This week, the Court of Justice of the European Union will hear the Schrems II case. The case focuses on Facebook’s transfer of personal data to the U.S. using standard contractual clauses and whether those EU-approved commercial contracts meet European legal standards for government access to data. As the primary legal mechanism underpinning companies’ global data transfers, there is a lot at stake. Privacy professionals around the world are asking what happens if SCCs are deemed insufficient. One issue that merits greater discussion is whether a transfer mechanism is needed in the first place when a company receiving personal data is itself subject to the EU General Data Protection Regulation.
The EU’s 1995 Data Protection Directive originally set forth various data transfer mechanisms to prevent companies from circumventing EU data protections when moving personal data outside the EU. The territorial scope of the 1995 law corresponded directly with the physical territory of the EU itself. The directive applied only to entities established in or making use of equipment in the EU.
The adoption of the GDPR in 2016 greatly expanded the jurisdictional reach of the EU data protection regime. The GDPR applies to entities established in the EU or those outside of the EU offering goods or services to data subjects in the EU or monitoring their behavior. To make this scope enforceable, the GDPR requires non-EU entities subject to the law to appoint a representative in the EU. When data are transferred to a processor (inside or outside the EU), the GDPR obliges the controller of that data to implement safeguards to ensure the processing meets the requirements of the GDPR. The expanded territorial scope of the GDPR was one of its most impactful features. Companies around the world have spent billions of dollars complying with its requirements and providing new rights to EU data subjects.
While significantly extending the reach of EU data protections, the GDPR largely maintained existing mechanisms to transfer personal data. The text of the law, however, does not indicate whether these mechanisms should be used when data is transferred outside EU territory or outside the territorial scope of the law. As a result, many, if not most, companies have applied transfer mechanisms just as they did under the directive.
European Commission officials have suggested that data transfer mechanisms are only necessary when transfers are made for processing operations to which the GDPR does not apply. This stands to reason. If a data transfer mechanism were needed to send data to a non-EU-based recipient when the GDPR already applies, it would seem to call into question the law’s extraterritorial application. It would also make it less clear whether that transfer mechanism, which might offer substantially similar but not identical protections, or the GDPR itself governs in case of a dispute. The European Data Protection Board has not yet weighed in on the issue, deferring its planned guidance on the topic to a later date.
While the premise of Schrems II is that the protections afforded by SCCs might be insufficient, it is worth considering if a further question should be asked: Was a data transfer mechanism needed in the case at hand? The CJEU could address the threshold issue: Is a data transfer mechanism ever necessary if the entity receiving the data is already bound by GDPR requirements?
The CJEU has discretion to answer the questions of its choosing. It already has some critically important ones before it. Ultimately, which questions the court considers are just as consequential for global data flows as the answers it provides.
Photo by Bill Oxford on Unsplash