The European Court of Justice (CJEU) recently published plans to issue its much awaited decision in CJEU case C-311/18 (also referred to as “Schrems II”) on July 16. The ruling will impact how organizations lawfully transfer personal data from the EEA to jurisdictions not providing an “adequate” level of data protection in accordance with the GDPR. The ruling will specifically address the validity of the European Commission’s standard contractual clauses (SCCs) and it may also affect operation of the EU-US Privacy Shield. On May 18, the European Data Protection Board (EDPB) published a report on its 2019 activities that may signal whether it plans to influence further development of this area.
Is the EDPB working on a successor for the SCCs?
Notably absent from the report is any indication that the EDPB has already undertaken work to outline general mechanisms that could survive a negative ruling from the CJEU. The annual report only indicates that the “expert subgroup” on International Transfers worked on guidance on the rules for international data transfers under Chapter V GDPR. However, it is striking that the report does not expressly mention any work of the EDPB relating to the approval of additional standard data protection clauses. Such standard data protection clauses may be adopted as an alternative to the SCCs and could therefore serve as a fallback in case of an invalidation of the SCCs in the “Schrems II” case. However, the EDPB’s program for 2019/2020 (published in February 2019) listed the work on standard data protection clauses under Art. 46(2) GDPR as one of the EDPB’s recurrent activities, which suggests that the standard data protection clauses are still on the EDPB’s agenda for the remainder of 2020.
Possible outcomes of the “Schrems II” case with regard to SCCs
Early signals in the case indicate that the CJEU may find that existing SCCs remain a valid international data transfer mechanism, but there is a chance that the CJEU would (at least “partly”) invalidate not only SCCs but also the EU-US Privacy Shield Framework, which offers an alternative mechanism for participating organizations to import personal data from the EEA. In its Opinion of 19 December 2019, the Advocate General of the CJEU (AG) concluded that companies exporting personal data to non-EEA jurisdictions must assess their use of SCCs by means of case-by-case due diligence for each particular transfer, in order to ensure the lawfulness of the transfer. In addition, the AG expressed “certain doubts” regarding the adequate level of data protection provided in the US, in particular considering the activities of US intelligence services. Given that the CJEU is not bound by the Opinion of the AG, the most frequently discussed outcomes of the “Schrems II” case are the following:
- “Partial” invalidation of the SCCs: It is possible that, in line with the AG’s Opinion, the CJEU regards the SCCs as valid in principle but rules that exporters and national data protection authorities must assess the ability of the parties to meet their relevant obligations under the SCCs, and that, in the absence of such practical ability, the authorities should suspend affected data transfers to certain countries. This may in particular concern data transfers from the EU to the US if the CJEU should find that the safeguards provided by the Privacy Shield are not sufficient to protect the rights and interests of data subjects in light of the surveillance activities of the US authorities.
- Complete invalidation of the SCCs: It is also theoretically possible that the CJEU rules that SCCs are completely invalid and cannot be used for international data transfers to data importers in non-EEA jurisdictions.
What to do now
With less than two months to go before the CJEU is expected to issue its ruling, the EDPB’s signal that it will take up the issue of international data transfers is welcome. Companies that transfer personal data to jurisdictions outside the EEA should nevertheless mark July 16 on their calendars and make sure to take timely precautions that will allow them to react quickly in the aftermath of the final decision of the CJEU, irrespective of whether the CJEU will follow the AG’s Opinion or invalidate the SCCs and/or EU-US Privacy Shield altogether. As a starting point, this may include the following precautions:
- Map international data flows: If not already done (for instance through records of processing activities in accordance with Art. 30 GDPR), companies should map the international data transfers under their responsibility. This comprises both intra-company data transfers and data transfers to third parties, including vendors and other business partners.
- Perform adequacy due diligence: Once the relevant data flows are identified, companies should carry out case-by-case assessments of the safeguards they apply to data transfers as relevant under the GDPR. Where SCCs are used as safeguards, a more detailed assessment may be required of whether the data importer in the recipient jurisdiction is able, in practice, to live up to its commitments under the SCCs, taking into account possible disclosure requests under local laws. In some scenarios, companies can also consider the use of vendor questionnaires in order to test how their service providers can help them to comply with rules on international data transfers.
Possible risk-mitigation measures
In any case, it is recommended to closely monitor the developments in the “Schrems II” case as well as the activities of the EDPB as 2020 progresses. In order to address potential risks resulting from the pending CJEU proceedings on the validity of SCCs and the EU-US Privacy Shield, companies may consider the following measures, as appropriate:
- Use “SCC plus” contract language: As a “quick-fix,” companies should assess options to address remaining concerns on the adequacy of the level of data protection in the recipient jurisdiction by the use of additional contract language. Such “SCC plus” contract language may, for instance, expressly set forth rules for the handling of government requests for access to personal data. Given that “SCC plus” language will not fully remove compliance risks and may not be accepted by all national data protection authorities, companies should simultaneously work on implementing alternative mechanisms, as outlined below.
- Rely on service provider Processor BCR: With regard to external service providers (e.g., cloud services), companies should check whether such service providers offer Binding Corporate Rules (“BCR”) for their activities as data processors. Such “Processor BCR” serve as appropriate safeguards where use of the services requires international transfers to the service provider.
- Apply for approval of BCR: Companies seeking a long-term solution for their international data transfers may consider applying for BCR to govern international data transfers within a group of companies.
- Apply for approval of ad-hoc clauses: As an alternative long-term measure, companies may also consider applying for approval of their own standard contractual clauses following Art. 46(3)(a) GDPR. Similar to the BCR, such approval is based on coordination among the European data protection authorities, and therefore provides a high level of legal certainty.
- Check applicability of exemption rules: Where all else fails, it might also be possible to base a data transfer on an exemption rule listed in Art. 49 GDPR. However, the respective exemption rules are interpreted very narrowly and will only work in exceptional scenarios, and so should be avoided as a regular option.