There has been a lot of discussion about whether the recent Schrems decision means that you can no longer export personal data to the US and what hoops you have to jump through to export personal data elsewhere.
We have cut through the complexity to set out below what the decision says and what this means from a practical point of view in 10 bitesize takeaways.
Our data protection lawyers are experienced with all aspects of data export and related regulatory issues. Contact us today for legal advice and support for your business about the Schrems decision and other data protection matters.
- What's the background to the Schrems case?
- What are the rules around exporting personal data?
- What happened in the Schrems case?
- Who is affected?
- Can we still transfer personal data to the US?
- How have the US and European Regulators responded?
- How have other countries been affected?
- Does this mean that it will be difficult to get personal data from the EU into the UK from 1 January?
- What can you do?
- Where do we go from here?
1. What's The Background To The Schrems Case?
The Schrems case is about the export of personal data from the EEA (the EU plus Liechtenstein, Iceland and Norway) to countries outside the EEA.
Data export has been a contentious issue for a number of years, and was regulated under the old Data Protection Act 1998, which predated GDPR.
At one point, during the discussions around GDPR, there was some talk of relaxing the rules to recognise that the world has become more globalised and large IT suppliers might have locations around the world. The Edward Snowden revelations put paid to that, and GDPR regulated data export in a very similar way to the old law.
Although GDPR preserved the regulation of data export, privacy campaigners have been unhappy with the protections for individuals and worked for years to get this tightened up.
This came to a head in two cases spearheaded by privacy activist Max Schrems.
In both cases, he argued that the protection for his personal data was inadequate when Facebook exported it to the US.
2. What Are The Rules Around Exporting Personal Data?
Organisations can send personal data from countries within the EEA to other countries in the EEA without putting export safeguards in place. However, stricter controls apply under data protection laws if they send personal data to a country outside of the EEA. This is to make sure that individuals have the same level of protection and rights over their personal data as if that personal data had remained in the EEA.
When thinking about exporting personal data you need to consider not only actively sending personal data to a country outside the EEA, but also giving someone access to the personal data, even if it stays on your servers, such as an IT provider or outsourced IT support.
If you are planning on exporting personal data to countries outside the EEA then additional safeguards need to be in place. Common ways to export personal data pre-Schrems included the following:
- The EU Commission had reviewed the country in question and found it to provide adequate protection to the personal data exported to it. There are many countries on this list from Uruguay to Jersey and Israel to the Isle of Man
- If the personal data was going to the US, the business it was going to was on the privacy shield register run by the US Department of Commerce
- Parties to the export had the EU Commission's approved standard contractual clauses (“SCC”) in place
- The transfer was intra-group and the group had approved “Binding Corporate Rules” in place between the group companies.
There are also some limited exemptions that organisations could rely on for ad hoc occasional transfers.
3. What Happened In The Schrems Case?
In 2015, Max Schrems successfully had Safe Harbor, the precursor to Privacy Shield, declared invalid in his first case against Facebook. He was unhappy with his personal data being sent by Facebook in Ireland to the US on the basis of Safe Harbor as he considered that the security services could access his data and he would have little recourse.
Schrems II continued the complaint against Facebook Ireland around the transfer of his personal data to the US. In Schrems II, the validity of using Privacy Shield and SCCs to transfer personal data to the US was considered by the Court.
On 16 July 2020, the EU Court of Justice (“CJEU”) released their judgment which ruled that:
- Privacy Shield was invalid. The Court didn’t feel that the US gave sufficient protection for personal data because of access by the US security services, and the right to get redress for breach of Privacy Shield was also insufficient.
- The SCCs remained valid and could be used to export personal data in principle, but due diligence had to be done on the legal system of the country the personal data was being exported to, to show that there are adequate protections for personal data. The controllers of the personal data now need to be comfortable that there is an ‘adequate’ level of protection for the personal data in that country, using the adequacy test in Article 45(2) of the GDPR.
The Court’s assessment above also applies in the context of Binding Corporate Rules (“BCRs”).
4. Who Is Affected?
Any organisation sending personal data outside of the EEA.
While the focus has been on the export of personal data to organisations in the US, the judgment applies to all countries outside of the EEA. Any organisation which exports personal data outside of the EEA should review its transfer mechanisms and check whether they meet the new requirements set out in the judgment.
