The Schrems II judgment in mid-July was a bombshell for companies that transfer data between Europe and the United States, effectively invalidating many (if not all) of these agreements. The effect of the decision ripples out to the rest of the world as well, as it also forces U.S. companies to evaluate the security adequacy of any third-party vendors in other countries who handle this data. Much-needed European Data Protection Board (EDPB) guidance began to emerge late last week in the form of a “frequently asked questions” document, and the picture looks about as grim as possible for impacted companies thus far.
Perhaps the biggest takeaway from this early EDPB guidance is that a transitional grace period, something numerous U.S. companies had requested and that had precedent in the 2015 invalidation of the prior Safe Harbor data agreement, will not be forthcoming. Organizations will be forced to adapt to this new reality immediately. Standard contractual clauses (SCCs) will remain a potentially viable tool, but in many cases will be subject to an assessment before they can continue. The new EDPB guidance also clarified that Binding Corporate Rules (BCRs) will be treated in the same manner as SCCs under the Schrems II terms.
Schrems II ruling creates a tough road
After the Schrems II decision came down, a number of American companies called for a grace period to negotiate the substantial logistical difficulties of getting their data flows into compliance. A similar grace period (of about three months) had been granted in 2015 when the original Schrems v. Data Protection Authority case was decided. There will be no such arrangement under the new EDPB guidance. The Privacy Shield agreement is already null and void and companies are technically no longer protected by it, though it remains unclear as to when enforcement actions will actually begin.
The Schrems II ruling leaves SCCs and BCRs intact, but requires that each business partner in the United States (and any third-party vendors in other countries that those companies might have relationships with) have standards of data security and privacy that are at an “essentially equivalent level” to the terms of the EU General Data Protection Regulation (GDPR). The central problem here is that the court invalidated Privacy Shield primarily on the basis of reports of U.S. government spying on international data transfers, stemming initially from the Edward Snowden revelations in 2013. What this means is that each data partner in the U.S. now bears the legal burden of demonstrating that the country’s government does not have a level of access to this data that would violate the GDPR. And if the U.S. partner uses third-party vendors, their national governments must in turn be shown to not have the same sort of access — a requirement that could put an end to having data transferred to countries such as China and Russia.
It is still possible to express this level of data security via an SCC or BCR in accordance with the Schrems II ruling, but it will be difficult. The new EDPB guidance establishes that these agreements will be subject to an assessment. If a U.S. data partner does not believe that they can meet the new standards, or if they report to a data protection authority (DPA) for an assessment and fail it, they are required to stop transferring all data immediately.
One of the other areas of immediate interest for U.S. organizations is the potential use of the GDPR’s Article 49 derogations for exceptions in cases where explicit consent to transfer personal data has been granted by the end user. The current EDPB guidance indicates that these derogations can still be used, but depend heavily on the circumstances of the transfer and require a restrictive interpretation so that exceptions do not become the new default means of getting things done. Necessary fulfilment of legally binding contracts appears to be the clearest circumstance to which this applies in the context of the Schrems II decision.
Further EDPB guidance required
The current EDPB guidance is essentially just the first draft of what is considered a “living document”; further, more detailed guidance on the transfer of personal data is forthcoming.
One of the key indications in the EDPB guidance is that “supplementary measures” are being developed that may shore up existing SCCs once implemented, but these have not been described in detail as of yet.
So what can organizations do in the face of a seemingly impossible situation that goes into effect immediately? Bridget Treacy and David Dumont, Data Privacy Partners at Hunton Andrews Kurth in London and Brussels respectively, said: “As matters stand, it is by no means clear how affected businesses can navigate these challenges, yet they cannot stand back and do nothing. A risk based approach will be required … Based on the FAQs, the EDPB does not seem to consider that transfers to the U.S. are no longer possible. That said, data exporters and importers will need to carry out a difficult, case-by-case transfer risk assessment … This ruling is likely to encourage data localization, with some already calling for EU data to be processed in the EU. There is also a possibility that the legal framework in certain countries will be regarded as too risky to accommodate EU personal data, with potentially serious repercussions for global commerce.”
Ultimately, all of this runs through the DPA of the country (or countries) in question. Some of the DPAs are unofficially indicating that they will not launch immediately into scrutiny of existing transfer mechanisms and enforcement, granting something of an unspecified grace period in their territories. And some, such as Ireland’s DPA, were already so backlogged with cases prior to the unexpected Schrems II decision that it seems unlikely they will be able to pivot to prioritizing enforcement anytime soon.