As we all know, the EU-U.S. Privacy Shield framework, the cross-border transfer mechanism relied upon by over 5,000 U.S. entities until just over a month ago, was recently invalidated by the CJEU in the Schrems II case (see here for our last post following the ruling). So what next?

With Privacy Shield dead and the CJEU reaffirming that truly adequate safeguards must be coupled with the Standard Contractual Clauses (SCCs), organizations must determine how to properly transfer personal data outside of the EEA to non-adequate jurisdictions (including companies in the U.S.). Indeed, although the SCCs and other more limited mechanisms remain valid for transfers out of the EEA per the CJEU ruling, each underlying data transfer must be assessed on a case-by-case basis in order to determine if/when personal data will be transferred outside of the EEA and if so, whether the data to be transferred to a third country not otherwise deemed adequate by the EU can nonetheless be adequately protected under and as per EU data protection laws. If the third country and/or recipient organization cannot provide those same safeguards, EU data protection law mandates that the personal data not be transferred. To be clear, the requirement of adequate safeguards was already law in the EU, but merely loudly re-affirmed by the CJEU. In fact, over the years, many companies entered into SCCs as part of data processing agreements without much thought being given to whether all of the adequate safeguards were or could be met.

Recent developments post-Schrems II

Following Schrems II, most companies small and large – especially those that had self-certified Privacy Shield – took a “wait-and-see” approach given the massive confusion that ensued. However, not much more guiding clarity has emerged since the ruling – other than some official statements/comments, such as the FAQs issued by the EDPB. All in, no groundbreaking developments, and certainly no uniform guidance on what should come next or how impacted companies might proceed. This may soon change. As of last week, Max Schrems and his privacy watchdog organization, NOYB, shook things up and filed over 100 complaints in 30 EEA countries. The complaints were filed against European companies that continued – post Schrems II – to transfer personal data about their online visitors to Google and Facebook in the U.S. More detailed information about those complaints (including a list of those companies and the individual complaints) can be found here.

In a nutshell, the complaints state that the transfers of personal data by these various companies to Facebook and/or Google are unlawful because they are either (a) still based on an invalidated adequacy decision (i.e., Privacy Shield) or (b) reliant on the Standard Contractual Clauses (SCCs), the use of which is prohibited under GDPR if the third country to which personal data is transferred does not allow for the same standard of adequate protection as under EU law. As summarized by NOYB’s website, this is because, with respect to U.S. companies, the CJEU found that further transfers to recipients that fall under U.S. surveillance laws, namely the Foreign Intelligence Surveillance Act (“FISA”), violate data subjects’ data protection rights (among others). Because Google and Facebook qualify as electronic communication service providers within the meaning of FISA (50 U.S. Code §1881(b)(4)) and as such are subject to U.S. intelligence surveillance under FISA, it follows that the transfers of personal data outside of the EU to those recipients are unlawful – regardless of the relied-upon mechanism, per NOYB. What’s more, NOYB’s complaints would presumably require member state supervisory authorities to intervene and stop the transfers if indeed unlawful.

What steps should organizations take with respect to transfers of personal data out of the EEA?

Now that it’s very clearly time for companies that have put off re-assessing the validity and bases of cross-border transfers to get busy, what does this mean concretely? First off, this means conducting transfer assessments. Then, once transfers and their bases have been validated, making necessary adjustments to cross-border transfer agreements and privacy notice(s).

At a high level, these transfer assessments require organizations transferring personal data within the scope of the GDPR to:

  • Determine the third country (or countries) to which personal data is transferred and the basis of such transfer(s) (e.g., SCCs, Privacy Shield, etc.) – keeping in mind the broad notion of “transfer” also includes access, as well as the fact that some transfers may be to other related entities within a corporate family as well as third parties or sub-contractors of third parties;
  • Review local and domestic laws in each such third country that is not deemed adequate by the EU, in order to determine whether such laws enable public authorities to access the personal data of EU (EEA) data subjects;
  • Assess whether the recipient(s) of personal data within a third country that is not adequate and that does not provide similar protection is in fact subject to the domestic laws granting access to public authorities – and whether such access is limited to what is necessary and proportionate;
  • Determine what additional safeguards, if any, might be applied to protect the personal data (e.g., encryption) and whether the domestic law at issue provides effective remedies/redress for data subjects.

Once these assessments are conducted and properly recorded (in anticipation of a potential future audit), organizations will want to adjust their data processing agreements in order to ensure, where necessary, that any recipients in third countries that do not cut it either stop transferring the data to those countries or, if this can feasibly be accomplished, provide additional safeguards (e.g., encryption, notice mechanisms etc.). Importantly, organizations that have relied on Privacy Shield must also adjust their privacy notice(s).

Note that all organizations in the supply chain (controller, processor, sub-processor) are impacted here. If your organization is a processor of EU personal data in a third country that is not deemed adequate (again, including the U.S.), your organization must be capable of (a) addressing any controller/exporters’ concerns and (b) ensuring that its own onward transfers to sub-processors provide adequate safeguards, even though the primary responsibility falls upon the controller and/or exporter of personal data to perform assessments before allowing any personal data to be transferred out of the EEA. Processors should address this issue now so that they are prepared when an EU controller reconsiders using service providers in non-adequate countries as a result of the Schrems II decision.

In other words, there is a lot to be done.