Schrems II – What’s next?
November 9, 2020
In July we wrote an article reporting on the recent Schrems II judgement. By way of a reminder, this was the successful legal challenge issued by Mr. Schrems against the US Privacy Shield framework for the transfer of personal data between the EU and the US. The European Court of Justice (ECJ) agreed with Mr. Schrems and determined that the US Privacy Shield framework did not offer an adequate level of protection for data transfers between the US and EU.
This has created significant issues and challenges for any company which deals with the transfer of personal data from the EU (including the UK) to the US.
Businesses, lawyers and academics have been grappling with the practical challenge of how EU-US data flows can continue in the absence of the Privacy Shield framework. To date, we have not received any definitive guidance from the ECJ or the European Data Protection Board (EDPB) as to how the situation can be resolved. However, as any professional involved in this area will attest, it is not acceptable to simply ignore the decision.
Companies should be taking steps to assess the risks of Schrems II to their business and be taking steps to address those risks. Particularly as the general consensus is that definitive guidance from the EDPB may not arrive any time soon; it could be months; it could be years!
The Risk: To be transferred or not to be transferred, that is the question…
Any business which controls or processes personal data, and transfers such personal data to the US, should be taking steps now to identify the risks raised by Schrems II.
It should also be noted that the term ‘transfer of personal data’ as defined within the GDPR, is very broad in scope. If a third party can ‘access’ personal data held on a server, then such access will be deemed to fall within the definition of a ‘transfer’ for the purposes of GDPR. This is a critical point.
Many companies use cloud providers as a means to store their own personal data (in respect of which they are data controller) AND to also to store their customer’s personal data (in respect of which they are data processor). Many companies are of the view that if such cloud providers have data centres based in the EU, then such personal data is not being ‘transferred’ outside the EU and as a result they are compliant with GDPR requirements.
This may not necessarily be correct. If a cloud provider is a US registered company, and that US company can access (if it wishes) the personal data stored in its EU data centres, then arguably such ability to access the personal data will amount to a transfer of personal data for the purposes of GDPR. Critically, this means that such cloud providers STILL fall within the Schrems II decision, irrespective of personal data being stored on servers based in the EU. Accordingly, it may be necessary to take further steps to ensure such cloud providers can offer adequate safeguards to protect the personal data held within their EU data centres.
Who is responsible for the risk?
It is the data controller’s responsibility to take steps to protect their personal data, and to ensure their data processors are compliant with the GDPR. However, that does not mean data processors can ignore the issue.
A data controller will be seeking to verify that their data processors are compliant with the GDPR and this will mean taking steps to ensure that (a) no personal data is transferred to the US; and (b) if personal data is transferred to the US, that it is done so in a manner which addresses the issues raised by Schrems II.
Failure to do so may result in a data controller being in breach of the GDPR and facing fines and other penalties enforced by their relevant Supervisory Authority. If a data processor has been culpable in causing a data controller to breach the GDPR, the data controller will look to pass some, or all of the liability incurred from fines down to the relevant data processor.
Accordingly, it is important that every entity within the data processing chain is alive to and meets the requirements of the GDPR, including the requirements following Schrems II.
How can the issues raised by Schrems II be addressed?
As yet, we have not received any firm guidance from the EDPB as to what best to do. The judgment provided by the ECJ stated that any EU-US transfers of personal data must be done so either on the basis of the Standard Contractual Clauses (SCCs) or the Binding Corporate Rules (BCRs) but crucially it was confirmed that these contracts would only be sufficient if they were supplemented by ‘additional safeguards’. Unfortunately little guidance was offered as to what such ‘additional safeguards’ would be.
As the dust has settled, various proposals as to what the additional safeguards might be have come to the fore. These include the following:
- Encryption of personal data;
- Anonymisation of personal data; and/or
- Pseudonymisation of personal data.
Specifically in relation to pseudonymisation of personal data, it is worth commenting that the definition of pseudonymisation of personal data has been updated. Pseudonymisation now requires that (i) personal data cannot be linked to a specific data subject without using other ‘additional information’; (ii) the ‘additional information’ is kept separate from the personal data being transferred; and (iii) technical and organizational measures must ensure that personal data cannot be attributed to identifiable persons without access to separate and securely stored ‘additional information’.
We recommend making checks (and if necessary, seeking evidence) from your data processors that such additional safeguards are in place, and if they are not, making requests of your data processors to put such safeguards in place, if possible.
The above safeguards are also excellent methods of complying with the GDPR requirements of “Privacy by design and default”. They will enhance your data security mechanisms overall within your business, and embed a further cultural shift towards the protection of personal data which is the ultimate aim of the GDPR.
- Do not ignore this issue. You should assess whether you are transferring personal data to the US from the EU and the capacity in which you are transferring (i.e. controller or processor). If you are transferring data to the US, you should carry out a transfer impact assessment (TIA) to ascertain the risks and prepare a road map of how to address those risks.
- You should notify the Board of Directors of this matter, and if necessary, add this as a risk on your risk register. It may also be prudent to notify shareholders of the issue if it is determined to be a serious risk.
- You should ascertain which of your processors are transferring personal data to the US from the EU (please note the comments above in relation to cloud providers) and examine the basis on which the personal data is being transferred. If data is still being transferred under the US Privacy Shield framework, you should take steps to change this to the SCCs with additional safeguards.
- Implement additional safeguards to keep the personal data secure.
- Whatever approach you decide to take, ensure you build in some flexibility. It is likely at some point we will have concrete guidance as to how best to approach this issue, whether that be in the form of a new US Privacy Shield framework, amended SCCs or additional safeguards (or a combination of all of these). It will be key to ensure you can adapt quickly to any such changes.
Ignore this issue at your peril; fines for non-compliance can be up to 4% of turnover AND/OR a Supervisory Authority can require that personal data that is at risk is no longer processed.
We will continue to monitor the position and report to clients the latest developments in this area as and when they materialise. In the meantime, if you need any assistance implementing the guidance detailed in this bulletin, please contact Rebecca Kelly at Rebecca.firstname.lastname@example.org.