Schrems II: Narrowing Options for Moving Data

Scott Blackmer
July 17th, 2020

The Court of Justice of the European Union (CJEU) delivered its judgement in “Schrems II” on July 16, 2020, invalidating one of the common methods for legally sharing personal data between entities in the EU / EEA and their affiliates or vendors in the US – the EU-US Privacy Shield program, in which more than 5300 US companies are enrolled – and casting doubt on the future of the mechanism employed by most companies in the EEA to transfer data abroad, the EU-approved Standard Contractual Clauses (“SCCs”). Alternatives are available, but they are more limited and are also under pressure.

The CJEU referral arose from objections raised against Facebook before the Irish data protection commission, because of concerns over covert surveillance of trans-Atlantic communications by US intelligence agencies. (Facebook, in common with several other large IT companies, bases its European operations in Ireland.) The European Commission had investigated those practices and accepted US assurances concerning oversight under the US Foreign Intelligence Surveillance Act (“FISA”) and executive orders establishing an Ombudsman to handle complaints from EEA residents, who do not enjoy the same protections as US citizens under FISA. The Court rejected the Commission’s decision that the Privacy Shield program provided an “adequate” level of protection under General Data Protection Regulation (“GDPR”) Article 45, because the Court found that these safeguards did not rise to the standard of the EU Charter of Fundamental Rights. That standard requires a state to limit its surveillance activities to what is “strictly necessary and proportional” and to provide for judicial recourse. The Court deemed FISA deficient in this respect and the Ombudsman provisions not equivalent to judicial recourse.

There is no appeal from the CJEU, and while the European Commission has proclaimed its willingness to discuss revisions to the Privacy Shield and associated measures with its US counterparts, this is not likely to be resolved in the final months of an unusually fevered general election in the US.

The Court did not invalidate the Commission’s SCC decision, which did not entail an adequacy finding about US law and procedure. Instead, the Court made it clear that companies using SCCs are responsible in the first instance for determining whether they can assure the confidentiality of the data in the receiving country, given local law and government practices, and the Court stated that the data protection supervisory authorities in Europe should examine that issue when challenged. The Court referred the SCC complaint back to the Irish data protection commission to do so in the case of Facebook. Given what the Court concluded about deficiencies in the US legal protection of non-US persons affected by US surveillance, it would seem that the Irish commission is in a difficult position to bless SCCs that currently cover, or that would replace Privacy Shield for, the trans-Atlantic data flows of giants with EMEA bases in Ireland, such as Google, Microsoft, AWS, Hewlett Packard, Accenture, Pfizer, Experian, Seagate, Medtronic, Johnson & Johnson, etc.

Again, any legislative or executive revisions on the US side will not be simple and cannot be expected before 2021.

Notice, however, that the Court’s decision also puts pressure on contracting parties and data protection regulators to meet a high standard, and not just for data transfers to the US. When a company in Germany shares data with a contractor or affiliate in China, Russia, Turkey, or Vietnam, for example, can it be reasonably satisfied that there is no “disproportionate” government surveillance, and that German citizens would have judicial recourse in those countries if that occurred?

The EU General Data Protection Regulation (GDPR) includes in Article 44 a broad statement that personal data may be transferred to a “third country” (i.e., outside the EEA) only if the “level of protection” guaranteed by the GDPR would not be “undermined.”

This can be accomplished through an “adequacy determination” by the Commission under Article 45, like the now-invalidated Privacy Shield decision or the adequacy decisions in favor of Switzerland, Canada, and Japan. It can also be achieved through a Commission decision under Article 46 finding “adequate safeguards” in approved SCCs or an approved code of conduct, or under Article 47 for adequate safeguards provided by binding corporate rules (“BCRs”) within a corporate group, approved by one or several of the European data protection supervisory authorities (which takes time).

But there are other possibilities for lawful transfers that are not founded on adequate safeguards. Article 49 lists several such derogations. It allows transfers based on the informed, “explicit consent” of the individual data subject, “having been informed of the possible risks of such transfers.” It also allows transfers “necessary for the performance of a contract” with the data subject, or to enter into a contract with the data subject, or to perform a contract in the interest of the data subject. Transfers are also possible to establish or exercise legal claims, or for “important reasons of public interest” (in the relevant EEA country, not the third country). These derogations are interpreted narrowly, however, and they must be well justified and supported – “explicit” and “informed” consent, and “necessary” processing for contract. Importantly, the Article 49 derogations do not rely on “adequacy” of protection, but it is not clear whether they would entirely avoid a challenge based on the argument that the CJEU raised against Privacy Shield, founded on the protections against unwarranted surveillance in the EU Charter of Fundamental Rights.

Privacy Shield companies must act immediately, most likely by executing data transfer agreements with SCCs and changing the wording of the privacy policies on their websites and in their European employee privacy notices. We must watch attentively for the next steps in Ireland and at other data protection authorities for decisions about SCCs. Other important questions arise: What will the UK do with Privacy Shield and SCCs – will it have to choose between the US and Europe? What will Switzerland do, as it has its own Privacy Shield program with the US and also accepts the SCCs?

Companies facing the aftershocks of Schrems II should be looking at all available options at this point: limiting unnecessary data transfers, switching to SCCs from Privacy Shield, changing their privacy disclosures to warrant transfers based on consent or contract performance, and adjusting vendor and customer contracts where necessary. FLI advisors on both sides of the Atlantic are prepared to work together to help with these cross-border issues.

Scott Blackmer

Scott leads the Americas Management Team. Previously a partner at WilmerHale, Scott advises private and federal clients in technology and is regarded as a leading authority in intellectual property and international trade. He has served as an advisor on privacy, data protection and digital identity to various Fortune 500 entities as well as government organizations.

With extensive experience in all matters related to data protection and cybersecurity, in both consumer and human resources contexts, Scott is an expert in a wide range of legal issues that companies face in online and mobile business, especially across borders.

Copyright © 2021 First Law International
143 Avenue Louise, B-1050 Brussels, Belgium.