The importance of monitoring client data transfers between EU and the US

David Edwards, director and head of Harrison Drury’s regulatory team, considers the judgment on a landmark data protection case regarding the transfer of client data between Europe and the US and outlines to businesses the importance of correct management and storage of client data.

On 16 July 2020, the Court of Justice of the European Union (CJEU), published its decision on the landmark case, Data Protection Commissioner v Facebook Ireland Ltd, Maximilan Schrems and intervening parties, Case C-311/18  (Schrems II), which ruled that the EU-US Privacy Shield framework was invalidated for personal data transfers between the EU and the US.

Background

By way of brief background, Max Schrems, in 2015, challenged the legal basis of a declined complaint against Facebook Ireland Ltd, which was rejected by the Irish Data Protection Commissioner (Irish DPC) as being baseless.

Mr Schrems argued that his personal data was being transferred from Facebook Ireland Ltd to the US parent company Facebook Inc, without his consent. He also argued that under EU law, his rights were not fundamentally protected, because the US public authorities are able to carry out surveillance on EU individuals’ personal data.

The case has been ongoing for years, during which time, the Irish DPC has dismissed the complaint and taken no enforcement action in protection of the rights of Mr Schrems.

The CJEU, in its ruling, endorsed the original complaint and reminded the Irish DPC of its obligations to protect data protection rights of individuals and their decision to oppose Schrems’ original complaint was wrong.

What did the CJEU say?

EU-US Privacy Shield no longer valid

The CJEU reviewed the US surveillance laws, principally Section 702 of Foreign Intelligence Surveillance Act and Executive Order 11333 (E.O. 12333), which allows US authorities to collect information and survey EU data subjects – such activities do not afford actionable legal rights to those data subjects.

The CJEU asserted that the EU-US Privacy Shield was invalid because the US surveillance programmes are not constrained to processing data which is necessary and proportionate which therefore, does not comply with Article 52(1) of the EU Charter on Fundamental Rights and that EU citizens do not have effective means of rectification in the US in the event of unlawful surveillance under the Privacy Shield framework.

This means that the EU-US Privacy Shield can no longer be used as a legitimate export mechanism under Article 45 of the EU General Data Protection Regulation (GDPR).

Standard Contractual Clauses (SCCs)

Whilst the SCCs remain a valid transfer mechanism under Article 46 of the GDPR, the CJEU’s decision casts doubt upon practical implementation of SCCs, going forward. Most businesses have simply assumed that the execution of SCCs alone is sufficient to meet the requirements of the GDPR.

However, following the Schrems II judgment, this approach can no longer be taken. Companies, when acting as the data controllers, will be required to conduct a case-by-case assessment which must involve both a consideration of the provision of the SCCs, and whether the country where the data will be imported to, operates to EU standards of data governance.

In practice, this means that companies which are data exporters must ensure that additional safeguards are in place, above and beyond the provisions within SCCs.

The Commission must consider the factors set out in Article 45(2) of the GDPR, including:

• the rule of law in country and human rights;
• whether the public authorities can access the personal data;
• whether the country has any independent supervisory authorities;
• if there are effective data subject rights in place and;
• if there are appropriate rights in place afforded to data subjects from the exported country.

These factors can be met through the data importer agreeing provisions to the SCCs. It is important to note that terms within the SCCs will not overthrow mandatory laws applicable to the country the data will be transferred to. Therefore, businesses may have to consider carefully the factors set out above when making a decision to transfer personal data from the UK to a non-EEA country.

Many businesses across the EU will be looking to their Data Protection Authority (DPA) for guidance as to what is required and how such an assessment should be made.

The UK’s ICO released a statement on 27 July, 2020, advising that companies, “must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.”

The Schrems II judgment makes it clear that supervisory authorities have and will continue to have a very important role to play in the oversight of international transfers, which the ICO are “taking time to consider carefully what this means in practice”.

Businesses will need to ensure compliance

What is now clear, is that businesses will need to ensure compliance with the requirements set out within the SCCs, given that the CJEU now places an explicit obligation to assess the adequacy of the level of protection for transfers.

Where the data importer is unable to comply with their obligations under the SCCs, they must inform the data exporter, who in turn will need to consider whether or not they suspend or terminate the transfer.

If the data exporter does not suspend or terminate the transfer, the data exporter is required to inform the relevant DPA must then undertake an investigation. In practice, this will mean that DPAs will need to familiarise themselves with foreign legal systems in order to investigate such complaints effectively.

Can businesses rely on any other data export mechanism?

Binding Corporate Rules (BCRs) is one of the data transfer mechanisms available under Article 46(1), which enables the transfer of personal data lawfully from the EEA to third countries or international organisations.

BCR’s involve groups of enterprises engaged in a joint activity to transfer personal data.

Before BCRs can be relied upon, they require approval from a DPA, unlike the SCCs, which require only agreement between the parties to the contract.

One of the reasons why BCRs are considered to provide a high standard of protection is that every member of the group must comply with them, and that each is liable for any breach of the BCR.

However, the downfall with BCRs is that they can take a large amount of time to approve. Businesses may seek to rely on exemption provisions.

These are set out in Article 49 GDPR, and should only be relied upon in very limited circumstances (for example, with an international travel booking).

What businesses are recommended to do now

• Businesses in the UK must continue to monitor guidance from the European Data Protection Board and the ICO, in relation to how international transfers can be adequately implemented in practice.
• Create a data flow map, which can demonstrate how data actually flows and upon which data transfer mechanism. It would also be advisable to create a written risk assessment to show there has been consideration into the proposed data transfer.
• The CJEU has ruled that transfers to the US will require a formal assessment because of the surveillance practices in place. Other countries are expected to on the list specifying when an assessment will be required.
• Remove Privacy Shields and put SCCs in place. It is prudent to implement SCCs to ensure that a valid export mechanism is in place. BCRs are a long-term solution, but as discussed above, these can take years to be approved.
• Consider an assessment strategy when using the SCCs as a data transfer mechanism. Further guidance from the ICO and the EDPB will be required, but in the meantime, it will be necessary to review things properly.
• Consider if a derogation will apply, where the individual has given explicit consent to transfer their personal data.
• Where a transaction involving the export of personal data to a non-EEA are in progress, parties may need to consider delaying these, until further guidance has been released by the ICO and EDPB.
• Review the UK’s position following the transition period from the EU in December 2020 / January 2021.

What will happen after Brexit?

The UK transition period comes to an end on 31 December, 2020, and with negotiations between the EU and UK currently in a state of flux, the UK may leave with a ‘no deal’.

Once this transition period ends, the UK will be considered to be a ‘third country outside the EEA’, for the purposes of GDPR.

The UK is hopeful that the EU make a ruling which will enable a free flow of data between the EU and the UK, without businesses and entities having to reply upon any export mechanism.

However, businesses must note that the Schrems II judgment is still binding on the UK during the transitional period and they must, therefore, comply with the obligations set out above, to be able to to transfer data adequately outside the UK and the EU.

Following the transitional period, it will be open to the UK Supreme Court or the UK Government to follow Schrems II, or overrule it, but given the UK’s desire to be listed as an adequate country, it is unlikely they will want to overrule such a landmark decision.

If you wish to discuss any issues raised in this article or concerning your business’s data compliance and policies, please contact Harrison Drury’s regulatory team on 01772 258321.