5. Can We Still Transfer Personal Data To The US?
While the SCCs are still valid, the same concerns around access by security services and the lack of redress also arise under the SCCs and any BCRs once you carry out the required due diligence.
If SCCs and BCRs are under question, then there's doubt over the legitimacy of export to the US unless the ad hoc exemptions apply. Given the $7.1 trillion economic relationship between the EU and the US, there will be pressure on both sides of the Atlantic to limit the negative impact of the judgment and find a solution.
There are ongoing discussions about a new version of Privacy Shield (see below) and there are suggestions that the type of personal data concerned could be looked at to see if that improves the position on the due diligence.
At the moment, however, the position is uncertain. What we can say is that you can't use Privacy Shield, but at present SCCs remain valid and organisations need to carry out the risk assessment and be comfortable on a case-by-case basis that the export on the basis of SCCs is compliant.
6. How Have The US And European Regulators Responded?
As expected, there has been a mixed reaction both across Europe and in the US.
A number of regulators across Europe have said that there is no grace period: as of 16 July, the Privacy Shield is invalid, can't be used as a transfer mechanism to safeguard personal data, and due diligence under SCCs is necessary.
The Irish Data Protection Commissioner has been outspoken on the matter and has said logically the judgment means that it would be difficult to show that any transfers to the US would meet the requirements of showing that individuals have the same level of protection for their personal data. In August she issued a preliminary order requiring Facebook to suspend transfers to the US about its EU. The Irish High Court considers this to be hasty and on 14 September held that Facebook Ireland could challenge the decision. The next court hearing is scheduled for November.
The UK Information Commissioner’s Office has advised that, for the time being, businesses relying on the EU-US Privacy Shield can continue to do so until new guidance becomes available, but any business not currently relying on the framework should not start now.
On 10 August, the US Department of Commerce and the European Commission released a joint statement advising that they have started discussions on an enhanced Privacy Shield framework to comply with the judgment. They commented that they recognised the vital importance of data protection and the significance of cross-border transfers to individuals and economies.
Since the judgment, the European Data Protection Board has created two task forces: one to prepare recommendations to support controllers and processors regarding their duties and the second to handle and review complaints received by the regulators in the EEA. Guidance on what has to be done to meet the due diligence requirements would certainly be welcome!
While there is no formal grace period, we would hope that data protection authorities delay taking enforcement action until clear guidance is available.
7. How Have Other Countries Been Affected?
The US isn't alone in having strict surveillance laws and it remains to be seen how the judgment will affect adequacy decisions and whether data protection authorities highlight any countries whose surveillance regimes mean that SCCs can’t be used as the due diligence requirements cannot be met. At the moment, this is just speculation and what happens in relation to other countries still remains to be seen.
8. Does This Mean That It Will Be Difficult To Get Personal Data From The EU Into The UK From 1 January?
As of 1 January 2021, the UK won't be in the EU and won't have the benefit of the transitional arrangements. It will therefore be in the same boat as the US in relation to the export of personal data unless a deal is done.
The government has gone on record as saying that it would like to be given an adequacy decision by the EU in the same way as Japan or New Zealand. As adequacy decisions usually take 3 years, this is unlikely to happen before January.
The government’s aspiration was dealt a further blow on 6 October when the CJEU ruled that the ‘mass surveillance’ regime in the UK (as well as France and Belgium) was illegal. It determined that the government cannot indiscriminately retain data, or transfer it to security agencies, for the purpose of combatting crime or safeguarding national security. This gives rise to similar concerns as were raised in relation to the US and could make the transfer of personal data from the EU to the UK very difficult after 1 January.
9. What Can You Do?
As a first step, organisations should review their data flows to identify data exports, where data goes, and what safeguards they have used to date. If you rely on Privacy Shield, you'll need to replace it.
Changing to SCCs is the obvious choice if the country the personal data is going to provides adequate protections and can meet the due diligence requirements. If the requirements can’t be met, then you need to look at ad hoc exemptions. If they don’t help, then either the data export must stop or the organisation will have to be comfortable with the level of risk it's taking on by not being able to meet the due diligence requirements.
10. Where Do We Go From Here?
It is a case of 'watch this space'. As highlighted above, the European Commission, the US and the EU regulators are all working towards putting in place alternative transfer mechanisms and updating the SCCs to ensure compliance with the GDPR.
However, there's no question that the more an organisation knows about its data flows, the countries it transfers to, and its transfer mechanisms, the better.