Fortunately, the CJEU did not invalidate the European Commission's standard contractual clauses for transfers to data processors. However, the rationale behind the court’s ruling on Privacy Shield (which focused on concerns about U.S. law and practice on government surveillance) would suggest that companies will need to evaluate their use of SCCs. In particular, companies will need to evaluate whether the SCCs provide sufficient protection in light of any access by the public authorities of the third country to the personal data transferred and the relevant aspects of the legal system of such third country.

Historically, when the CJEU invalidated the EU-U.S. Safe Harbor (the predecessor to Privacy Shield) in 2015, the EU data protection authorities collectively advised that they would observe a grace period on enforcement so that companies would have an opportunity to respond. As of the date of this writing, we haven't received such welcome guidance from the European Data Protection Board, although individual DPAs, such as the U.K. Information Commissioner, have indicated that if companies are using Privacy Shield, they should continue to do so. Moreover, it is not clear what the timeline would be for the European Commission and U.S. government to remediate the infirmities in the Privacy Shield as found by the CJEU, although public statements from both sides suggest that they are in communication on these issues.

So, what now? For U.S. organizations participating in Privacy Shield, next steps can include the following.

Understand what personal data is covered

The first step is to understand what personal data transfers have been covered under the organization's self-certification to Privacy Shield. Privacy Shield organizations can be data controllers with respect to personal data about internal human resources data (e.g., employees, job applicants, contractors and others of EU subsidiaries or operations), as well as customers (e.g., corporate customer contacts, individual consumers, patients or the like) and other third parties (e.g., contacts for distributors, business partners, suppliers and the like). Privacy Shield organizations also can be data processors that act as vendors to process data related to the consumers, patients and end-users of the organization's corporate customers. 

Develop a plan for each category of data transfer

The organization should develop a plan for how it will address each big picture category of data transfer under Privacy Shield. There is no one-size-fits-all plan, but having a plan will help the organization focus its efforts and also in the event the organization needs to have a discussion with DPAs, customers, business partners, company data protection officers, works councils or others.

Evaluate whether implementation of SCCs can help

Where the organization participates in Privacy Shield as a controller, implementation of the SCCs for such controller to controller data transfers can help strengthen the position that the transfers are permissible. Given the reasoning of the CJEU in "Schrems II," the organization will still need to undertake due diligence to evaluate and document the risks associated with the transfers, but the organization would be in a better position from a GDPR perspective because the SCCs are still a valid tool for data transfers. Where the organization acts as a data processor on behalf of customers in the EU, the organization should consider preparing and presenting to customers updated terms that include the SCCs for controller-to-processor transfers. The organization should also be prepared to answer due diligence questions from customers regarding disclosures to public authorities and related issues raised in the CJEU opinion. It will be important to have a clear understanding of whether, in practice, the organization has needed to respond to such intelligence gathering by public authorities in the past, as well as what it's policies and practices are for responding going forward.

Evaluate whether derogations or other legal justifications can help

Depending on the context, some organizations may be able to adopt other strategies. For example, if the organization engages in direct to consumer online transactions, it might be able to narrow the data collections to that which is necessary to perform the transaction with the consumers. Such an approach might require the company to trim out data collections that are unnecessary (e.g., to disable advertising cookies for EU IP addresses) but could be a logical way to proceed.

Remember Privacy Shield obligations still apply

Even though the legal value of Privacy Shield participation has been invalidated from a GDPR perspective, the U.S. obligations to adhere to Privacy Shield promises still apply. If an organization were to decide to disregard its Privacy Shield commitments, it could still be subject to action by the U.S. Federal Trade Commission. The organization might also have obligations in agreements with customers or others to adhere to the Privacy Shield, and those commitments may not be terminated merely because of the CJEU ruling. As such, organizations need to be mindful to continue to adhere to Privacy Shield obligations even in this interim period following "Schrems II."

Continue monitoring developments

The interpretation and application of "Schrems II" is rapidly changing and developing. We are expecting more guidance from authorities and other developments in the coming days and weeks. Privacy professionals should stay closely aligned with these developments and adjust their plans accordingly. 

At the end of the day, no one realistically expects that EU DPAs will immediately launch investigations against thousands of companies that have built and deployed strong privacy programs in reliance on Privacy Shield. Such an approach would be counter to how the EU DPAs have approached their responsibilities over many years. What is to be expected, however, is that organizations participating in Privacy Shield should have a plan for how they are going to address the issues, start implementing that plan as soon as reasonably possible, and be ready to discuss with authorities, business partners, customers and others as needed.

In the coming days, we will issue a series of guidance notes on what to do in the wake of "Schrems II," including on what "Schrems II" means for companies that rely on Privacy Shield, C2P SCCs, C2C SCCs, derogations, binding corporate rules and what it means for Brexit. 

The CJEU put the onus on data exporters to determine whether the exporter's implementation of the C2P SCCs provides sufficient protection in light of any access by the public authorities in the third country to the personal data transferred and the relevant aspects of the legal system of such third country. It further notes that individual member state data protection authorities are empowered to evaluate the adequacy of the C2P SCCs adopted in any case and that those authorities should suspend or ban data transfers whenever the factual conditions render the C2P SCCs an ineffective mechanism to ensure the protection of the personal data transferred.

