Schrems II: The Implications for Data Transfers and SCC
More than a year on, the consequences of the SCHREMS II ruling are still being determined across the legal and business worlds. Below, we hear from Thomas Olsen, partner and data protection specialist at Simonsen Vogt Wiig, who discusses the ruling and the latest guidance issued by the European Data Protection Board. What new regulatory pitfalls should companies watch out for in the months ahead?
In brief, what was the Schrems II decision and how has it had such a widespread effect on international data transfers?
In a landmark ruling on 16 June 2020 (Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II)), the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield with immediate effect. From the point of announcement, a large number of organisations on both sides of the Atlantic lacked a legal basis for their transfers of personal data from the EEA to the US.
However, the most significant effect of the Schrems II ruling is arguably related to the much-used EU standard contractual clauses (SCC) adopted by the EU Commission, which are also the most obvious alternative to the EU-US Privacy Shield for transfers to the US. While the CJEU found the SCC still valid, in order for the data exporter and data importer to rely on SCC they must verify that there is no reason to believe that any laws or practices applicable to the data importer hinder the data importer in fulfilling its obligations under the SCC. Thus, the CJEU has put a heavy burden on businesses to assess the surveillance and security laws of the third countries they transfer personal data to.
If there are problematic laws or practices in the country of destination, e.g. on third country government binding requests or direct monitoring of data, they would need to stop transferring personal data, e.g. move data processing to the EEA or terminate the agreements with the relevant service providers, unless they are able to establish efficient supplementary measures against the laws or practices. To be efficient, such measures would typically need to involve pseudonymization or encryption managed by the customer or a third party. Due to the stricter transfer requirements, most companies will need to make changes to their business processes and/or use of providers. For some companies, Schrems II has probably had a greater impact than the introduction of the General Data Protection Regulation (GDPR) itself.
What is the most recent guidance that the EDPB has issued regarding data transfers?
On 18 June 2021, the European Data Protection Board (EDPB) issued its much-awaited updated recommendations on the Schrems II decision and data transfers under the GDPR. The guidance was published following a public hearing on a first draft issued in November 2020. Despite heavy markup to accommodate many critical comments, the latest guidance maintains the six-step approach to carrying out a transfer impact assessment and sets a very high bar for using SCC and binding corporate rules (BCR) as a legal basis for transfers to the US and other third countries.
The most significant change is that it allows data exporters to make more concrete assessments of whether any problematic law or practice in the country of destination in practice has an impact on the transfer in question. In particular, as part of an overall assessment, which, inter alia, covers use of sub-processors, purposes of processing, categories and format of the personal data and security measures, the parties may take into account the data importer’s documented experiences related to prior instances of requests for disclosure from public authorities, or the absence of such requests. For example, the data exporter may be able to establish a robust assessment of instances of support from third countries if the provider can document that over the last years there have been no instances of requests from public authorities and this is corroborated with publicly available and reliable information.
The European Commission adopted new Standard Contractual Clauses (SCC) in June. How do these differ from the SCC used before Schrems?
Following the CJEU’s scrutiny of the “old” 2010 SCC adopted under the 1995 Data Protection Directive in the Schrems II case, the European Commission adopted new SCC under the GDPR on 4 June. Not surprisingly, the new SCC provide enhanced protection of personal data, in particular related to the handling of third country government requests for personal data. In line with the EDPB Schrems II recommendations, the parties commit to document and make available their assessments that there is no reason to believe that the laws and practices in the third country of destination prevent the data importer from fulfilling its obligations under the clauses.
The greatest innovation, however, is that the new SCC cover four modules to cater for various transfer scenarios. As under the old SCC, they cover controller-controller and controller-processor transfers. The new SCC also have modules to cover processor-(sub-)processor and processor-controller transfers. This means that for the first time, a processor is able to establish a legal basis for its transfers to its sub-processors or controller customers outside the EEA. It is also important to note that the controller-processor and processor-processor modules fulfil the requirements for a data processing agreement. Contrary to earlier practice, there is no need for a separate data processing agreement in addition to the SCC. Hence, there is much more flexibility in how the parties set up the contractual framework to cover their obligations relating to data processing agreements and legal basis for transfer.
