What is the Schrems 2.0 case about?

The case was begun by Max Schrems as a complaint to the Irish data protection authority, the Data Protection Commission (DPC), about Facebook in Ireland sending his personal data to Facebook’s US parent company making it subject to mass covert US surveillance laws.

The case dealt with whether two of the key mechanisms which legitimise the transfer of personal data to countries outside the EEA offer enough protection given the US surveillance laws:

• Standard Contractual Clauses (SCCs), and
• The Privacy Shield.

Binding corporate rules (BCRs) were confirmed as a key safeguard.

For more information see Schrems 2.0: what you need to do now.

What has happened in the three months since the Schrems 2.0 decision?

On the Privacy Shield:

• The Privacy Shield was invalidated on 16 July 2020 because of US surveillance activities and insufficient data protection rights and remedies for EU/EEA citizens. The Swiss Privacy Shield was also deemed to be inadequate on 8 September 2020
• On 16 July 2020 the US Department of Commerce said that it would continue to administer the Privacy Shield. At the moment, it is not clear what is happening on renewals, although there appear to have been no new applications under framework
• It seems highly unlikely that there will be a replacement for the Privacy Shield in 2020

More generally:

• On 23 July 2020 the European Data Protection Board (EDPB) issued FAQs with general guidance
• The US Department of Commerce has issued a white paper on the protections for personal data in the US. . The frustration of the US authorities within the paper is clear

On SCCs:

• SCCs remain valid, but are risky and need extra work if they are to be used
• It is clear that businesses need to do case-by-case assessments when using SCCs which must, in particular, consider the relevant aspects of the legal system of the relevant non-EEA country or territory to see whether they offer a level of protection essentially equivalent to that guaranteed by the GDPR (including data protection and national security legislation) and may need to implement additional measures in particular cases. Additional clauses might be required to deal with particular risks. We call this SCC+
• The EDPB FAQs reiterate that using SCCs requires an assessment and supplementary measures. If these determine that appropriate safeguards are not ensured, you must stop transferring. If you intend to continue you must notify the relevant data protection authority
• New SCCs are awaited. We are still waiting for the GDPR-compliant SCCs so it is likely that any updated SCCs will be delayed.
• We are also awaiting EDPB guidance. The EDPB hasn’t seen all the documents they need to see to produce such guidance, such as the updated SCCs, so further delay is highly likely
• Certain data protection authorities such as Berlin are taking a robust line on the use of SCCs with the US. Other data protection authorities have provided warnings
• For more information, see Schrems 2.0: what you need to do now.

On BCRs:

• BCRs remain the ‘gold standard’ for data transfers within a global business and externally with customers, provided they address issues relevant to processing locations. For multinationals and medium-to-large businesses BCRs are by far the safest option. The global applicability and structural framework of BCRs are their greatest benefits
• For smaller businesses BCRs are unlikely to be feasible (hybrid data transfer agreements (DTA) are a good alternative)
• In light of our experience, obtaining BCRs in under a year is now possible. There has been a big uptake of BCRs in the past year or so with the process now running again via EDPB.
• There is a process, the law enforcement procedure, which enables the sharing of certain data to the satisfaction of authorities on both sides of the Atlantic, with a new UK-US agreement.

What do you need to think about now?

• Check: do you transfer personal data from the EU/EEA to the US using the Privacy Shield?
• Check your records of processing activities and data maps
• Assess what safeguards are needed, urgently if that was previously the Privacy Shield
• Understand the existing SCC obligations. They require significant vigilance, legal advice, ongoing monitoring and action
• Create additional clauses within your hybrid DTA or GDPR-compliant contract to supplement the SCCs to address specific risks
• Review and update your due diligence processes for new vendors and suppliers especially in the US and risky locations. Shoosmiths’ location questionnaire can be used
• Consider your data protection compliance assessment generally, ensure you’re not just undertaking paper compliance, but you are doing what you say you are. Update risk priorities to adopt and evidence basic principles including accountability, baking in privacy by design and default and considering technical and organisational methods such as minimisation, anonymisation, pseudonomysation and encryption. This will all assist with the justification of processing and transferring. Our compliance plans have always been created with these basic principles in mind and these will be even more important ongoing
• Monitor developments:
  • Watch out for decisions about other countries being deemed unsafe (this is not just a US/ EU issues).
  • Updated SCCs and guidance from the EDPB are expected, but organisations should have realistic expectations that obligations remain on them to take steps by themselves to comply with privacy laws.
  • Brexit consequences need to be considered. Watch out for our Brexit webinar dealing with privacy issues on 5 November.
• Remember: no contract will achieve compliance on its own. Any new SCCs will not get around the need to undertake the work above!

What conclusions can be drawn?

• Consider your options: for multinationals and medium-to-large companies, typical options are:
  • BCRs controller and processor which address processing internally and with customers
  • Hybrid DTA
  • SCC+
• Consider your options: for smaller companies, typical options are:
  • Hybrid DTA
  • SCC+