New obligations for data exporters and importers

The precise contours of what is required after the “Schrems II” decision is not sharply defined, but the decision indicates that there are actions that are generally advisable for the exporter to undertake in order to rely on the C2P SCCs in each case. In particular, data exporters implementing C2P SCCs should, on a case-by-case basis:

• Carefully read the C2P SCCs and work with the importer to ensure that they are able to address all of the provisions of those clauses.
• Carry out due diligence of the legal system in the third country to which it is exporting the personal data to verify the rules for disclosure to and access by government agencies (noting that the mere existence of laws that provide for disclosure to or access by government agencies would not, in and of itself, cause the C2P SCCs to be insufficient, as long as those laws comply with the necessity principle as described by the CJEU).
• Carry out due diligence with the importer to determine whether the importer is bound by these laws, including the likelihood that the importer will be disclosing personal data of the exporter to the authorities in that third country, which could take into account, for example, the industry involved, categories and volume of personal data transferred, purposes of the processing by the importer, duration of data retention in the third country, any past practices of such disclosures, and the like.
• Carry out due diligence on the importer to verify that the importer (1) has a procedure or practice to notify the data exporter, to the extent permitted by law, if a government demand extends to the exporter's data; (2) will provide an opportunity to resist production; and (3) will comply with its obligation to notify the exporter that it can no longer comply with the requirements of the C2P SCCs and cease processing the personal data in the event of any government demand that would not allow it in practice to comply with the C2P SCCs.
• Confirm, on the basis of the due diligence carried out, that the C2P SCCs, in conjunction with any other applicable contractual terms for the relationship, are sufficient to address any issues raised as to the protection of personal data in the third country in that context or whether the circumstances require more specific terms.
• Document such due diligence and the rationale for determining adequacy to have in its files something akin to a data protection impact assessment for each set of transfers in case its position is ever challenged.

Practical implications of ‘Schrems II’ for exporters and importers using C2P SCCs

Establishing clear policies and procedures to address these new requirements for reliance on C2P SCCs will be key for organizations to operationalize these new compliance obligations imposed by “Schrems II.” Clear and effective communication channels between exporters and importers will be vital, particularly as exporters seek to monitor any change that may affect compliance with the C2P SCCs and the exporter’s instructions, including changes in national legislation and/or requests from government authorities in the importer's jurisdiction. To that end, the requirements implicit in the “Schrems II” decision further emphasize the need for exporters to engage in substantive monitoring of their data processors and the location of processing activities, including as they relate to the use of subprocessors (although processors may be able to provide the exporter with the requisite information for diligence related to any subprocessors used), as well as reinforce the need for organizations to stay up to date on data protection law developments globally.

In addition, service providers with EU customers may wish to take proactive steps to help their customers address these issues. In particular, taking such steps now to address these in a systematic and scalable manner will likely greatly increase the efficiency and operational capability of service providers to meet the new demands of their EU customers in this regard.

Can organizations rely on C2P SCCs to transfer personal data to the US?

A question many are wondering about is whether the current C2P SCCs, with the potential adoption of additional safeguards, may be relied upon to transfer personal data to service providers in the U.S., as the “Schrems II” decision stated that the U.S. provides inadequate protection. Indeed, some DPAs in the EU (e.g., the Berlin Commissioner for Data Protection and Freedom of Information) have already suggested in response to the “Schrems II” ruling that personal data should no longer be transferred to the U.S., and such authorities are empowered under the EU General Data Protection Regulation and “Schrems II” to suspend or prohibit such transfers.

For now, we anticipate that the C2P SCCs, duly assessed in accordance with the requirements of the CJEU’s ruling, should arguably address the risks of transfers to service providers in the U.S. in many cases. However, organizations should undertake a review of all such transfers as part of the response to “Schrems II” and keep a close eye on statements from the DPAs in their jurisdictions regarding the viability of the C2P SCCs for transfers to the U.S.

We note that the European Commission has stated that a modernized version of the C2P SCCs will soon be released. As the precise timing of those new terms is currently unknown, most organizations would be well-served by undertaking and documenting assessments of each set transfers for which it relies on the C2P SCCs to provide adequate protection for transfers to third countries to address the requirements of the “Schrems II” ruling, rather than waiting on the issuance of new terms from the European Commission.

In terms of fines, breach of data transfer rules triggers the higher penalty level provided by the GDPR (20 million euros or 4% of the global annual turnover of the preceding year, whichever is higher), so companies should be prepared to face challenges and able to provide evidence that they took appropriate steps in response to the judgment.

The key question at this stage is whether the U.K. will be successful in securing an adequacy finding from the European Commission by that date or whether it will be considered a "third country" for which data transfers will need to be legitimized by appropriate safeguards, as is the case for other third countries with no finding of adequacy. In addition, the post-Brexit U.K. will be a separate legal regime from that of the EU, which companies will need to consider separately from the EU data transfer rules. 

In light of the ongoing uncertainty, set out below are the important initial steps that companies transferring data to and from the U.K. should consider at this stage. 

