This is the last in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.
It's difficult to believe that it has only been a short time since the Court of Justice of the European Union invalidated the European Commission adequacy finding for the EU-U.S. Privacy Shield on July 16, 2020. So much has changed.
In this final note in the series, we provide seven predictions for the road ahead with "Schrems II" and global data transfers. Some of these may be more controversial than others, but here goes:
1. More Privacy Shield companies will implement alternatives. The CJEU opinion is complex, but one unmistakable point is that "Schrems II" invalidated the European Commission finding that Privacy Shield provides adequate protection for personal data transfers under the EU General Data Protection Regulation. As such, Privacy Shield companies will need to implement alternative solutions. SCCs will be a logical option to consider where the U.S. company receives personal data from EU companies, using the C2P SCCs if the U.S. company is a processor or the C2C SCCs if the U.S. company is a controller. Fortunately, the CJEU confirmed the validity of the C2P SCCs, so this should be a viable alternative, although subject to conditions (discussed below). For online consumer companies dealing directly with EU consumers, another alternative will be to look to the derogations for specific situations under Article 49 of the GDPR, such as where the transfer is necessary to perform a contract with the data subject or the like.
2. An updated version of Privacy Shield will likely not emerge until after the U.S. elections in November. When the adequacy decision for the EU-U.S. Safe Harbor (the predecessor to Privacy Shield) was invalidated by the CJEU in 2015, the U.S. Department of Commerce and European Commission had already been negotiating for an updated trans-Atlantic program for many months. With "Schrems II," although the Commerce Department and EC have indicated that lines of communication are open, the discussions are not nearly as advanced. Moreover, although it will require further evaluation, it may be that the issues cited by the CJEU in "Schrems II" may require some form of legislative and not merely administrative action to address. As such, the process to update Privacy Shield is unlikely to be concluded in the next few months before the U.S. elections in November, particularly during the time of the pandemic and the associated economic challenges. Companies, therefore, must anticipate that the alternatives they implement will need to remain in place for the short to medium term.
3. No formal grace period for implementing "Schrems II" will be provided, but large-scale enforcement should be unlikely in the short term. The European Data Protection Board has indicated in its July 23, 2020, FAQ document that it will not be providing a grace period for companies to continue to rely on Privacy Shield (as the authorities had done for Safe Harbor following "Schrems I"). In practice, however, it would seem unlikely for there to be widespread enforcement actions solely on the basis that the companies were continuing to rely on Privacy Shield while implementing other solutions. Such an approach would be inconsistent with how data protection authorities have approached enforcement in the past, primarily seeking to help companies comply, rather than sanction them in enforcement actions. There can always be exceptions, particularly if a data protection authority feels pressed in a particular case, and DPAs have certain duties to investigate claims, but large-scale enforcement in the short term in this context seems unlikely (not to mention unfair).
4. Many Privacy Shield companies will continue to participate in the program for some time, even though the adequacy decision has been invalidated for the EU. Despite the CJEU ruling, there still can be some legal benefits to participation in Privacy Shield, including that the EU-Swiss Privacy Shield decision has not been invalidated, and certain authorities — most notably, the U.K. Information Commissioner's Office — may still recognize Privacy Shield's practical commercial privacy protections. The Privacy Shield program is still fully functioning, and noncompliance with Privacy Shield promises is still subject to enforcement by the U.S. Federal Trade Commission. Privacy Shield also requires 90 days of advance notice to the Commerce Department and other conditions to withdraw, so it's not as easy as simply deleting the Privacy Shield promises in the company's external-facing privacy statement. Moreover, depending on the business context, Privacy Shield companies may have customer agreements that require Privacy Shield participation until an alternative solution, such as the execution of SCCs with appropriate conditions, is in place. Some companies may also consider that they have built an entire program around Privacy Shield. These companies may wish to remain in the program in anticipation that the Commerce Department and EC will eventually be brought back to the negotiating table to work out a creative solution for many of the same reasons (protection of personal data and certainty for trans-Atlantic commerce) that brought them together more than two decades ago for Safe Harbor and more recently for Privacy Shield.
5. More companies will pursue BCRs, but this approach will not scale to the level of use of SCCs. The EDPB has indicated that companies relying on BCRs must undergo the same type of assessment of the laws and practices of the recipient countries as companies that rely on SCCs. In practice, BCRs may still be viewed as being safer than other approaches because the data protection authorities themselves would have participated directly in the approval of the BCRs and may be unlikely to take such companies to task as being a test case. Ultimately, however, BCRs will be unlikely to scale in the volume of participants until the authorities move beyond time-intensive case-by-case approvals and instead follow a more innovative approach, such as where (similar to SCCs) a "model" BCR or perhaps a code of conduct is available that will be deemed to provide adequate protection for personal data transfers if adopted without modification.
6. When doing the assessment of government law and policy in recipient countries, companies will tend to focus their analysis on their own industry vertical and actual practices (case-by-case analysis). One of the more challenging aspects of "Schrems II" is the obligation it imposes on companies to assess whether the level of protection in the recipient country, in particular with respect to government access for national security purposes, is essentially equivalent to the level guaranteed by the GDPR. As summarized by the EDPB in its FAQ, the Privacy Shield adequacy decision was invalidated because the CJEU "considered the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities."
Now, companies need to do this type of assessment when using other data transfer vehicles under Article 46 of the GDPR (e.g., SCCs, BCRs). This can be a significant challenge for a company sending data to multiple jurisdictions globally. How does a company assess the national security law and practice of each of these recipient jurisdictions? And, what recipient country's law and practice would realistically survive a strict reading of the CJEU's opinion? For example, what country allows foreign nationals to enter local courts and challenge the practices of the country's intelligence services? In practice, and perhaps as a first step until some guidance is forthcoming from the EDPB, EC or other authorities, companies will tend to focus their due diligence analysis on their own industry vertical and their own experience with national security demands (case-by-case analysis). They may also be looking to confirm or perhaps update their contract terms with third-party vendors on these points, including subcontractors, covering to some degree the legal position under recipient country laws, as well as any available information about actual practices impacting data about the company's industry sector or the like.
In addition, the company may seek assurances that the vendors have policies and practices on government demands that seek to minimize disclosures and provide transparency to customers. And, taking these threads together, companies may wish to document these types of reviews in order to demonstrate later, if ever needed, that they have done a suitable assessment of these issues.
7. Commercial cross-border data transfers will become more difficult in the next three to five years. "Schrems II" is, unfortunately, just one example of a broader trend within the global privacy and regulatory environment that is making it more difficult to transfer data across borders. Russian data localization has been with us for several years but is being enforced more strictly. China is implementing its Cybersecurity Law to exert more scrutiny on outbound data transfers and require data localization in some cases. India is considering legislation that would require data localization in some cases. Brazil and other jurisdictions are adopting GDPR-like data protection requirements with cross-border transfer restrictions. Given that the landscape is changing and developing rapidly, companies considering long-term investments in information technology and cloud applications will need to evaluate how to build in geo-flexibility as a hedge against data localization and privacy risk. It goes without saying that this broad privacy and regulatory trend cuts directly against how data collection, use and transfer are becoming increasingly important to business in the digital age. As such, the road ahead will be quite interesting and challenging for privacy professionals.