International Data Transfers – while we are waiting for Schrems II
As organisations are slowly finding their way back to regular business, it may be timely to look back to the opinion of Advocate General Mr. Henrik Øe in the Schrems II case, delivered in December 2019, and the possible implications for organisations of the coming ruling from the European Court of Justice (ECJ). The case concerns international data transfers and the validity of the European Commission’s standard contractual clauses for the transfer of personal data to processors established in third countries.
But before getting ahead of ourselves and going right to the opinion, let’s focus a bit on why the case matters and the larger picture of data transfers.
What is an international data transfer?
In the course of this paper, the term “data transfer” will be used. To ensure alignment around the term, it is beneficial to give a definition. In this paper, “data transfer” will be used for situations where personal data leaves a “regulated area”, either by being transmitted or by being made accessible. A regulated area means a jurisdiction where the processing of personal data is subject to legislation, e.g. GDPR for the European Economic Area (EEA).
If you are part of an international organization, you will find that information on employees, customers, partners and other data subjects flows throughout the systems and organisational layers, i.e. from local to global and vice versa. Being able to share, store or maintain data across countries and entities allows for a better use of available resources, whether through the creation of shared service centres (e.g. HR or financial services), centralization of IT systems, use of cloud services, SMEs in global functions etc.
So, while the benefits of data transfers are evident and easily observed, they come with a cost when those transfers concern personal data as defined in the various privacy legislation across the world and the data leaves a regulated territory or country.
The idea of data sovereignty
Within the EEA, which comprises the EU, Iceland, Norway and Liechtenstein, a data transfer out of the territory requires that certain legal criteria are met, as described in chapter 5 of GDPR. As the overriding principle, personal data may only be transferred outside the EEA if the level of protection afforded to individuals is adequate compared to that of EU legislation. For the recipients, or data importers, this means that data processing, applied systems and governance may be impacted based on the origin of the personal data. Similar rules apply in varying degrees in other jurisdictions. Take for instance the Russian Data Localisation Law from 2014, which requires that the primary processing of Russian citizens’ personal data collected in Russia takes place in Russia, or the Chinese Cybersecurity Law prohibiting a transfer of sensitive data out of China.
The three regulatory examples mentioned above all relate to the evolving global trend of data sovereignty, and the idea that data is regulated based on the origin of the personal data. Irrespective of the justification for data sovereignty, organisations that make use of hyperscale public cloud services, apply centralized solutions or otherwise share or access personal data must make certain initial assessments before personal data from a country with data sovereignty rules is transferred, and must put relevant safeguards in place. For instance, in the case of GDPR, one safeguard may be to conclude a standard contractual agreement, drafted by the European Commission, to allow for the transfer of personal data out of the EEA. By doing so, the data importer becomes subject to the requirements of European data protection legislation, and third-party rights for the individuals whose personal data is transferred are also legally introduced. Aside from the group-oriented Binding Corporate Rules and the so-called adequacy finding of the European Commission (so far 13 countries outside the EEA have an adequacy finding), there is the possibility to rely on consent and on some exceptions that are quite narrow and, in practice, only relevant for very few industries and situations.
This brings us back to our teaser – Schrems II – and the possible implications for companies based on the opinion of the Advocate General.
Opinion in Schrems II case
On its face, Schrems II deals with the essential question of whether the aforementioned standard contractual clauses for use with processors may be used when transferring personal data out of the EEA. The case is a request for a preliminary ruling from the High Court in Ireland to the European Court of Justice. Such requests are necessary when a national court must rule on a question of EU legislation.
More specifically, the case concerns Facebook’s use of the European Commission’s model clause agreements as a means of transferring personal data from its Irish affiliate to the US. In Schrems I, the former law student and now head of the EU-based privacy organization None of Your Business, Max Schrems, successfully landed a fatal blow on the EU-US Safe Harbor arrangement, triggering the foundation of the EU-US Privacy Shield now in place between the two. After this, he filed a complaint with the Irish supervisory authority, the Data Protection Commissioner (DPC), concerning Facebook’s transfer of personal data, which was now based on the standard contractual clauses. The agreements are widely used by organizations, not only Facebook, and not only for transfers to the US but worldwide. Curiously, however, in this case it is the Data Protection Commissioner that represents the view that the standard contractual clauses are invalid, not Schrems. The reason, according to the DPC, is that US laws do not offer effective remedies. Since the standard contractual agreements only apply between the data exporter and the data importer, and not to the data importing country, it would not be possible to make up for that deficiency by use of the agreements – and thus, in the view of the DPC, it should be considered whether the clauses were valid at all.
