Editor’s note: This is the second in a series of guidance notes on what the "Schrems II" decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what "Schrems II" means for Brexit and what companies can expect with the road ahead on these issues.
The Court of Justice of the European Union’s “Schrems II” decision confirms that the controller-to-processor standard contractual clauses (C2P SCCs) remain a viable mechanism for transfers of personal data from the EU to third countries, but it identifies further conditions that must be considered when implementing them in order to satisfy the requirement that such transfers receive "adequate protection."
The CJEU put the onus on data exporters to determine whether their implementation of the C2P SCCs provides sufficient protection in light of any access by public authorities in the third country to the personal data transferred and the relevant aspects of that country's legal system. It further notes that individual member state data protection authorities are empowered to evaluate whether the C2P SCCs adopted in any given case are adequate, and that those authorities must suspend or prohibit data transfers whenever the factual conditions render the C2P SCCs an ineffective mechanism for protecting the personal data transferred.
New obligations for data exporters and importers
The precise contours of what is required after the “Schrems II” decision are not sharply defined, but the decision indicates that there are actions an exporter should generally undertake in order to rely on the C2P SCCs in each case. In particular, data exporters implementing C2P SCCs should, on a case-by-case basis:
- Carefully read the C2P SCCs and work with the importer to ensure that they are able to address all of the provisions of those clauses.
- Carry out due diligence of the legal system in the third country to which it is exporting the personal data to verify the rules for disclosure to and access by government agencies (noting that the mere existence of laws that provide for disclosure to or access by government agencies would not, in and of itself, cause the C2P SCCs to be insufficient, as long as those laws comply with the necessity principle as described by the CJEU).
- Carry out due diligence with the importer to determine whether the importer is bound by these laws and how likely it is that the importer will be required to disclose the exporter's personal data to the authorities in that third country, taking into account, for example, the industry involved, the categories and volume of personal data transferred, the purposes of the importer's processing, the duration of data retention in the third country, any past practice of such disclosures, and the like.
- Carry out due diligence on the importer to verify that the importer (1) has a procedure or practice to notify the data exporter, to the extent permitted by law, if a government demand extends to the exporter's data; (2) will provide an opportunity to resist production; and (3) will comply with its obligation to notify the exporter that it can no longer comply with the requirements of the C2P SCCs and cease processing the personal data in the event of any government demand that would not allow it in practice to comply with the C2P SCCs.
- Confirm, on the basis of the due diligence carried out, that the C2P SCCs, in conjunction with any other applicable contractual terms for the relationship, are sufficient to address any issues raised as to the protection of personal data in the third country in that context or whether the circumstances require more specific terms.
- Document such due diligence and the rationale for concluding that protection is adequate, so that it has on file something akin to a data protection impact assessment for each set of transfers in case its position is ever challenged.
Practical implications of ‘Schrems II’ for exporters and importers using C2P SCCs
Establishing clear policies and procedures to address these new requirements for reliance on C2P SCCs will be key for organizations seeking to operationalize the compliance obligations imposed by “Schrems II.” Clear and effective communication channels between exporters and importers will be vital, particularly as exporters monitor for any change that may affect compliance with the C2P SCCs and the exporter’s instructions, including changes in national legislation or requests from government authorities in the importer's jurisdiction. To that end, the requirements implicit in the “Schrems II” decision further emphasize the need for exporters to engage in substantive monitoring of their data processors and of the location of processing activities, including the use of subprocessors (although processors may be able to supply the exporter with the information needed for diligence on any subprocessors used). They also reinforce the need for organizations to stay up to date on data protection law developments globally.
In addition, service providers with EU customers may wish to take proactive steps to help their customers address these issues. Tackling them now in a systematic and scalable manner is likely to greatly increase the efficiency and operational capability of service providers in meeting the new demands of their EU customers.
Can organizations rely on C2P SCCs to transfer personal data to the US?
A question many are asking is whether the current C2P SCCs, potentially supplemented by additional safeguards, may be relied upon to transfer personal data to service providers in the U.S., given that the “Schrems II” decision found that U.S. law does not ensure a level of protection essentially equivalent to that guaranteed in the EU. Indeed, some DPAs in the EU (e.g., the Berlin Commissioner for Data Protection and Freedom of Information) have already suggested in response to the ruling that personal data should no longer be transferred to the U.S., and such authorities are empowered under the EU General Data Protection Regulation and “Schrems II” to suspend or prohibit such transfers.
For now, we anticipate that the C2P SCCs, duly assessed in accordance with the requirements of the CJEU’s ruling, should arguably address the risks of transfers to service providers in the U.S. in many cases. However, organizations should undertake a review of all such transfers as part of the response to “Schrems II” and keep a close eye on statements from the DPAs in their jurisdictions regarding the viability of the C2P SCCs for transfers to the U.S.
We note that the European Commission has stated that a modernized version of the C2P SCCs will soon be released. As the precise timing of those new terms is currently unknown, most organizations would be well served by undertaking and documenting assessments of each set of transfers for which they rely on the C2P SCCs to provide adequate protection for transfers to third countries, in order to address the requirements of the “Schrems II” ruling, rather than waiting for the European Commission to issue the new terms.
In terms of fines, a breach of the data transfer rules triggers the higher penalty tier provided by the GDPR (20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher), so companies should be prepared to face challenges and be able to provide evidence that they took appropriate steps in response to the judgment.