What other factors related to the SCC should companies be aware of following 27 September?
Any new transfer agreements need to be based on the new SCC from 27 September, whereas already executed old SCC must be replaced with new SCC before 27 December 2022. Many of the major cloud providers have already rolled out new data processing terms which incorporate the relevant modules of the new SCC. If the customer is not in a position to negotiate, the customer is nevertheless advised to review and assess whether the new conditions are adequate before accepting. From a compliance perspective, the customer will often be better off by accepting the updated contractual framework. However, we see that where the parties have spent time negotiating the existing data processing terms, replacing the terms with the new SCC could trigger many of the lengthy discussions relating to liability and allocation of risk and costs which took the parties weeks or even months to negotiate in the past.
Are there any other significant areas of data transfer regulation that have yet to be clarified by the EDPB or other relevant European bodies?
The GDPR transfer rules, the Schrems II ruling, and the EDPB recommendation all focus on the situation where personal data is being transferred from a data exporter to a data importer, i.e. processed in a third country or accessed by personnel in a third country. However, little light has been shed on the requirements in the common situation where an EEA customer has agreed with a cloud provider that all storage and processing shall take place in the EEA.
Arguably, this situation is clearly outside the transfer rules and the Schrems II requirements since there is no transfer of personal data. However, if the cloud provider is subject to third country surveillance laws it could equally be argued that the data is exposed to some of the same risk as if the data were transferred to a third country. The Norwegian supervisory authority has stated that while the transfer rules do not apply, the authority recalls the general requirements under GDPR art. 28 that the controller shall only use processors providing sufficient guarantees, including with respect to information security, to meet the requirements of the GDPR. Furthermore, if a customer considers entering into an agreement stating that the provider may disclose personal data to third country authorities if required under mandatory law, the Norwegian supervisory authority has signaled that this requires a legal basis for sharing data from the customer to the provider (who could be considered a controller when disclosing data according to mandatory requirements).
It remains to be seen whether this stance will be followed up by the supervisory authorities. Nevertheless, it adds to the list of complex assessments that companies are expected to carry out and illustrates some of the uncertainty regarding both transfers and data stored by international cloud providers in the EEA.
What advice would you give to companies that rely on international data transfers, and what regulatory developments do you expect to see in this area going forwards?
It is important that companies go through their lists of providers and business partners and map data transfers with a view of prioritising these based on the degree of exposure to the new, stricter transfer requirements. We believe the supervisory authorities will allow a reasonable time to implement supplementary measures or to move to alternative providers in relation to existing services. However, companies should be very cautious in engaging new providers where they are uncertain about compliance with the transfer rules.
Hopefully the EU and US will succeed in the ongoing negotiations for a transfer agreement to replace Privacy Shield in the coming months. Such an agreement would of course facilitate transfers to the US, although there is a risk that it could face the same fate as its predecessors Safe Harbor and Privacy Shield. Nevertheless, we believe that supervisory authorities will expect to see risk-based assessments as set out in the EDPB recommendations and in the SCC in the foreseeable future, and international data transfers will continue to be perhaps the most complex area of GDPR compliance.
Thomas Olsen, Partner
Filipstad Brygge 1 Oslo, 252 Norway
Tel: +47 922 56 404
Simonsen Vogt Wiig (SVW) is one of the largest Norwegian law firms. With its team of over 180 lawyers, the firm provides full service legal advice to international business clients from its offices in Norway and Singapore. SVW is also ranked number one among Norwegian law firms for being at the “forefront of digitalisation”, according to a customer survey conducted by Prospera.
Thomas Olsen is a partner at SVW whose areas of specialisation include data protection (GDPR), cybersecurity, IT & digitalisation and compliance & risk. He holds a PhD in data protection law and was previously the leader of the Norwegian Bar Association’s committee for ICT and Privacy. Thomas heads SVW’s data protection practice, which has been ranked number one in Finansavisen’s 2019, 2020 and 2021 survey of Norwegian lawyers.