Keep in mind the implications for UK adequacy

Organizations will need to be mindful that the decision and its heavy focus on government surveillance may have implications for U.K. adequacy. While the adequacy assessment for the U.K. is currently underway, a U.K. adequacy finding is by no means a given. Given that the EU-U.S. Privacy Shield appears to have been invalidated primarily because of concerns about U.S. law and practice on government surveillance, similar arguments could be made in relation to the U.K. adequacy assessment. This is particularly so in view of the broad powers of the U.K. authorities to intercept communications and require access to data under the Investigatory Powers Act 2016. Companies should, therefore, start to prepare for the possibility that the U.K. may not be successful in securing an adequacy finding and begin to consider alternative mechanisms to legitimize transfers to the U.K. from the European Economic Area as discussed in more detail below.

Transfers from the EEA to the UK

Without an adequacy decision for the U.K., organizations transferring personal data from the EEA to the U.K. will need to put in place a data transfer mechanism to legitimize the transfer to the U.K. or identify another means to justify the transfer.

Given that the CJEU has upheld the validity of the EU SCCs in "Schrems II," the good news is that the SCCs remain an option for transfers from the EEA to the U.K.

That said, the judgment clearly places a burden on data exporters relying on SCCs to carry out case-by-case assessments of the extent to which data will be protected in the destination country, including in the U.K., particularly with regard to the legal regime in that country and access to that data by the national public authorities.

In addition, companies should be mindful that any SCCs could be vulnerable to regulatory scrutiny from European data protection authorities if in practice it would be impossible for a U.K.-based data importer to comply with the SCCs. Again, given the emphasis which "Schrems II" places on the U.S. authorities' powers of surveillance and access to data, similar arguments could well come up in relation to the powers of the U.K. authorities in this respect and in particular the IPA 2016. 

As such, given the increased uncertainty that now surrounds reliance on the SCCs, companies transferring data from the EEA to the U.K. should also begin to consider any alternative mechanisms that might be relied on in their stead (such as binding corporate rules or Article 49 derogations).

Transfers from the UK to the EEA

For transfers of personal data from the U.K. to the EEA, the U.K. government has indicated its intention to ensure that personal data can continue to flow freely from the U.K. to the EEA following the transition period and intends to recognize the EEA and jurisdictions subject to an adequacy decision by the European Commission as “adequate” for the purposes of U.K. data protection law. This will allow personal data to continue being transferred from the U.K. to the EEA without needing to put SCCs or other safeguards in place (in contrast to the position for EEA-U.K. transfers). Assuming the position of the U.K. government on this point does not change, "Schrems II" does not change this position. 

Transfers from the UK to the US and other third countries

The U.K. Information Commissioner's Office has stated that for the time being, companies currently relying on Privacy Shield to transfer personal data to the U.S. can continue to do so, although organizations not already relying on it should not start to do so now. 

In the short term, this statement will be reassuring for U.K.-based data exporters and suggests there may be little immediate risk of enforcement action from the ICO for continued reliance on Privacy Shield. The ICO has also indicated, however, that it is reviewing its current guidance on SCCs and Privacy Shield in light of the decision, and so the ICO's position could well change in the near future. Organizations should, therefore, watch for updated guidance from the ICO in the coming weeks.  

Longer term, the position in relation to U.K.-U.S. data transfers is much less clear.

Prior to the decision, the U.K. government was making preparations to allow data transfers to the U.S. under a modified Privacy Shield arrangement after the end of the Brexit transition period, but it remains to be seen whether the U.K. will now change its approach in light of the decision. Therefore, organizations should begin preparing for the possibility that a U.K.-U.S. Privacy Shield (or something like it) will not be an option for U.K.-U.S. transfers after the end of the transition period and that they may need to rely on alternative mechanisms to legitimize these transfers. Moreover, even if the U.K. were to continue down this path, companies would still need to consider whether it is feasible to participate in Privacy Shield for U.K. to U.S. transfers and a different transfer mechanism for transfers from the EEA.

Companies should also be aware that the decision will have implications for data transfers from the U.K. to third countries other than the U.S. Because the decision is still binding on the U.K. courts, data exporters relying on the SCCs will need to make the same assessment as companies transferring data from the EEA in respect of the data importer's practical ability to comply, in view of the level of protection provided by the relevant third country's legal system for the data transferred.

Continue monitoring developments

At the time of writing, DPAs, including the ICO, are still digesting the judgment, and its interpretation is still evolving. We should, therefore, expect more guidance and statements to be issued in the coming weeks, both from the ICO and DPAs in the remaining EU member states. Companies should, therefore, continue to watch for further developments and adjust plans accordingly if necessary.

1. The additional measures for transfers under C2P SCCs also apply to transfers under C2C SCCs.
2. Those additional measures for C2C transfers may be even more burdensome than those for C2P transfers because the level of protection afforded to data subjects under C2C SCCs seems to be lower than under C2P SCCs.

Companies will, therefore, need to evaluate each data flow under C2C SCCs, in particular with respect to the legal system of the third country, types of data transferred, type of recipient and types of data subjects. This is because “Schrems II” was not limited to data transfers to the U.S. but applicable to all data transfers to third countries outside of the EU/European Economic Area.

C2C SCCs are still valid

To be clear, at this time, C2C SCCs remain valid because “Schrems II” did not address them. As set out below, however, a risk exists that the CJEU may subsequently invalidate C2C SCCs if asked to weigh in on the question, taking into account its reasoning in “Schrems II.”

