In July 2020 the Court of Justice of the European Union passed a judgement that is still sending shockwaves through the privacy and data protection industry in the UK, EU and USA. In case you have never heard of Max Schrems and the Schrems II judgement, this is what you need to know and how it will impact your business.
The Schrems Complaint – GDPR, SCC and the EU-US Privacy Shield
Max Schrems is a privacy advocate from Austria. In 2013 he filed a complaint with the Irish Data Protection Commissioner that Facebook Ireland (Facebook’s Europe-based legal entity) was breaching the then active EU-US Safe Harbour rules because: “Mr Schrems’ personal data should not be sent from Facebook Ireland Ltd (serving Facebook users outside of the US and Canada) to Facebook Inc. (the US parent company), given that Facebook has to grant the US National Security Agency access to such data”. That access arises from the US Foreign Intelligence Surveillance Act (FISA), which provides for wholesale access by US security agencies to data on non-USA citizens held by US organisations. In October 2015 Europe’s highest court, the CJEU, ruled in favour of Schrems and the EU-US Safe Harbour was declared invalid.
In November 2015 Facebook changed the basis of their defence, saying the Safe Harbour ruling was immaterial because they in fact relied on EU Standard Contract Clauses to provide the legal basis and safeguards for data transferred out of the EU.
Standard Contract Clauses are a range of legal documents which have been certified by the European Commission as fit for purpose to provide the necessary protections for personal data. In other words, if you need to transfer personal data out of the EU and your contract with the data controller / data processor outside of the EU includes the relevant Standard Contract Clauses – and of course everyone obeys them – then you are compliant. The SCC provide a best practice framework for organisations to follow and prevent everyone from having to re-invent the wheel when drafting contracts relating to data processing.
The legal case before the Irish DPC continued on the basis of the SCC defence, and the DPC took the view that the SCC do not provide a legal mechanism for Facebook Ireland to transfer the data to Facebook USA. This was because Facebook USA would not be able to comply with the EU approved SCC due to the FISA law in the USA requiring them to provide data to third parties in violation of the contractual terms in the SCC.
Facebook did not agree and then invoked the EU-US Privacy Shield agreement, which had since been created between the EU and USA to replace the defunct Safe Harbour rules.
In a new ruling by the CJEU in July 2020 the Privacy Shield was invalidated – it does not exist anymore. The implication is that any business in the EU (and in the pre-Brexit UK) that is transferring personal information to the USA (from website metrics up to customer records being held or processed in cloud CRM systems or databases in the USA) solely on the basis of the Privacy Shield terms is now acting illegally.
You might think that a remedy would be to fall back on the SCC and simply amend your contract with the American data processor to include the EU approved contractual terms. However, this is not possible either as the Schrems II CJEU ruling also declared that SCC on their own were not adequate protection for data transferred to the USA as the national laws in the USA (FISA) overrode the protections offered by the Standard Contract Clauses. The ruling stated that data exporters must confirm that there is an ‘adequate level of protection’ provided by the domestic laws and the SCC in the destination country – and take additional steps to protect the data if this is not the case.
What do we do now?
So as of September 2020 the generally accepted answer to the question ‘how do we legally export data to the USA for processing?’ is: “um, can I come back to you on that?” Or as an advisory paper from the BCS (September 2020) puts it: “Our understanding of the implications of the Schrems 2 judgement is still evolving.” The European Data Protection Board, which consolidates the input of the various member states, has issued guidance to help on this.
There is no period of grace allowed in the EU ruling, which means organisations have to act now – even though there is little clarity on what is the best approach. In theory, organisations that fail to act are exposed to the full might of the GDPR with fines of up to 4% of global turnover possible. However, a statement from the ICO implies a pragmatic approach from the UK regulator.
What is clear is that organisations that had previously relied on the Privacy Shield or SCC terms alone to safeguard exported personal data to nations not on the Adequacy List will have to take additional steps and conduct further due diligence in order to be able to demonstrate compliance with the GDPR – or cease contracts where compliance is not achievable.
The BCS paper provides a list of steps UK firms should take now to prepare their organisation, including:
- Search contracts and agreements with non-EU processors for reliance on ‘Privacy Shield’ or ‘SCC’ terms, prioritise these for review, and put in place additional protections if there are domestic laws hostile to data protection in those countries.
- Consider alternate processing arrangements to avoid moving personal data outside of the EU or to countries not on the Adequacy List (see below).
- Consider system changes to implement encryption or tokenisation of exported personal data so that it is protected or anonymised.
What is Data Protection Adequacy?
The European Commission maintains a list of countries whose domestic privacy and data protection laws provide similar protections to GDPR and as a result no additional measures are needed when exporting data to these countries. These are known as countries with ‘adequate levels of data protection’ or the Adequacy List.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.
Notice that the United Kingdom is not on the list, nor is the United States of America. If the post-Brexit UK is not added to the list by 31st December 2020, then EU firms dealing with UK organisations will have to implement the SCC into their contracts, and possibly other measures, in order to meet their legal obligation to provide an adequate level of data protection which is equivalent to that provided by GDPR.