An invalidation would not only deal another blow to Facebook but would also leave other organisations with international data transfers involving GDPR regulated personal data in peril.
The Advocate General’s opinion: “The standard contractual clauses are valid.”
Obviously, that is a relief for most organisations. However, in the opinion of the Advocate General, data exporters and supervisory authorities alike will be required to do more in terms of assessing the laws of the data importer’s country on a case-by-case basis. Specifically for the data exporters, this means an examination that entails “a consideration of the circumstances characterising each transfer, which may include the nature of the data and whether they are sensitive, the mechanisms employed by the exporter and/or the importer to ensure its security, (…) the nature and the purpose of the processing by the public authorities of the third country which the data will undergo, the details of such processing and the limitations and safeguards ensured by that third country”, further noting that “(t)he factors characterising the processing activities carried out by the public authorities and the safeguards applicable in the legal order of that third country may, in my view, overlap with those set out in Article 45(2) of the GDPR”.
The nature of the data and the mechanisms employed to ensure its security should be known to the data exporter merely by completing the annexes to the standard contractual clauses; however, knowing if and on which conditions data may be processed by public authorities in the data importing country is a different matter. Today, the practical solution is found in clause 5(b) of the standard contractual clauses, in which the data importer agrees and warrants that it has no reason to believe that legislation prevents it from complying with the clauses, and that it will promptly alert the data exporter if it becomes aware of such legislation.
It will be interesting to see what the ECJ decides and whether it agrees with the Advocate General’s view on prior examination by the data exporter. There is a risk of significant impact on organisations such as cloud service providers that do not offer regionally or nationally hosted data centres.
Impact beyond the EU and US
One of the dangers during these periods of intense scrutiny and debate about EU and US trade relations is a tendency to forget about the ramifications of any decisions beyond the US. The importance of EU/US relations means that whatever well-intentioned disruption is caused, the adverse effect is likely to be temporary: a bilateral solution will be prioritised and implemented. This will not be the case for regions such as the Middle East, Africa, Asia-Pacific and Latam, where standard contractual clauses are fundamental enabling mechanisms for the legitimate transfer of personal data across international jurisdictions. The risk of an outcome where standard contractual clauses are no longer available as a data transfer mechanism reinforces the importance of countries in locations like the Middle East and Africa pressing ahead with implementation plans for GDPR-inspired data protection laws that will support adequacy claims. Doing so will likely position these countries positively in an era of accelerated digital transformation and help differentiate them from regional competitors.
The current pandemic has re-emphasised the interconnectedness of our global economies and highlighted the thought leadership and financial role that Europe can play in the recovery of many of these emerging markets, particularly during a period where nationalist policies see US influence diminishing in many of these geographies. Enabling the delivery of outsourced digital services, re-establishing local tourism industries or providing EU citizens with access to emerging market investment opportunities has the potential to help kickstart these economies and deliver a sustainable future.
What you should do now
Irrespective of the ruling of the ECJ, it is highly recommended to have a consolidated overview of the data transfers utilised by your organization. The overview should enable you to determine:
- the nature of the personal data, and more precisely, its origin and whether special categories of personal data are processed;
- the identity and countries of the data exporter and data importer;
- the legal basis justifying the transfer of personal data (e.g. standard contractual clauses etc.); and, if required:
- a reasonable understanding of any data sovereignty and data protection regulations (or lack thereof) in markets where you are intending to expand operations, either directly or through a supply chain partner.
If you are based in the EU, much of this information will already be part of your Article 30 records (records of processing activities).
As data transfers are added, modified and removed continuously, you also need to have a process around the overview to ensure that your information is up to date.
Your checklist for getting ready for Schrems II:
- Assess your organisation’s current data transfer practices and their maturity;
- Close any gaps by implementing robust practices for evaluating data transfer implications and requirements;
- Assign clear responsibility for the process to relevant units (e.g. legal, procurement);
- Document your data transfers.
Different tools are available that will make it easier for your organisation to keep your data transfer records evergreen. This will allow you to better identify, assess and remedy risks in relation to international data transfers, keeping in mind that data sovereignty is not limited to GDPR.