Additional conditions for data transfers under C2C SCCs

Considering the CJEU’s reasoning in “Schrems II,” it also seems unavoidable to apply the additional conditions for transfers under C2P SCCs to transfers under C2C SCCs. While Articles 46(1) and (2)(c) of the EU General Data Protection Regulation were analyzed by the CJEU only for C2P SCCs, they represent the same legal basis for transfers under C2C SCCs. Article 46(1) of the GDPR, moreover, specifically says that data transfers to a third country may only occur on the condition that data subjects have enforceable rights and legal remedies.  

“In the absence of a decision pursuant to Article 45(3) [i.e. an adequacy decision by the EU Commission], a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.”

In light of the"Schrems II" decision, we must focus on two important requirements for cross-border data transfers that rely on SCCs: (1) appropriate safeguards; and (2) data subjects having enforceable rights and effective legal remedies available. This applies not only for future cross-border data transfers, but also to already ongoing data transfers. To determine whether data subjects have enforceable rights and effective legal remedies available, however, the CJEU now requires an assessment of the legal system of the third country and whether the data subjects are afforded a level of data protection essentially equivalent to the level of protection under the GDPR and the EU Charter of Fundamental Rights. 

Assessment of the level of data protection in the third country

As covered in our guidance controller-to-processor SCCs, the CJEU did not specify what aspects must be considered in this assessment or address how companies will be able to carry out this complex assessment that requires a detailed understanding of the legal system of a third country. While we are all waiting for guidance from the authorities on how this assessment should be performed (ideally even guidance on the key aspects of the third countries’ legal system), the assessment could generally include:

• Carefully read the C2C SCCs and work with the importer to ensure that they are able to address all of the provisions of those clauses.
• Carry out due diligence on the type of data transferred, type of data subjects, processing purpose, retention period, and type of recipient/industry sector of the recipient.
• Carry out due diligence of the legal system in the third country to which personal data is exported to verify the rules for disclosure to and access by governmental agencies which includes, for example, whether and to what extent the third-country legal system authorizes government agencies to require disclosure of data and whether data subjects (including foreign data subjects) are informed about the disclosure and are able to bring legal remedies in court or tribunal.
• Carry out due diligence with the importer to determine whether the importer is bound by these laws, including the likelihood that the importer will disclose personal data of the exporter to the authorities in that third country, which could take into account, for example, the industry involved, categories and volume of personal data transferred, purposes of the processing by the importer, duration of data retention in the third country, etcetera.
• Carry out due diligence on the data importer to verify that the importer has a procedure to notify the data exporter, in compliance with the SCCs if a government demand extends to the data exporter’s data and will provide an opportunity to resist production.
• Confirm, on the basis of the due diligence carried out, that the C2C SCCs, in conjunction with any other applicable contractual terms for the relationship, are sufficient to address any issues raised as to the protection of personal data in the third country in that context or whether the circumstances require more specific terms as additional measures of protection.
• Put in place additional measures of protection if necessary to cure any deficiencies identified in the due diligence, for example, regarding the limitations of notification obligations in Clause II (b) of the C2C SCCs.
• Document such due diligence and the rationale for determining adequacy to have on file something akin to a data protection impact assessment for each set of transfers in case its position is ever challenged.

As data exporters located in the EU are much more likely to be subject to enforcement actions by the EU data protection authorities than a data importer outside of the EU, data exporters should take on this assessment as their own responsibility and accountability. Enforcement actions, in particular, an order of suspensions or fines, will in most cases be imposed on the EU data exporter, not a foreign-based data importer.

C2C SCC as appropriate safeguards

When comparing C2P SCCs against C2C SCCs, one could argue that C2C SCCs offer data subjects less protection than C2P SCCs. This is because C2P SCCs are governed by the law of the EU member state in which the data exporter is located and the further processing of the personal data by the processor importer remains subject to the GDPR, as the controller remains responsible for compliance of the processing with GDPR. The C2C SCCs, on the other hand, say only that data was transferred in compliance with the GDPR, but any further processing by the data importer is in principle no longer subject to GDPR. Under C2C SCC, the parties can freely decide whether the further processing shall be subject to GDPR or “only” to the processing principles set out in Annex A. Furthermore, under the C2C SCC, the notification requirements vis-a-vis the data exporter for disclosing data to third parties do not apply to disclosures to persons permitted or authorized by law to have access to the personal data.  

This suggests that a data importer under C2C SCC would not be required to inform the data exporter about a governmental disclosure request.  

In light of the varying protection levels under C2C and C2P SCCs, companies should consider the protection levels under C2C SCCs when carrying out the supplemental assessment of the legal system of the third country. As part of that assessment, it may be necessary to undertake an additional arrangement between the parties to cover the gap between C2P and C2C SCCs.  And, in so doing, remember that the CJEU may in a future opportunity hold them as invalid within the meaning of Article 46 (2)(c) of the GDPR. 

BCRs are also not in the scope of the "Schrems II" decision, and the Court of Justice of the European Union has not in any way touched upon the validity of existing BCRs. That said, BCRs are essentially another "adequacy instrument," just like the standard contractual clauses and EU-U.S. Privacy Shield. In other words, when approving BCRs, the supervisory authorities must have been convinced that the group companies, including those in the U.S. and the U.K., were required and able to comply with the contractual safeguards of the BCR arrangement. However, in the aftermath of the “Schrems II” decision, it is likely that, if individual SCC-based transfers would be considered noncompliant on grounds related to U.S. government surveillance, the same would apply to BCR-based transfers to the U.S.

