How will invalidity of the Privacy Shield and new rules for Standard Contractual Clauses affect UK data transfers?

Europe

In a recent ruling, the EU Court of Justice struck down the EU-US Privacy Shield and, though it ruled that standard contractual clauses remain valid for transfers of personal data outside the EEA, interpreted their use as subject to potentially onerous conditions for businesses. What does this mean for businesses transferring data to and from the UK, and how might the end of the Brexit transition period further complicate the issue?

Background

On 16 July 2020, the Court of Justice of the European Union (“CJEU”) published its judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (“Schrems II”). The CJEU followed the Advocate General’s Opinion in finding that Commission Decision 2010/87 on standard contractual clauses (“SCCs”) for the transfer of personal data to processors established in third countries remains valid though data exporters and importers will be subject to greater due diligence requirements.

The CJEU also found that Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (which replaced the previous Safe Harbor Agreement) was invalid as it infringed certain rights in the EU Charter of Fundamental Rights (the “Charter”), including the right to an effective remedy, and so could not be relied upon to facilitate transfers of personal data from the EEA (and, currently, the UK) to the US in future.

CMS has produced a full summary and analysis of the CJEU judgment here and of the Advocate-General’s Opinion here, which explain the background to the case and the CJEU’s findings in further detail. This article focuses on putting the judgment into context for transfers of personal data by businesses to and from the UK.

It remains to be seen what impact the judgment will have in respect of the UK - which will soon be treated as outside the EEA for personal data transfers - and the extent to which the UK will seek to reflect the CJEU findings in its own data protection regime following the end of the Brexit transition period. Under the terms of the EU Withdrawal Agreement, the UK is currently bound by EU law and the rulings of the CJEU and treated as though it remains in the EU for the purposes of personal data transfers until 31 December 2020.

Key elements of the judgment and its relevance to business transfers to and from the UK

Application of the GDPR and relevant considerations for a UK adequacy decision

In following the Advocate General’s Opinion, the CJEU confirmed that EU law and, specifically, the General Data Protection Regulation (“GDPR”) applies to the transfer of personal data outside the EEA if the transfer is for commercial purposes, irrespective of whether, at the time of the transfer or thereafter, that data is processed by the authorities of the third country for the purposes of public security, defence or national security.

This concerns not only transfers from the EEA to the US and other third countries, but also comes at a time when consideration as to whether the European Commission will make an “adequacy decision” (enabling free flows of personal data) in respect of the UK by the end of the Brexit transition period (31 December 2020) is underway. In cases in which the Commission has made an adequacy decision, the CJEU states such decision shall be binding on all Member States, unless the decision is declared invalid. Without such provision, businesses wishing to transfer personal data to the UK thereafter will need to provide for “appropriate safeguards” for international transfers, such as SCCs or binding corporate rules (“BCRs”) for inter-group transfers, or, alternatively, satisfy the criteria to rely on a derogation.

Transfers from the UK following the end of the Brexit transition period

While the UK has already provided for transitional arrangements to enable transfers to continue to the EEA and other third countries as previously in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 after the end of the Brexit transition period, it is unclear how it will respond to the CJEU’s latest judgment. Current UK legislation envisages that the GDPR will largely be retained in UK law, subject to certain modifications. It isn’t yet clear if the UK will seek to continue to reflect the CJEU’s approach in full in its new data protection regime.

Level of data protection should be essentially equivalent to the EU

The CJEU has confirmed that the appropriate safeguards, enforceable rights of data subjects and effective legal remedies available to data subjects must ensure a level of data protection essentially equivalent to that provided for by the GDPR read in the light of the Charter. Furthermore, in assessing if the requirements for appropriate safeguards have been satisfied in the case of SCCs, the judgment noted that consideration must be given to both the SCCs agreed between the data exporter and the data importer as well as the legal system of the relevant third country. It is likely that the same requirements apply to BCRs.

This will, firstly, affect businesses wishing to transfer personal data from the UK from the present time (as there is no ‘grace period’ in respect of the judgment) and, secondly, affect the criteria businesses must satisfy if they wish to continue to transfer personal data to the UK following 31 December 2020 in the absence of an adequacy decision.

What steps can businesses take in practice?

Unless the European Commission has issued an adequacy decision in respect of a third country, businesses wishing to export or transfer personal data to that third country will need to:

  • Ensure that a transfer meets the GDPR requirements for appropriate safeguards, for example in respect of SCCs or BCRs, or, alternatively, rely on a derogation;
  • If businesses choose to rely on SCCs, they will need to implement an effective mechanism to ensure that the SCCs are complied with and that transfers are suspended when required under the SCCs. This will significantly increase the burden on data exporters and require additional steps to be taken such as:
    • making an initial assessment of the level of protection offered by local laws in the importer’s country and whether these conflict with the protections under the SCCs;
    • regular monitoring of processors and other recipients of personal data outside the EEA to ensure that the controller’s instructions and the SCCs are being complied with; and
    • proactively asking processors and other recipients of personal data outside the EEA for updates on changes in local legislation or other applicable law.

