EU-US Privacy Shield is not adequate;
The Standard Contractual Clauses/Model Clauses are valid, BUT
Only if the data exporter AND recipient verify that meaningful remedies will be available in the receiving jurisdiction.
In essence, that means the US has to be treated as 50 distinct jurisdictions, arguably requiring a database of data subject enforcement measures in each.
A key practical point is that organisations cannot regard Standard Contractual Clauses as a way merely to “paper over” the transfer of data. Verification of data subject rights/remedies is a crucial step. If that step is not taken, the data transfer is in breach of GDPR and (strictly) must stop.
Standard Contractual Clauses are valid – up to a point
The European Court of Justice (ECJ) has struck down the EU-US Privacy Shield, removing a key method for lawful transfers of personal data from the EU (and UK) to the US. As with its predecessor, Safe Harbor, the court considered that Privacy Shield could not provide adequate protection against the US Federal government’s bulk digital surveillance.
In the same judgment, the ECJ confirmed that Standard Contractual Clauses (SCCs) are a potentially valid safeguard for international transfers of personal data. However, the Court emphasised that the SCCs cannot be used merely to “paper over” a transfer of data. The data exporter and the recipient must verify, prior to any transfer, whether the required level of protection is adhered to in the state to which personal data is being transferred. If the SCCs cannot verifiably provide meaningful protection for data subject rights, then the data exporter is “obliged to suspend the transfer of data and/or terminate the contract” with the recipient.
What does this mean for EU (and UK) to US transfers?
Max Schrems, the Austrian privacy campaigner who brought the case to the ECJ, has suggested that SCCs cannot, in reality, be used to legitimise transfers of personal data to the US because the primacy of US Federal government digital surveillance means that verifiable and meaningful protection for data subject rights cannot be confirmed in any of the 50 States. That view is open to challenge, but it does mean that organisations must:
Be aware of any transfers of personal data to the US; and
More precisely, be aware of the particular US States to which personal data is being transferred; and
Seek specific confirmation that the receiving State affords meaningful protection based on the SCCs.
Without that State-by-State confirmation, the strict legal position is that personal data transfers must be suspended or terminated. If, as Schrems asserts, no US State can provide meaningful protection, then personal data transfers cannot be legitimised by SCCs.
Are regulators bound to act now?
When the EU-US Safe Harbor arrangement was struck down, EU data regulators adopted a pragmatic approach, essentially looking the other way until the replacement regime that became Privacy Shield was in place. Today’s judgment does not give regulators the same wriggle room. In particular, paragraph 121 states: “unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to SCCs if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country... and the protection of the data transferred cannot be ensured by other means”.
What other means might be available?
Unless the data exporter is part of a corporate group, with approved Binding Corporate Rules (BCRs), derogations based on GDPR Article 49 might provide the only available (and temporary) basis for EU-US transfers. The key derogations that might be relied on are:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(d) the transfer is necessary for important reasons of public interest;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
However, with the possible exception of explicit consent, the Article 49 derogations cannot be relied on to support “business as usual”. They are intended to provide cover for occasional and small-scale transfers of personal data. Consequently, while the smoke clears in the aftermath of Schrems II it is likely that many organisations will resort to explicit consent, perhaps supported by SCCs, as representing at least a defensible response to the demise of Privacy Shield.
The SCCs and other “third countries”
Today’s ruling confirms that the SCCs are potentially valid for international transfers of personal data, but that they are reliable only if accompanied by verification that they will provide meaningful protection. That confirms the need for a risk-management approach that asks:
Is there an adequacy decision in relation to the third country to which personal data is being transferred?
If not, is the transfer within our corporate group, and do we have BCRs in place?
If not, do we have verification that SCCs will provide meaningful protection in the third country to which personal data is being transferred?
Data flow mapping: the key to compliance?
As with all elements of GDPR compliance, accurate and ongoing data flow mapping is crucial. Do you know how and where personal data is being transferred from your organisation? If you are using cloud services, then data might be transferred to and stored in several countries, with a strong likelihood that at least some of the servers will be in the US.
If you have deployed any services based on technologies such as blockchain/distributed ledger, then you need to know whether the blockchain is public, private or “hybrid”. A public blockchain can be joined from anywhere in the world, and each time a new “node” is created or the ledger is updated, there is a transfer of data. If those transfers include personal data, then SCCs might be required. That risk might be addressed by keeping personal data “off the chain”, or by adopting techniques such as “zero knowledge proof” – but such measures are only likely to be considered if you are aware that the transfers are taking place.
Time to review GDPR compliance?
Today’s ruling in Schrems II is a major wake-up call in relation to GDPR compliance. Removal of Privacy Shield requires a specific check to determine whether your organisation has been relying on that regime for any transfers of personal data to the US. More generally, the ECJ’s emphatic ruling, that SCCs are not enough in themselves, and that there is a specific responsibility to verify meaningful protection for data subjects, provides a compelling argument for accurate and ongoing data flow mapping to ensure that your organisation is not caught out by unnoticed, or inadequately protected international transfers of personal data.
About the Author: Malcolm is a commercial and regulatory lawyer with extensive experience of contractual regulatory and legislative drafting in the UK and other common law jurisdictions.
Since qualifying in 1994 Malcolm has advised commercial, government and public sector bodies on a wide range of issues affecting electronic communications, transport, infrastructure and other development projects.
Malcolm is an internationally-accredited provider of legal and professional training. He has designed and delivered training on issues such as contract risk management, contractual and statutory drafting and regulatory policy in the UK, Africa, South-East Asia and India.
In 2013, Malcolm was appointed lead training consultant to the Law Society of England and Wales International Division, and more recently he has delivered training on Public Private Partnership laws and contracts on behalf of UKTI and the Foreign and Commonwealth Office Prosperity Fund in Liberia, Sierra Leone, Nigeria, Namibia, Zimbabwe, Zambia, Kenya, Tanzania, Uganda and South Africa.