In practice, the main difference is that the burden on assessing the adequacy of the safeguards rests with the supervisory authorities if a company uses BCRs, while the user of SCCs must, according to the CJEU, make its own adequacy assessment and is accountable if wrong.

Will this decision impact BCRs' approval trajectories that are planned or already in the pipeline?

This is a question we have heard from many organizations, and it is a difficult one to answer. First, it is clear that the "Schrems II" decision will drive more organizations to file for BCR approval, especially those who have group companies in the U.S. that process the customer's data as a sub-processor. Many technology suppliers contract with EU corporate customers through their EU subsidiaries based on a "local-to-local" processing agreement. Since there are still no processor-to-sub-processor SCCs and uncertainty remains whether the controller-to-processor SCCs can be used for transfers from an EU processor to a sub-processor in a third country, the only safe way to deal with data transfer restrictions without having to create direct legal relationships between the EU customers and the supplier's U.S. affiliates is to use BCRs.

Clearly, there will be more demand for BCRs, and it is no secret that the supervisory authorities are already understaffed and overstretched. Their international transfer teams are already trying to cope with the flood of new BCR approval applications that is caused by Brexit. So getting new BCRs approved will definitely take more time than in the past.

A more fundamental yet "crystal ball" question is whether supervisory authorities will be prepared to give their blessings to pending BCR applications of organizations that have affiliates in the U.S., as well as the U.K. and other countries with surveillance laws. Neither the European Data Protection Board nor an individual supervisory authority will probably be very keen to be the first to decide what measures need to be put in place by an individual company to ensure "adequate protection" of personal data transferred to the applicant's group companies in the U.S. However, they may not want to hold off on all BCR applications until the courts have provided clarity.

Legal certainty with BCRs?

Obtaining much-needed clarity from the courts may take a long time. If the supervisory authority rejects a BCR application, the applicant would have to appeal that decision through the national courts. A reference for a preliminary ruling to the CJEU would be possible but limited to questions of the interpretation of EU law (e.g., what level of adequacy is needed?). The ultimate determination will, therefore, likely be left to national courts.

Another option would be for the supervisory authorities to conditionally approve BCRs and decide that the approval decision will be revised if and when the CJEU or a national court decides on an individual transfer and/or provides that the BCR may need to be updated to incorporate any additional measures that the supervisory authority or EDPB establishes in the future.

The easiest way out for supervisory authorities would be to approve BCRs with the caveat that any individual transfer would be subject to adequacy requirements that have to be assessed by the users of the BCRs and/or the BCR lead post-approval on an individual basis, i.e. per data flow. By passing the bucket in such a manner, the supervisory authorities would, of course, rob the BCRs of their primary value of legal certainty.

Does the 'Schrems II' decision jeopardize existing BCRs?

BCRs are certainly not going to be invalidated for the simple reason that they are a direct feature of the EU General Data Protection Regulation instead of being based on a decision of the European Commission, such as the Privacy Shield and SCCs. However, the vast majority of all BCRs approved prior to the GDPR entered into force May, 25 2018, will eventually need to be revised. The supervisory authorities and EDPB will then face the same issue as with new applications: renewal of existing BCRs of organizations with group companies in the U.S. will, by implication, mean that the supervisory authorities are satisfied that the safeguards are adequate.

In any case, a supervisory authority could take the position with existing BCRs, that a case-by-case assessment is necessary despite the approved status.

Conclusion

BCRs are here to stay and will most likely gain popularity. At the same time, they do pose a challenge to supervisory authorities: If the EDPB approves BCRs without any caveats, this will mean, by implication, that the contractual safeguards set forth therein are fit for all third countries in scope.

They will hopefully be the catalyst that drives the EDPB to take an official position on whether "additional measures" are required by organizations that transfer personal data to their group companies in the U.S. Passing the bucket by approving BCRs with the caveat that individual transfers have to be assessed case-by-case would render BCRs devoid of what makes them popular in the first place — legal certainty.

The Court of Justice of the European Union's judgment stipulates that companies will need to evaluate whether their use of the standard contractual clauses provides sufficient protection in light of any access by the public authorities of the third country to the personal data transferred and the relevant aspects of the legal system of such third country. 

However, the judgment does not indicate that this evaluation of public authorities' access to personal data is required to rely on the derogations, in part because, unlike other transfer mechanisms, the derogations acknowledge and accept that the legal system of a third country does not provide adequate data protection. More importantly, the derogations do not demand companies implement countermeasures to "raise" the data protection level of the data recipient in the third country (with the exception of the "compelling legitimate interest" derogation in Article 49 (1)(2) of the GDPR).

Put another way: The receiving country's legal system and adequacy of its data protection level do not generally play a role in determining the applicability of the derogations. Thus, companies that can currently rely on the derogations should be able to continue to do so (although this may be different for the "compelling legitimate interest" derogation, see below).

There are, however, some key data privacy considerations that companies must consider before relying on the derogations as an alternative to the EU-U.S. Privacy Shield or SCCs, given their limited applicability, and the operational challenges of minimizing the scope of personal data transferred.