Data importers in a third country (which following the end of the Brexit transition period will include the UK) will, if relying on SCCs, need to:

  • certify that they have no reason to believe that the legislation or other law applicable to them prevents them from fulfilling the exporter’s instructions and their contractual obligations contained in the SCCs (or disclose issues to the contrary);
  • assist data exporters in making an initial assessment of the level of protection offered by local laws in the importer’s country and whether these conflict with the protections under the SCCs;
  • agree to subject themselves to regular monitoring to ensure that the controller’s instructions and the SCCs are being complied with; and
  • provide updates to data exporters on changes in local legislation and any other applicable law.

All of this will likely require additional resourcing and increase costs for all involved, including prompting negotiations on whether data importers can pass down their increased costs of compliance to data exporters. It is worth noting that any action plan implemented following the assessments described above may differ significantly from organisation to organisation, as such action plans will be dependent on the risk profiles of the organisations involved. For example, this is likely to be lower if the organisation does not carry out large volumes of transfers and they do not involve high risk processing. If an organisation does determine that the judgment necessitates a different approach, e.g. localisation of personal data within the EEA, the organisation will need to make sure that it has the right budget and resources, and (if relevant) cross-functional teams in place.

How have data protection authorities (“DPAs”) and other international bodies responded to Schrems II and what additional guidance may be available in respect of uncertain cases?

  • The CJEU has affirmed that, unless there is a valid adequacy decision, DPAs are required to suspend or prohibit a transfer of personal data to a third country using SCCs when the DPA is of the view that the SCCs are not, or cannot be, complied with in that third country and the protection of the data transferred that is required by EU law cannot be ensured by other means.
  • One of the areas of uncertainty contained in the judgment relates to whether businesses can comply with GDPR requirements for appropriate safeguards even in a case in which the laws of the relevant third country have not been judged “essentially equivalent” to those of the EU - as was the case for US law in Schrems II on the basis of US surveillance programmes and the lack of legal remedies available to EEA data subjects. In relation to this issue:
    • The judgment seems to refer to a possibility to rely on “additional safeguards” or “supplementary measures” to address this, but without providing practical examples. In its responses to frequently asked questions on the judgment, the European Data Protection Board (“EDPB”) has indicated that it will provide further guidance soon but for now has simply indicated that “these would have to be provided on a case-by-case basis, taking into account all the circumstances of the transfer and following the assessment of the law of the third country, in order to check if it ensures an adequate level of protection”. One possibility is that businesses may seek to rely to a greater extent on encryption and other similar technologies in future.
    • It may also be possible to argue that if third country laws which pose a challenge in demonstrating an adequate level of data protection clearly do not apply to a certain kind of data transfer, then they should not affect the overall assessment of appropriate safeguards. There is no specific guidance on this point as yet, though the EDPB’s responses to frequently asked questions did indicate that the scope of application of a third country’s laws may be relevant. (It noted that the US law referred to by the CJEU “applies to any transfer to the US via electronic means that falls under the scope of this legislation, regardless of the transfer tool used…”.)
  • In the UK, in its recent statements the ICO has indicated that it is considering the judgment “and its impact on data transfers which are vital for the global economy”. It has now drawn attention to the recommendations of the EDPB in respect of the need to conduct a “risk assessment as to whether SCCs provide enough protection within the local legal framework” and signalled that it will continue to provide “practical and pragmatic advice and support” as consideration of the impact of the judgment continues.
  • In the US, while noting the judgment, the Department of Commerce has so far stated that it “…will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List”.
  • By contrast, the Council of Europe has sought to put forward a separate global solution. It notes that: “Some influential voices have been calling, in the aftermath of the Schrems II decision, for a legally binding international agreement for the protection of privacy and personal data. This instrument exists: it is Convention 108+.” It goes on to note that it is the “only legally binding multilateral instrument on the protection of privacy and personal data open to any country in the world”.

Further potential consequences

There is a possibility that the judgment may result in greater data localisation, i.e. some companies may decide to store all data in the EEA, indirectly localising data. It is unclear however to what extent such a step could have unintended consequences, including the possibility of leading other countries or geographical regions to adopt similar approaches, with potential negative impacts for businesses and consumers alike if global data flows were seriously affected. By contrast, there may be a gradual move towards more globalised standards of data protection which could eventually lead to more standardised approaches to international transfers and less hindrance to data flows at an international level.

What else can businesses do?

Look out for further updates from governments, DPAs, the European Commission and the EDPB which are likely to be available soon. It is also possible that:

  • the Commission may shortly propose the adoption of new SCCs and that the UK could take a similar approach in future in respect of its own data protection regime; and
  • the EU and US may seek to negotiate a further arrangement to succeed both the previous Safe Harbor Agreement and EU-US Privacy Shield.