On 16 July, the European Court of Justice (CJEU) struck down the controversial Privacy Shield arrangement for transferring data from the EU to the US. Cue widespread alarm as businesses reliant on such transfers scrambled to work out what other solutions were available.
Fortunately the CJEU also clarified that Standard Contractual Clauses (SCCs), an alternative mechanism for transferring data, remain valid. Essentially, SCCs are template or form contracts set out by the European Commission that allow transfers of European citizens’ data to take place legally. However, while confirming that SCCs are valid, the Court underlined that they can only be relied upon when risks have been properly assessed and cannot amount to a “tickbox exercise.”
Given the number of transfers certain international tech giants make daily, that could pose a challenge.
Nonetheless, CCIA said: “We are encouraged that today’s ruling recognises Standard Contractual Clauses as a trustworthy mechanism for transferring data outside of Europe.”
Cecilia Bonefeld-Dahl, Director-General of DIGITALEUROPE was also upbeat: “Today’s ruling on SCCs provides clear reassurance for the thousands of companies who use them as the main tool for international data transfers. These clauses are vital to Europe’s digital economy, which depends on companies of all sizes and from all sectors operating across borders.”
On a more cautious note, Tanguy Van Overstraeten, Partner and Global Head of Privacy and Data Protection at LinkLaters pointed out: “This is less of a win for businesses than it appears. Large companies have complex webs of data transfers to hundreds, if not thousands, of overseas recipients. The CJEU has made it clear companies cannot justify them using a ‘tick box’ exercise of putting SCCs in place. Instead, the risks associated with those transfers need to be properly assessed.”
Susanne Dehmel, member of Bitkom’s management board, was also concerned: “Even the hitherto valid practice of Standard Contractual Clauses is thrown into doubt by the Court’s decision. For companies with data processing activities in the US this decision creates significant legal uncertainty.”
Those businesses hoping that they may be granted some leeway to get their house in order will have to act fast as European data protection authorities are not inclined to grant any sort of amnesty.
The European Data Protection Board is currently analysing the Court’s judgment “to determine the kind of supplementary measures that could be provided in addition to SCCs or Binding Corporate Rules (BCRs), whether legal, technical or organisational measures, to transfer data to third countries where SCCs or BCRs will not provide the sufficient level of guarantees on their own.”
However, in the meantime it issued a Frequently Asked Questions document on 23 July to help companies navigate this tricky time, which in answer to the question “Is there any grace period during which I can keep on transferring data to the US without assessing my legal basis for the transfer?” bluntly answers: “No.”
For businesses already relying on SCCs, the news was similarly grim: “Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place,” explains the EDPB.
Transfers must be assessed on a “case-by-case analysis of the circumstances surrounding the transfer,” said the board and if appropriate safeguards cannot be ensured, businesses are required “to suspend or end the transfer of personal data.”
It also adds that “if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority.”
The same goes for Binding Corporate Rules (BCRs) – these are essentially the same as SCCs but where the data transfer takes place within the same corporate group rather than a separate “exporter” and “importer.”
In light of this companies are also looking hard at the derogations under Article 49 of the GDPR, specifically: consent, public interest, and performance of a contract. The EDPB reminds businesses that consent must be explicit, specific and informed, but had more to say on the matter of performance of a contract.
“With regard to transfers necessary for the performance of a contract between the data subject and the controller, it should be borne in mind that personal data may only be transferred when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”. In any case, this derogation can only be relied upon when the transfer is objectively necessary for the performance of the contract,” warned the board.
Ben Rapp, founder of data privacy consultancy Securys also highlighted this point: “For basic commerce there is the possibility of relying on Article 49 derogations, but the Commission has been clear that these should not be used for repetitive transfers. Broadly this means that US websites can make occasional sales to EU/UK citizens on the basis of Article 49 and the need to fulfil a contract, but can’t provide ongoing services or routine data processing, particularly in bulk.”
“What happens next will be cumbersome and expensive for business,” he continued. “Multinational organisations and joint ventures can consider using BCRs for internal data transfers to the US, but only to parts of their own enterprise. BCRs are complex to set up, especially in a joint venture or fractional ownership environment, and require entities to accept liability for litigation by data subjects. Critically BCRs have to be formally approved by the organisation’s local EU regulator, which may be difficult to achieve in this new context and will certainly introduce significant delay.”
“Policymakers and those in the business should not be lulled by this moment of calm into inaction,” added John Miller, Senior Vice President of Policy and Senior Counsel, ITI. “We should not overlook the fact that the root causes cited by the court in invalidating Privacy Shield – and the EU-US Safe Harbour before it – remain largely unchanged, and that any fair reading of the CJEU decision suggests that SCCs, too, could meet a similar fate. The court’s decision plainly indicates both that the parties to SCCs as well as DPAs are obligated to assess whether the laws of third countries provide an adequate level of protection regarding potential government access to personal data transferred pursuant to SCCs or other transfer mechanisms.”
Inaction is indeed the last thing companies should be considering. Assessment seems to be the watchword Europe’s data protection authorities are relying on – the phrase “case-by-base” is used five times in the six-page document. Invalidation of Privacy Shield was never going to be easy for companies, but SCCs or BCRs are not the easy solution some have hoped.