The title of Article 49 alone, "Derogations in specific situations," suggests derogations have a limited scope of applicability. Further, the European Data Protection Board made it clear in its 2018 guidance that derogations only apply where there are no other transfer mechanisms available, and companies have considered other solutions. Therefore, the derogations only serve as an exception to the requirements for cross-border transfers and should not be a standard, everyday solution to cover such transfers. This becomes more clear when we consider key privacy considerations for the most relevant derogations.

1. Consent. Relying on consent requires highlighting, specifically, in the consent language presented to data subjects that their personal data will be transferred internationally, and the risk associated with such transfers. While companies should mostly be able to address these requirements, consent presents some challenges as a reliable basis for data processing. The right of withdrawal leaves it to the data subject to decide at any time whether an international data transfer must be stopped. This can be an issue in cases in which a data subject withdraws consent and the actual data processing can no longer be performed by the company without significant adjustments to the technical data flows to avoid an international data transfer. Moreover, consent may not be a valid solution in many human resources scenarios due to questions about the validity of employee consent given the perceived imbalance in the employer-employee relationship.
2. Necessity. These derogations allow companies to transfer data internationally for the performance of a contract or to enforce or defend itself against legal claims and are subject to the “necessity” and “occasional” test. A company can only rely on these derogations when a data transfer is “strictly required” for these purposes (this requires a narrow interpretation under the EDPB’s Guidelines, 01/2019, Article 6 (1)(b)) and only when the transfers occur occasionally. Given the technical challenges that companies may face minimizing the personal data transferred to what is truly necessary, relying on these derogations may be a challenge for everyday international data transfers.
3. Compelling legitimate interests. Lastly, the key requirements for relying on the "compelling legitimate interest" derogation (Article 49(1) subparagraph 2 of the GDPR) does not make it an easy catchall solution for international transfers of personal data not covered by the derogations above. In particular, this derogation can only be used as a last resort and, if relied upon, calls for companies to implement "suitable safeguards with regard to the protection of personal data." Considering the rationale of the "Schrems II" judgment included companies taking steps to ensure adequate safeguards are in place for transfers under the SCCs (see above), there will be more attention and pressure on companies to ensure they implement similar safeguards under this derogation to ensure adequate protection of such transfers. Further, the requirement that companies exporting personal data notify the competent supervisory authority of such transfers and document its underlying assessment of the safeguards in place are key considerations to keep in mind prior to relying on this derogation as a transfer mechanism.

Speaking of documentation, generally, all the derogations call for clear cut documentation of the assessment that led to their use, ensuring compliance with the accountability principle of Article 5(2) of the GDPR and to be able to explain and demonstrate why no other transfer option was available.

To sum it up, the "Schrems II" judgment will likely not fuel the rapid use of the derogations, given the limitations on the derogation's applicability and key privacy compliance steps, and should be reviewed closely before being relied upon as an alternative mechanism for international data transfers. Despite the statement in the CJEU's judgment (see Paragraph 202 in the judgment), it is unlikely derogations will be able to entirely fill the gap that comes from the judgment. 

'Schrems II' as a sales versus compliance topic

Customers and prospects in the EU worry about legal impediments and risks associated with using cloud storage, mobile apps, software-as-a-service, managed security, call centers, business process outsourcing and a variety of other services they are using for employee and customer data. Not only providers of information technology services are affected, but more and more products also come with connectivity, remote access for tech support and other data-processing features.

Also, within affiliated groups, companies provide services to subsidiaries and parent companies. To succeed in selling data-processing services and features, companies have to help their customers overcome compliance concerns. Thus, companies not only have to address their own compliance obligations, but they also have to help customers and subsidiaries address their concerns.

Supplementary measures and verification duties

In "Schrems II," the CJEU notes the limitations that SCCs inevitably have. Contracts can bind only the contracting parties, but not government authorities or others that might threaten data privacy. Therefore, the CJEU states in Sections 133 and 134 of the judgment, companies in the EU may need to adopt “supplementary measures” and “verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.”

The concept that a data exporter has to assess and continuously monitor whether data importers can and do comply with their contractual obligations to protect personal data is not entirely new. According to Clause I(b) of the SCC 2004 (controllers), the data exporter in the EU must use “reasonable efforts to determine that the data importer is able to satisfy its legal obligations.” According to Clause 4(c)-(e) of the SCC 2010 (processors), the data exporter in the EU must “warrant … that the data importer will provide sufficient guarantees,” “that after assessment of the requirements of the applicable data protection law, the security measures are appropriate” and “that it will ensure compliance with the security measures.”

Consequently, companies in the EU that have relied on SCC for cross-border data transfers have always had a duty to determine whether the data importer can and will comply with the SCC. Moreover, controllers have to conduct due diligence assessments also when they engage processors within the EU: The “controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” pursuant to Article 28 EU General Data Protection Regulation. Pursuant to Article 5(2) of the GDPR, the controller must document that they diligently select and supervise processors within and outside the EU.

Extra scrutiny ex-EU

Even though due diligence duties are not new, due to the heavy emphasis that the CJEU places on the impact of government surveillance and privacy law frameworks in other countries, companies in the EU may perceive a significant increase in compliance burdens associated with cross-border data transfers.

