When the Court of Justice of the European Union invalidated the EU-U.S. Safe Harbor framework in 2015, Bird & Bird Partner and Co-Head of International Data Protection Practice Ruth Boardman said there was a clear path for organizations to take to maintain transborder data flows. Safe Harbor was gone, and it was time to use standard contractual clauses.

Five years later, the CJEU made another landmark decision when it invalidated the EU-U.S. Privacy Shield agreement with its "Schrems II" ruling. The SCCs remained legally valid, but additional safeguards would be needed for them to still be used.

While the sense of shock isn't as striking as it was compared to the initial "Schrems" ruling, Boardman said privacy professionals have faced a far murkier path following the court's determination this past summer.

"Although there are actions in terms of assessing your transfers when you then come and look at the safeguards that might be appropriate, it is harder to implement those. It is also less certain what to do," Boardman said during an IAPP LinkedIn Live event. "If you are looking at contractual safeguards, for example, organizations only to want to negotiate once. They don’t want to do it now and then discover that the standards have changed slightly and then they have to do it again."

The confusion over the lack of guidance in the days after the court struck down Privacy Shield was a concern for privacy professionals. A level of uncertainty was assuaged when the European Data Protection Board published its recommendations for post-"Schrems" data transfers in November. The road ahead may be tenuous for a large number of entities; however, there are steps organizations can take to avoid legal issues down the line.

Boardman recommends organizations look at encryption and pseudonymization as tactics to implement for certain data transfers. For those organizations with a heavier volume of global data flows, it may require a far deeper dive.

"If you are an organization that is very dependent on data transfers, looking at what it would take to alter things has to be the next step, because this is not something that you can change overnight," said Boardman. "Looking at what it might take to actually rearchitect your solutions, looking at the impact on services and looking at whether there are actually alternative service providers for you to move to are all things some of our clients are looking at."

Part of the reexamination will be vetting cloud service providers that act as data processors. Boardman advises organizations to avoid cloud services providers that need to access data in plain text. Providers that need to interact with data in a meaningful way will ultimately need plain text data, but Boardman said finding an infrastructure-as-a-service cloud is one way to comply with the decision. The plain text issue was noteworthy enough for the EDPB to include a section on the topic in its recommendations.

"One of the points the EDPB mentioned in its recommendations is that when an organization needs access to the data in plain text, it is very difficult to have effective safeguards," Boardman said. "If there is an ability for national security agencies or law enforcement agencies to access that data and the organization has the data in plain text, it is very difficult to preclude that."

The "Schrems II" case may have focused primarily on U.S. surveillance laws, but it doesn't mean everyone else should bury their heads in the sand. Boardman said any entity importing or exporting data to a country where law enforcement has the ability to access exported European data must adhere to the ruling. The EDPB notes it is not just the initial data transfer that needs attention, but also every single transfer afterward. It is also why vetting cloud service providers is such a vital practice.

"You might transfer data to a parent organization for administrative purposes and that parent organization might not be subject to these particular laws. However, if that parent organization uses a service provider, who in turn uses another service provider, who in turn ends up using a cloud service provider then the decision is relevant to you," Boardman said. "Almost all processing of data, at some stage, ends up with a cloud service provider and therefore the decision is almost universally relevant."

European privacy teams have plenty of experience handling such turbulence after the first "Schrems" decision and the implementation of the EU General Data Protection Regulation. The EU may have a longer track record, but that doesn't mean the U.S. hasn't made strides of its own. Wilson Sonsini Goodrich & Rosati Of Counsel Laura De Boel said U.S.-based privacy teams have handled the new "Schrems" ruling far better than it did back in 2015. De Boel said this is evident by recent white papers and other materials that address concerns about future data transfers.

Privacy teams in the U.S. seem to be in a better place compared to 2015. The same cannot be said for U.S. surveillance laws, at least when considering a potential Privacy Shield replacement. De Boel said the U.S. Department of Commerce's commitment to Privacy Shield should be viewed as a positive political sign. Despite the aforementioned willingness, it does not look as though a new Privacy Shield will be a top priority for U.S. President-elect Joe Biden's administration, as European Data Protection Supervisor Wojciech Wiewiórowski recently alluded to when he said a new agreement would not be reached any time soon. 

Another problem may be the legislative chasm between the EU and U.S. Due to the gap between U.S. surveillance laws and the standards in the EU, De Boel finds it hard to imagine an agreement standing up to another legal challenge.

"There’s a lot of work that would need to be done to bring those (surveillance) laws to the EU standard," De Boel said. "Then, you could maybe see something happening in the political negotiation. There could be some political agreement between the EU and U.S., but then that political agreement would need to stand the test of a very principal-based court in the EU. It’s difficult to see how they would stand that test."

While the future of a Privacy Shield successor may be in doubt, SCCs will see a new iteration thanks to the European Commission's draft implementation decision that came out last month. Boardman said the new SCCs will help lay out the obligations organizations must meet based on the text of the "Schrems II" ruling and the EDPB's recommendations.

Boardman did offer one warning: The final SCCs will likely not be a one-to-one match of what is currently in the draft decision. If an organization can wait until the final SCCs are unveiled, they are going to be in good shape. For those data transfers that relied on Privacy Shield, Boardman said the current SCCs must be used even though they will be reworked once again in short order.

Until then, privacy professionals will have to wait for the day when the revised SCCs come to town. Boardman said the European Commission is working to finalize the SCCs as soon as possible, possibly by the end of this year or early 2021.

Boardman admits this is an optimistic timeline, and De Boel shared a similar sentiment. Since the EDPB and EDPS will have to issue their own opinions on the commission's draft, De Boel said it is highly unlikely the revamped SCCs will be ready by the conclusion of 2020.

Regardless of when they come, the reworked clauses represent a paradigm shift in transborder data flow, and it will be imperative for organizations in the EU, U.S. and around the world to take notice.

"You can’t go back to the situation before 'Schrems II' where you sign SCCs, whether they are the old ones or the new ones, and not think about the broader context of the data flows," De Boel said. "The additional due diligence that is required by the 'Schrems II' decision is still going to be necessary for these new SCCs."

Photo by Giulia May on Unsplash