The New Challenges in Personal Data Transfers
Transfers of personal data from the European Union (“EU”) to third countries underwent major changes in 2020 following the Schrems II decision of the Court of Justice of the EU (CJEU) and are bound to become even more complex once Brexit is finalized. Companies currently face new challenges in keeping their data transfers GDPR compliant.
Changes in the existing data transfer mechanisms
When the GDPR came into force in 2018, it placed restrictions on when data transfers may take place. There are four alternative grounds on which a data transfer to a third country may be lawful: adequacy decisions of the European Commission (“EC”), standard contractual clauses (“SCCs”), binding corporate rules (“BCRs”), and derogations for specific situations. The recent changes in the area of data protection in the EU primarily affect the first two mechanisms.
“Adequacy decisions” are adopted by the EC when a third country provides guarantees for data protection that are essentially equivalent to those in the EU. Once such a decision has been adopted by the EC, no barriers to data transfers to that third country exist. An adequacy decision does not have to extend to all types of data transfer to a third country. For example, when the Commission adopted an adequacy decision in 2016 with regard to the EU-US Privacy Shield, data could be transferred only to specific certified companies in the US, not to all American companies. The change brought about by the 2020 Schrems II decision of the CJEU is that this adequacy decision for EU-US transfers is no longer valid. Therefore, companies that want to transfer data from the EU to the US will have to rely on a different transfer mechanism.
In the absence of an adequacy decision, companies have the option of turning to one of the three other legal bases for data transfers. While the general rules for binding corporate rules and derogations for specific situations remained the same in 2020, this is not the case for SCCs, which were part of the subject matter of the Schrems II decision.
SCCs, which are issued by the EC, essentially constitute a contract between the data exporter and the data importer. They contain the obligations of the parties engaged in the data transfer and the rights of the persons whose data is being transferred. The Schrems II decision had a significant impact on the way companies evaluate whether SCCs are the most suitable transfer mechanism for them. The Court held that the parties to the SCCs must verify “on a case-by-case basis” whether the law of the data importer’s country ensures adequate protection for personal data as required by EU law. In practice, this means that it will not be enough for companies merely to sign SCCs with the non-EU entities to which they want to transfer data. Rather, companies will need to assess whether additional guarantees for data protection need to be put in place, and carefully examine whether it will be possible at all for the data importer to comply with the SCCs.
To assist companies in adapting to the changes in data transfer mechanisms that followed Schrems II, the European Data Protection Board issued its “Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”. The recommendations cover the application of the principle of accountability to data transfers, and they contain a non-exhaustive list of additional safeguards that companies can implement where such safeguards are found to be necessary.
Future of EU-US Data Transfers
As mentioned above, the Privacy Shield, which allowed the transfer of personal data from the EU to specific companies in the US certified under the Shield, was invalidated by the CJEU. The Court considered that the ability of US intelligence agencies to gather data under US law was not accompanied by sufficient privacy protection for EU citizens. Thus, organizations can no longer rely on the Privacy Shield to ensure the lawfulness of data transfers.
Moreover, the Schrems II decision gave organizations no grace period in which to adapt. Companies that continue to rely on the Privacy Shield for data transfers are at high risk of facing sanctions under the GDPR. The latest example is the American giant Amazon, against which a trial is pending before the German courts. The claimant is the European Association for Data Protection, and it accuses Amazon of continuing to use the Privacy Shield as a basis for transferring the personal data of its customers to the US. To avoid similar situations, companies will naturally turn to the other instruments provided under the GDPR, the most commonly used of which are SCCs and BCRs.
However, the Court has already found that US surveillance programs are an obstacle to sufficient privacy protection. Organizations now face the question of whether those concerns apply to their particular transfers and whether they can be remedied through additional safeguards. Moreover, companies must also determine whether effective judicial remedies exist for the data subjects. Hence, it will not be enough simply to sign SCCs without further assessment of whether sufficient privacy protection exists and how that protection can be improved through additional safeguards.
Data transfers post-Brexit
The EU-US relationship is not the only one in the field of data protection undergoing significant changes. As the United Kingdom approaches the point at which it will become a third country to the EU, new rules on data transfers will also apply between the EU and the UK. The Brexit “transition period”, during which EU laws still apply in the UK, will end on 31 December 2020.
It is still unclear whether the UK will leave the EU with an automatic “adequacy” status. Unless a potential Brexit deal specifically covers data transfer arrangements, the EC would likely go through an assessment process before “adequacy” is granted. If the Commission does not reach an affirmative decision by the end of the transition period, new restrictions on data transfers from the EU to the UK will apply.
Those restrictions will first affect the legal bases that organizations use to transfer data. Companies established in the UK that receive personal data from the EU will most likely need to use SCCs as the legal basis for those transfers. Many multinational groups that include UK entities will also turn to drafting and implementing BCRs, since these would be a sufficient legal basis for data transfers. Moreover, existing BCRs or SCCs may need amendments once the UK becomes a third country. As for transfers from the UK to the EU, the UK government has stated that they will remain unaffected and that the free flow of personal data from the UK to the EU will continue.
Additional rules that will apply to UK-based organizations with no establishment in the EU that offer goods or services to EU data subjects include the appointment of an EU representative. The representative must be established in one of the Member States in which the data subjects whose personal data are processed, or whose behavior is monitored, are located. The same will apply to international organizations providing goods to the EU whose EU office is in the UK.
How can companies adapt?
Companies affected by the changes in EU-US and EU-UK transfers will most likely need to re-evaluate their legal basis for transferring data. Where that basis is SCCs, an assessment of whether additional safeguards are needed will also be necessary. Moreover, data subjects need to be made aware of any changes in the legal basis used for the processing of their data. Hence, part of the adaptation process for companies that transfer data to the US or the UK will be reviewing and updating their privacy policies and privacy notices.
Finally, the rules on data protection are always evolving, and it is vital for companies to keep themselves informed about changes in the GDPR regime. The most recent example is the EC’s draft implementing decision on SCCs for the transfer of personal data to third countries. The Commission proposes modernized SCCs that companies will need to implement within 12 months of the decision’s adoption. The proposal can be found on the EC’s website and is open for feedback until 10 December 2020. Being informed about and engaged in the process through which such decisions are adopted makes it easier to adapt to them.