Realistically, few companies in the EU or elsewhere have sufficient resources to competently assess other countries’ data protection law regimes, surveillance practices or compliance realities. Local or national data protection authorities are also hardly in a position to provide helpful information or guidance when even the European Commission struggles with such assessments: The European Commission’s current list of “adequate” jurisdictions contains a seemingly random selection of only 12 countries after more than 25 years of assessments, and the CJEU has invalided the commission’s adequacy decision regarding the U.S. twice in five years. In fact, the CJEU itself only addresses a few provisions of U.S. law, does not even begin to examine or compare data protection standards in actual practice within and outside the EU, and formulates due process requirements regarding national security programs that few countries outside or within the European Union can meet (for more information on war and peace in cyberspace).

Consequently, companies in the EU will inevitably feel an increased pressure to keep personal data within “Fortress Europe” (or, more specifically, within the — shrinking — EU) and may have to brace for further disruptions if governments in the U.S. and other countries retaliate with trade protectionism of their own, despite the generally positive potential of knowledge- and information-sharing for economies and societies. 

Proactive, practical steps

What can TMT service providers do?

At a minimum, providers must offer the contractual safeguards their customers need to buy and use their services in compliance with applicable law. According to the GDPR, this means unmodified SCC and national data protection laws pile on requirements in some countries.

TMT service providers can also help their customers shoulder compliance burdens by presenting an EU-based contracting entity so that the customer transfers data within the EU and the provider takes on the cross-border data transfer challenge. An EU-based provider may benefit in certain cases from the “one stop shop” treatment under Article 56 of the GDPR, which may become a critical advantage if data protection authorities across the EU form divergent views regarding the legality of cross-border transfers.

To some TMT providers, they can support research, public debates and the publication of comparative studies on national surveillance programs and privacy laws to help governments, DPAs and companies form objective views on the relative strengths of civil rights protections and threats (read examples of existing comparisons here). Trade associations, privacy advocates, law firms, universities, research institutions and other non-governmental organizations can play an important role, too, and, in a few years, more competent and objective assessments may emerge.

More immediately, providers can prepare informative briefings, FAQ and contractual representations to help customers in the EU get comfortable with the relative risk and meet their documentation obligations under Article 5(2) of the GDPR. Good data protection standards and documentation have already become a competitive differentiator, and the impact of "Schrems II" will likely raise the significance of a provider’s efforts in this respect.

Providers in many industry sectors can proactively substantiate that they are hardly the focus of government surveillance (e.g., medical devices, pharma, manufacturing). Cloud providers can show that their customers are much more likely directly exposed to government demands in their home jurisdictions than to indirect threats on their vendors. Companies in the U.S. can update companies and authorities in the EU on legislative developments in California and other states that have significantly expanded privacy laws and should qualify as more than adequate.

Customers and prospects can also take comfort — and reference in their own internal data transfer assessments — if providers publish transparency reports regarding government access requests, publicly commit to resisting access requests court orders and actually challenge authorities in courts.

At the same time, companies in the EU have to acknowledge limitations that companies face universally: If government authorities compel access to data for national security or law enforcement purposes based on applicable law from a company within their jurisdiction, the company typically has to comply. If a government authority demands in accordance with applicable law that an investigation remains confidential, the company has to comply. If a company in the EU demands that vendors elsewhere contractually promise to adhere to EU data protection laws or SCCs even if that means violating local law applicable where the vendors are headquartered, this will likely be counterproductive and may result in unenforceable contracts.

Therefore, providers and users of data processing services should make good faith efforts to examine and understand each others’ legal situations and work on realistic and practical arrangements that allow both sides to comply with applicable laws.

1. More Privacy Shield companies will implement alternatives. The CJEU opinion is complex, but one unmistakable point is that "Schrems II" invalidated the European Commission finding that Privacy Shield provides adequate protection for personal data transfers under the EU General Data Protection Regulation. As such, Privacy Shield companies will need to implement alternative solutions. SCCs will be a logical option to consider where the U.S. company receives personal data from EU companies, using the C2P SCCs if the U.S. company is a processor or the C2C SCCs if the U.S. company is a controller. Fortunately, the CJEU confirmed the validity of the C2P SCCs, so this should be a viable alternative, although subject to conditions (discussed below). For online consumer companies dealing directly with EU consumers, another alternative will be to look to derogations for specific situations under Article 49 of the EU General Data Protection Regulation, such as necessary to perform a contract with the data subject or the like.

2. An updated version of Privacy Shield will likely not emerge until after the U.S. elections in November. When the adequacy decision for the EU-U.S. Safe Harbor (the predecessor to Privacy Shield) was invalidated by the CJEU in 2015, the U.S. Department of Commerce and European Commission had already been negotiating for an updated trans-Atlantic program for many months. With "Schrems II," although the Commerce Department and EC have indicated that lines of communication are open, the discussions are not nearly as advanced. Moreover, although it will require further evaluation, it may be that the issues cited by the CJEU in "Schrems II" may require some form of legislative and not merely administrative action to address. As such, the process to update Privacy Shield is unlikely to be concluded in the next few months before the U.S. elections in November, particularly during the time of the pandemic and the associated economic challenges. Companies, therefore, must anticipate that the alternatives they implement will need to remain in place for the short to medium term.

