Schrems II: Narrowing Options for Moving Data

Scott Blackmer
July 17th, 2020

The Court of Justice of the European Union (CJEU) delivered its judgement in “Schrems II” on July 16, 2020, invalidating one of the common methods for legally sharing personal data between entities in the EU / EEA and their affiliates or vendors in the US – the EU-US Privacy Shield program, in which more than 5300 US companies are enrolled – and casting doubt on the future of the mechanism employed by most companies in the EEA to transfer data abroad, the EU-approved Standard Contract Clauses (“SCCs”). Alternatives are available, but they are more limited and are also under pressure.

The CJEU referral arose from objections raised against Facebook before the Irish data protection commission, because of concerns over covert surveillance of trans-Atlantic communications by US intelligence agencies. (Facebook, in common with several other large IT companies, bases its European operations in Ireland.)  The European Commission had investigated those practices and accepted US assurances concerning oversight under the US Foreign Intelligence Surveillance Act (“FISA”) and executive orders establishing an Ombudsman to handle complaints from EEA residents, who do not enjoy the same protections as US citizens under FISA.  The Court rejected the Commission’s decision that the Privacy Shield program provided an “adequate” level of protection under General Data Protection Regulation (“GDPR”) Article 45, because the Court found that these safeguards did not rise to the standard of the EU Charter on Fundamental Rights.  This requires a state to limit its surveillance activities to what is “strictly necessary and proportional” and provide for judicial recourse.  The Court deemed FISA deficient in this respect and the Ombudsman provisions not equivalent to judicial recourse.

There is no appeal from the CJEU, and while the European Commission has proclaimed its willingness to discuss revisions to the Privacy Shield and associated measures with its US counterparts, this is not likely to be resolved in the final months of an unusually fevered general election in the US.

The Court did not invalidate the Commission’s SCC decision, which did not entail an adequacy finding about US law and procedure. Instead, the Court made it clear that companies using SCCs are responsible in the first instance to determine if they can assure the confidentiality of the data in the receiving country, given local law and government practices, and the Court stated that the data protection supervisory authorities in Europe should examine that issue when challenged. The Court referred the SCC complaint back to the Irish data protection commission to do so in the case of Facebook. Given what the Court concluded about deficiencies in the US legal protection of non-US persons affected by US surveillance, it would seem that the Irish commission is in a difficult position to bless SCCs that currently cover, or that would replace Privacy Shield, for the trans-Atlantic data flows of giants with EMEA bases in Ireland, such as Google, Microsoft, AWS, Hewlett Packard, Accenture, Pfizer, Experian, Seagate, Medtronic, Johnson & Johnson, etc.

Again, any legislative or executive revisions on the US side will not be simple and cannot be expected before 2021.

Notice, however, that the Court’s decision also puts pressure on contracting parties and data protection regulators to meet a high standard, and not just for data transfers to the US. When a company in Germany shares data with a contractor or affiliate in China, Russia, Turkey, or Vietnam, for example, can it be reasonably satisfied that there is no “disproportionate” government surveillance, and that German citizens would have judicial recourse in those countries if that occurred?

The EU General Data Protection Regulation (GDPR) includes in Article 44 a broad statement that personal data may be transferred to a “third country” (i.e., outside the EEA) only if the “level of protection” guaranteed by the GDPR would not be “undermined.”

This can be accomplished through an “adequacy determination” by the Commission under Article 45, like the now-invalidated Privacy Shield decision or the adequacy decisions in favor of Switzerland, Canada, and Japan. It can also be achieved through a Commission decision under Article 46 finding “adequate safeguards” in approved SCCs or an approved code of conduct, or under Article 47 for adequate safeguards provided by binding corporate rules (“BCRs”) within a corporate group, approved by one or several of the European data protection supervisory authorities (which takes time).

But there are other possibilities for lawful transfers that are not founded on adequate safeguards. Article 49 lists several such derogations.  It allows transfers based on the informed, “explicit consent” of the individual data subject, “having been informed of the possible risks of such transfers.”  It also allows transfers “necessary for the performance of a contract” with the data subject, or to enter into a contract with the data subject, or to perform a contract in the interest of the data subject.  Transfers are also possible to establish or exercise legal claims, or for “important reasons of public interest” (in the relevant EEA country, not the third country).  These derogations are interpreted narrowly, however, and they must be well justified and supported – “explicit” and “informed” consent, and “necessary” processing for contract.  Importantly, the Article 49 derogations do not rely on “adequacy” of protection, but it is not clear whether they would entirely avoid a challenge based on the argument that the CJEU raised against Privacy Shield, founded on the protections against unwarranted surveillance in the EU Charter on Fundamental Rights.

Privacy Shield companies must act immediately, most likely by executing data transfer agreements with SCCs and changing the wording of the privacy policies on their websites and in their European employee privacy notices. We must watch attentively for the next steps in Ireland and in other data protection authorities for decisions about SCCs.  Other important questions arise:  What will the UK do with Privacy Shield and SCCs – will it have to choose between the US and Europe?  What will Switzerland do, as it has its own Privacy Shield program with the US and also accepts the SCCs?

Companies facing the aftershocks of Schrems II should be looking at all available options at this point: limiting unnecessary data transfers, switching to SCCs from Privacy Shield, changing their privacy disclosures to warrant transfers based on consent or contract performance, and adjusting vendor and customer contracts where necessary. FLI advisors on both sides of the Atlantic are prepared to work together to help with these cross-border issues.


Scott Blackmer

Scott leads the Americas Management Team. Previously a partner at WilmerHale, Scott advises private and federal clients in technology and is regarded as a leading authority in intellectual property and international trade. He has served as an advisor on privacy, data protection and digital identity to various Fortune 500 entities as well as government organizations.

With extensive experience in all matters related to data protection and cybersecurity, in both consumer and human resources contexts, Scott is an expert in a wide range of legal issues that companies face in online and mobile business, especially across borders.

Copyright © 2024 First Law International
480 Avenue Louise, B-1050 Brussels, Belgium.
