27 October 2020

Is this the end for personal data transfers to the US?

Since 16 July 2020, companies transferring personal data from the EU to the US, including employees' personal data, have had a difficult nut to crack. The Court of Justice of the European Union invalidated the decision in the Privacy Shield case, depriving companies of the possibility of basing data transfers to the US on this basis. However, the Court's judgment (so-called Schrems II) may have serious consequences for companies transferring data to other countries outside the European Economic Area as well.

Privacy Shield - end to transfers on this basis

In light of GDPR provisions, it is generally only possible to transfer personal data to a third country, i.e. outside the European Economic Area ("EEA"), if a decision of the European Commission concerning the provision of an adequate level of data protection is issued in relation to a given country or if appropriate safeguards specified in GDPR are ensured (e.g. by means of standard contractual clauses or binding corporate rules).

Companies transferring data to the US have so far benefited from Commission Implementing Decision 2016/1250 on the adequacy of protection provided by the so-called EU-US Privacy Shield. However, in its judgment in case C-311/18, the CJEU ruled that this decision is invalid due to the fact that the US does not provide an adequate level of protection for personal data transferred from the EU. The CJEU allegations mainly concern programmes that allow US authorities to access personal data transferred to the US for reasons of national security. In such cases, local laws do not grant data subjects rights that could be enforceable against US authorities before the courts.

This means that those companies that have transferred personal data to the US, including employees' personal data on the basis of the Privacy Shield, should, once the CJEU has delivered its judgment in Case C-311/18, immediately cease transferring personal data on that basis.

Are standard contractual clauses a solution?

In a situation where the Privacy Shield has been invalidated, it would be reasonable to turn to standard contractual clauses. In its judgment, the CJEU also referred to this safeguard for transfers to third countries. The CJEU upheld the validity of the decision on the clauses, holding that there are no arrangements which could affect the validity of the Commission's decisions in this respect. The CJEU, therefore, did not challenge the possibility for companies to use this basis for data transfers.

Importantly, however, in its judgment, the CJEU puts an end to the automatic application of standard contractual clauses. Indeed, the CJEU points out that it is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses. The CJEU thus emphasised that entities transferring data to third countries should not automatically consider that the use of the standard contractual clauses will be sufficient to ensure an adequate level of data protection. This issue should be examined on a case-by-case basis in relation to the country to which the data are to be transferred.

What does this mean in practice? Companies transferring data to third countries may use standard contractual clauses. However, the transfer should be preceded by an analysis of whether the country to which the data will be transferred complies with data protection to the extent required by EU law. Only then will it be possible to establish whether the guarantees provided by the standard contractual clauses can be respected in practice. If this is not the case, the company transferring personal data should consider whether it is able to apply additional measures to ensure data protection at an appropriate level. In practice, it may prove difficult to comply with these requirements, especially for an individual assessment of whether a country provides an adequate level of protection. Conveniently, the European Data Protection Board ('EDPB') is working on guidelines for additional measures to complement the standard contractual clauses. It has also set up a task force to deal with complaints following the CJEU judgment in Case C-311/18.

What about transfers to the US using standard contractual clauses? In its explanations published after the CJEU judgment, the EDPB indicates that whether or not you can transfer personal data on the basis of standard contractual clauses will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with standard contractual clauses, following a case- by-case analysis of the circumstances surrounding the transfer, would have to ensure that US law does not impinge on the adequate level of protection they guarantee.

However, it appears that, in light of CJEU findings concerning the failure by the US to ensure an adequate level of data protection, an individual assessment by the data transferor leading it to different conclusions would have to be carried out with caution. One of the problems raised by the CJEU is the opportunity for US authorities to access data in transit towards US territory, by accessing underwater cables on the Atlantic floor. An entity transferring data to the US would therefore have to ensure, among other things, that the measures it has taken prevent such access.

In its explanations EDPB confirms that the CJEU's observations on the verification of ensuring adequate protection also apply to the application of binding corporate rules.

Can data be transferred on another basis?

It is worth remembering that in the absence of a decision of the European Commission confirming an adequate level of protection or the absence of adequate safeguards, the transfer of data to a third country may take place on the basis of the exceptions specified in Article 49 GDPR. These include, among others, the explicit consent of the data subject informed about the possible risks which, due to the absence of the aforementioned decisions or safeguards, the transfer may involve, the necessity of executing an agreement between the data subject and the controller or the need to conclude or execute an agreement concluded in the interest of the data subject. There is no doubt that this provision will now be the subject of in-depth analysis among companies.

What should companies do in practice?

It is not clear, also for European supervisory authorities, how data transfer to third countries will now take place in practice. Nevertheless, the starting point for companies should be a detailed overview of data transfers outside the EEA (including those carried out through processors).

The review should primarily identify transfers to the US, including their legal basis. In the case of transfers under the Privacy Shield, transfers to the US should be discontinued (if the transfer is made in connection with the use of a particular IT tool, it is worth verifying whether the provider allows the use of servers located in the EU), or carefully consider a transfer on another basis.

In the case of transfers pursuant to agreements based on standard contractual clauses or binding corporate rules, an analysis should be carried out to determine whether the country to which the personal data are transferred provides an adequate level of data protection and, if not, what safeguards can be applied to ensure it.

Undoubtedly, the guidance published by EDPB should continue to be followed up, as well as the development of cases pending in relation to the complaints lodged following the CJEU judgment in Case C-311/18 by NYOB (an organisation founded by Max Schrems), including the Data Protection Authority, which may prove helpful in ensuring compliance with the requirements specified by the CJEU.

Katarzyna Żukowska, Karolina Romanowska