3. No formal grace period for implementing "Schrems II" will be provided, but large-scale enforcement should be unlikely in the short term. The European Data Protection Board has indicated in its July 23, 2020, FAQ document that it will not be providing a grace period for companies to continue to rely on Privacy Shield (as the authorities had done for Safe Harbor following "Schrems I"). In practice, however, it would seem unlikely for there to be widespread enforcement actions solely on the basis that the companies were continuing to rely on Privacy Shield while implementing other solutions. Such an approach would be inconsistent with how data protection authorities have approached enforcement in the past, primarily seeking to help companies comply, rather than sanction them in enforcement actions. There can always be exceptions, particularly if a data protection authority feels pressed in a particular case, and DPAs have certain duties to investigate claims, but large-scale enforcement in the short term in this context seems unlikely (not to mention unfair).

4. Many Privacy Shield companies will continue to participate in the program for some time, even though the adequacy decision has been invalidated for the EU. Despite the CJEU ruling, there still can be some legal benefits to participation in Privacy Shield, including that the EU-Swiss Privacy Shield decision has not been invalidated, and certain authorities — most notably, the U.K. Information Commissioner's Office — may still recognize that Privacy Shield's practical commercial privacy protections. The Privacy Shield program is still fully functioning, and noncompliance with Privacy Shield promises are still subject to enforcement by the U.S. Federal Trade Commission. Privacy Shield also requires 90 days of advanced notice to the Commerce Department and other conditions to withdraw, so it's not as easy as simply deleting the Privacy Shield promises in the company's external-facing privacy statement. Moreover, depending on the business context, Privacy Shield companies may have customer agreements that require Privacy Shield participation until an alternative solution, such as the execution of SCCs with appropriate conditions. Some companies may also consider that they have built an entire program around Privacy Shield. These companies may wish to remain in the program in anticipation that the Commerce Department and EC will eventually be brought back to the negotiating table to work out a creative solution for many of the same reasons (protection of personal data and certainty for trans-Atlantic commerce) that brought them together more than two decades ago for Safe Harbor and more recently for Privacy Shield.

5. More companies will pursue BCRs, but this approach will not scale to the level of use of SCCs. The EDPB has indicated that companies relying on BCRs must undergo the same type of assessment of the laws and practices of the recipient countries as companies that rely on SCCs. In practice, BCRs may still be viewed as being safer than other approaches because the data protection authorities themselves would have participated directly in the approval of the BCRs and may be unlikely to take such companies to task as being a test case. Ultimately, however, BCRs will be unlikely to scale in the volume of participants until the authorities move beyond time-intensive case-by-case approvals and instead follow a more innovative approach, such as where (similar to SCCs) a "model" BCR or perhaps a code of conduct is available that will be deemed to provide adequate protection for personal data transfers if adopted without modification.

6. When doing the assessment of government law and policy in recipient countries, companies will tend to focus their analysis on their own industry vertical and actual practices (case-by-case analysis). One of the more challenging aspects of "Schrems II" is the obligation that is imposed on companies to assess whether the level of protection in the recipient country is essentially equivalent to the level guaranteed by the GDPR on national security. As summarized by the EDPB in its FAQ, the Privacy Shield adequacy decision was invalidated because the CJEU "considered the requirements of U.S. domestic law, and in particular certain programmes enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities."

Now, companies need to do this type of assessment when using other data transfer vehicles under Article 46 of the GDPR (e.g., SCCs, BCRs). This can be a significant challenge for a company sending data to multiple jurisdictions globally. How does a company assess the national security law and practice of each of these recipient jurisdictions? And, what recipient country's law and practice would realistically survive a strict reading of the CJEU's opinion? For example, what country allows foreign nationals to enter local courts and challenge the practices of the country's intelligence services? In practice, and perhaps as a first step until some guidance is forthcoming from the EDPB, EC or other authorities, companies will tend to focus their due diligence analysis on their own industry vertical and their own experience with national security demands (case-by-case analysis). They may also be looking to confirm or perhaps update their contract terms with third-party vendors on these points, including subcontractors, covering to some degree the legal position under recipient country laws, as well as any available information about actual practices impacting data about the company's industry sector or the like.

In addition, the company may seek assurances that the vendors have policies and practices on government demands that seek to minimize disclosures and provide transparency customers. And, taken these threads together, the companies may wish to document these types of reviews in order to demonstrate later, if ever needed, that they have done a suitable assessment of these issues.

7. Commercial cross-border data transfers will become more difficult in the next three to five years. "Schrems II" is, unfortunately, just one example of a broader trend within the global privacy and regulatory environment that is making it more difficult to transfer data across borders. Russia data localization has been with us for several years but is getting more strict with enforcement. China is implementing its Cybersecurity Law to exert more scrutiny on outbound data transfers and require data localization in some cases. India is considering legislation that would require data localization in some cases. Brazil and other jurisdictions are adopting GDPR-like data protection requirements with cross-border transfer restrictions. Given that the landscape is changing and developing rapidly, companies considering long-term investments in information technology and cloud applications will need to evaluate how to build in geo-flexibility as a hedge against data localization and privacy risk. It goes without saying that this broad privacy and regulatory trend cuts directly against how data collection, use and transfer is becoming increasingly important to business in the digital age. As such, the road ahead will be quite interesting and challenging for privacy professionals.