left no grace period for organisations to understand their situation and come up with alternative transfer mechanisms suited to their business model. This leaves thousands of transfers of personal data to the US and, presumably, to many other countries unlawful. This is why a swift reaction is vital for companies in the EU.

Step-by-step guide to international data transfers after the CJEU ruling

Step 1 – Audit existing transfers 

To start with, prepare a list of all relationships with companies that imply transfers of personal data outside of the European Union. Bear in mind that storing personal data on cloud servers in another country, or using third-party applications such as CRM, HR, payment systems, collaboration tools, video-conferencing or task managers, definitely implies an international transfer of data. Remember that involving contractors or software development agencies from third countries also implies an international data transfer.

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most of this information can be gathered from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The mechanisms currently used by companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46.3.a GDPR), Binding Corporate Rules (Art. 47 GDPR), or derogations (Art. 49 GDPR).

Step 2 – Choose appropriate safeguards

Pay specific attention to transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data to the United States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by providers of cloud computing and telecommunication services.

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers whether they are subject to national laws that:

  • require indiscriminate surveillance or data collection from them by government bodies;
  • prohibit deletion of the transferred data at the end of your relationship with them;
  • limit the rights of the individuals concerned (data subjects), such as the rights to be informed, to access, to rectification and to erasure, upon request.

The restrictions above are difficult to overcome with the available EU privacy safeguards, as the CJEU judgement confirmed. This is exactly the case with transfers to the United States: under Section 702 FISA (50 U.S.C. § 1881a), all “electronic communication service providers”, i.e. providers of remote computing services, electronic communication services, or telecommunications carriers, must share the data they store about foreigners with U.S. national enforcement agencies. As a result, SCCs are considered unusable for transfers of data to these types of providers at all.

For other types of partners and service providers, SCCs and BCRs remain a possible option, though additional examination will be necessary.

To make matters worse, foreign companies may be prohibited by their own statutory provisions from informing you about such requirements. The option in this case is to look into media coverage of such scenarios, as well as to check the national enforcement and judicial practice on data protection. Best practice, however, is to treat companies that claim they cannot disclose that information as being under such a statutory obligation, and to interpret that answer as an indication that they are likely subject to such national requirements.

Step 3 – Consider derogations or restructure the transfers

Art. 49 of the GDPR provides derogations from the rule described above. For case-by-case transfers, you can ask for explicit consent from the data subject. However, this option seems unrealistic for transferring a whole database, as it may prove impractical to collect consent from all concerned users.

You can also transfer personal data to third countries if it is necessary to perform the contract with your users or other data subjects. Unfortunately, this is only available for transfers that are strictly necessary, i.e. where the execution of the contract takes place on U.S. territory (or in another third country). The mere convenience of transferring the data to the U.S. cannot be regarded as “necessity”, nor can the cost of the offered solution alone be a determining factor.

Finally, as a temporary measure, the company can argue that it has legitimate interests in the international transfers. This option can serve as temporary relief for companies that need time to re-architect their processing activities following the CJEU judgement. A transfer based on legitimate interests must not be repetitive, must concern only a limited number of data subjects, and must not be overridden by the interests or rights and freedoms of the data subject. Two conditions apply when relying on this derogation: you must inform both your supervisory authority and the data subjects about the transfers. Legitimate interests can therefore bridge the gap while you search for a more reliable transfer mechanism.

There are many situations where none of the above options can be used by an EU company. For example, it is fairly difficult to come up with a solution for transferring personal data to cloud hosting providers in the U.S. or to the EU subsidiaries of those companies. In such cases, a bold decision is needed: restructure your data processing and stop transfers of personal data outside of the EU. In that case, only local EU service providers are used, particularly those not under a legal or contractual obligation to transfer data back to the US or to allow other entities access to it.

Conclusion: what to do after the Schrems-II ruling

Until new guidance from the EU regulators is issued, in particular from the EDPB and the European Commission, the situation with international transfers remains rather vague, to say the least. In line with its announcement in the assessment of the first 2 years of the GDPR, the European Commission is also working on new transfer mechanisms. The new safeguards should allow personal data to be transferred outside of the EEA more easily. This work is much awaited, considering that the current SCCs date back to before the GDPR and are thus not fully in line with its provisions.

In the meantime, companies are left with few options:

  1. To amend their processing infrastructure and limit transfers of personal data outside of the EU; or
  2. To take a risk and adopt supplementary protective measures to shore up the current, unstable mechanisms. However, until the European Data Protection Board drafts guidance on such measures, their selection ought to be carefully examined by data protection professionals.

This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

If your business relies on international transfers of personal data, the TechGDPR team provides practical and actionable assessments for organisations to find a solution for each case. Feel free to reach out if you need further help.

Vlad Nekrutenko

Privacy Consultant

Vlad Nekrutenko (CIPP/E) is a data privacy enthusiast and expert in GDPR compliance, specialising in international data transfers and documentation review. His educational background is in law: he studied European Law at Strasbourg University (France) and Public Administration Law at Taras Shevchenko University of Kyiv (Ukraine).