Schrems 2.0: what you need to do now

What is the Schrems 2.0 case about?

The case was begun by Max Schrems as a complaint to the Irish Data Protection Authority about Facebook in Ireland sending his personal data to the US parent company making it subject to mass covert US surveillance laws. A reference was made to the CJEU, the European Court about whether two of the key mechanisms which legitimise the transfer of personal data to countries outside the EEA offer enough protection given the US surveillance laws:

• Standard Contractual Clauses (SCCs) (EU approved contractual clauses that set standards for transfers that if used properly can safeguard the data processing), and
• The Privacy Shield (a quasi-adequacy framework agreed between the EU and US).

Binding corporate rules (BCRs) were confirmed as a key safeguard. Facebook were not using them in this case.

What has happened?

• The Privacy Shield has been invalidated with immediate effect (ie, from 16 July 2020) because of U.S. surveillance activities and insufficient data protection rights and remedies for EU/EEA citizens
• SCCs remain valid, but are risky and practically unworkable in many cases and need extra work if they are to be used
• BCRs remain the gold standard for data transfers if they consider particular locations and their risks
• The European Commission, European Data Protection Board, Irish Data Protection Commission and U.S. Department of Commerce are working through the repercussions of the judgment. Updated SCCs are expected.

What are the risks with SCCs?

• SCCs are typically used for countries and territories where there are no adequacy findings. They have been often misused and misunderstood. They have been used as a paper exercise, but the terms include obligations that reflect the GDPR requirements to protect data transfers that must be actioned, enforced and followed on a case by case basis.
• Many businesses will be looking at how they use SCCs internally (eg, between group companies) and externally (with customers and other stakeholders)
• As for EU/EEA to US transfers using SCCs, in view of the US surveillance laws which may make it impossible for the SCC terms alone to protect data transfers, the Irish DPA said on 16 July 2020: ‘it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable’
• Businesses need to do assessments when using SCCs which must, in particular, consider the relevant aspects of the legal system of the relevant non-EEA country or territory to see whether they offer a level of protection essentially equivalent to that guaranteed by the GDPR (including data protection and national security legislation) and may need to implement additional measures in particular cases. We call this SCC+
• Where businesses can’t guarantee the required level of protection, they must suspend the transfer or terminate the contract (or the data protection authority must enforce this)
• Expect data protection authorities, stakeholders and customers to take a keener interest in them
• Ongoing monitoring is essential for SCCs. This isn’t easy and is likely to be time-consuming
• There are many challenges with this, including: could any country without an adequacy decision be a risk?; lack of knowledge from businesses on secret/ unknown surveillance regimes; how do businesses assess countries?; what if DPAs come to different conclusions on any assessments?; sending personal data to countries with strong surveillance regimes such as China or Russia; and practical aspects of compliance and costs of doing so.

Has anything happened to BCRs?

• The good news is that nothing has happened to BCRs which remain the ‘gold standard’ for data transfers within a global business and externally with customers provided they address issues relevant to processing locations
• For multinationals and medium-to-large businesses BCRs are by far the safest option
• For smaller businesses BCRs are unlikely to be feasible (hybrid DTAs are a good alternative)
• In light of our experience, obtaining BCRs in under a year is now possible.

How does Brexit impact on this?

• U.S. surveillance activities show that EU/EEA citizens must have actionable rights. The EU has placed fundamental rights at the heart of trading relationships. Query whether the likelihood of a post-Brexit UK adequacy decision has diminished?
• If SCCs are potentially unlawful for EU/EEA to U.S. transfers, query whether they will be equally as tricky for EU/ EEA to UK transfers after 31 December 2020?
• Don’t forget the need to appoint EU and UK representatives, where necessary, after 31 December 2020.

What conclusions can be drawn?

• There is a lot for business to think about and do. In particular,
• Understand your data flows and locations involved
• Ensure you’re not just undertaking paper compliance but you are doing what you say you are
• Watch out for decisions about other countries being deemed unsafe
• Undertake effective due diligence with commercial partners
• Consider your options: for multinationals and medium-to-large companies, typical options are:
  • BCRs controller and processor which address processing internally and with customers
  • Hybrid DTA
  • SCC+
• Consider your options: for smaller companies, typical options are:
  • Hybrid DTA
  • SCC+