On July 16, 2020 the Court of Justice of the European Union (“CJEU” or the “Court”) upheld a cornerstone judgment in the Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems case (Case C-311/18—or the “Schrems II judgment”), concerning data transfers under EU Regulation 679/2016 (“GDPR”) and in particular transfers from Europe to the United States.
In the judgment, the Court struck down Decision 2016/1250 on the adequacy of protection granted by the EU-U.S. Privacy Shield (for further details check out our latest article here) and confirmed the validity of European Commission Decision 2010/87/EC on Standard Contractual Clauses (hereinafter, “SCCs”). To be more specific, what was at issue was not the validity of the SCCs, but their effectiveness. In fact, because of their contractual nature, SCCs are not binding upon the authorities of other countries to which the data may be transferred.
Therefore, the Court added that SCCs are considered valid as long as European Commission Decision 2010/87/EC includes effective mechanisms to ensure that non-EU countries comply with the essential level of data protection guaranteed in the EU by the GDPR. In that regard, the Court pointed out that the data exporter should verify, on a case-by-case basis—and, where appropriate, working in concert with the data importer—whether the law of the destination country complies with the level of protection that the EU affords personal data transferred under the standard protection clauses, and, if necessary, provide safeguards in addition to those offered by such clauses.
The Schrems II judgment created many uncertainties about the legal basis for future data transfers from Europe to the United States and the rest of the world. Indeed, even the European Data Protection Board (“EDPB”), which was supposed to clarify how the companies that transfer data to non-EU countries should implement the measures provided under the Schrems II judgment, seems to be struggling with the consequences of this decision. Indeed, the threshold set by the Court for transfers to the United States also apply to transfers to other non-EU countries whose legal system have not been declared adequate by the EU Commission,
Below is guidance for transferring data in compliance with the statement of the CJEU in Schrems II, pending any clarification from the EDPB. Preliminarily, it should be noted that:
The Schrems II judgment did not hold SCCs invalid, so they can still be used to transfer data. However, the CJEU found that U.S. law does not ensure an essentially equivalent level of data protection. Therefore, whether or not it is possible to transfer personal data on the basis of SCCs depends on an assessment, made by the data exporter working with the data importer, about the compliance of U.S. law with the EU level of protection of personal data. The assessment should be conducted while taking into consideration the circumstances of the transfers and any additional safeguards that could be provided by the parties. The same assessment should be conducted for any other transfers to non-EU countries that have not been deemed adequate in this regard by the EU Commission. In relation to transfers to the United States, it is unclear how the case-by-case assessment conducted by an EU exporter could override a negative assessment conducted by the CJEU.
The CJEU did not specify aspects that companies should consider in their assessments. Pending any clarification from the EDPB about the way to perform such assessments, exporting companies should carry out due diligence on three aspects: a) the legal system in the non-EU country receiving the data, in order to verify the rules for disclosure and access by governmental agencies; b) the legal system applicable to the importer to determine if it is subject to such laws; and c) the compliance of the importer with the EU level of data protection, ensuring that it has in place a procedure for notifying the exporter if a government demands access to the imported data.
If the laws of the importer’s country do not offer an equivalent level of protection, international transfers may still take place so long as both the data importer and the data exporter enter into SCCs and implement “additional safeguards.”
Therefore, as we await further clarification from the European authorities, the data importer and the data exporter may adopt the following additional safeguards on a case-by-case basis: a) a prior assessment of the data that need to be transferred, in light of the principles of proportionality and privacy by design; b) additional clauses that impose on the importer an obligation for prior notification to and consent of the exporter in the case of any request from the public authorities of the destination country; c) encryption of the data in transit; d) data pseudonymization; and/or e) cooperation between the importer and the exporter to provide data subjects with their rights to challenge disclosure of the data.
The Schrems II judgment did not BCRs, invalid. However, if according to the CJEU SCCs are not able to grant an EU level of data protection, the same would apply to BCRs. In fact, the EDPB specified that the possibility of transferring personal data under BCRs depends on the result of an assessment made by the data exporter working with the data importer about the compliance of U.S. law (or the law of any non-EU country whose legal system has not been deemed adequate by the EU Commission) with the EU level of protection of personal data. The assessment should be conducted while taking into consideration the circumstances of the transfers and additional safeguards that could be provided by the parties.
Nevertheless, case-by-case assessment of BCRs would deprive such rules of their main strength: legal certainty.
Article 49 GDPR provides the conditions under which transfers of personal data to non-EU countries may take place absent an adequacy decision under Article 45(3) GDPR or appropriate safeguards under Article 46 of the GDPR. However, the EDPB has cautioned, on two different recent occasions, that the derogations provided under Article 49 GDPR are not meant to be used for “systematic” transfers. This position prevents the use of Article 49 derogations as substitutes for systematic data transfers based on Articles 45, 46, or 47 GDPR.
An alternative solution for the EU exporter could be not to transfer data to the United States or any other non-EU country whose legal system has not been deemed adequate by the EU Commission. Indeed, the Berlin Data Protection Authority called for data currently stored in the United States to be relocated to the EU. However, this solution seems to ignore business reality. As a matter of fact, data storage in the EU is a valid solution only if no one from non-EU countries has access to the data. This seems to be unlikely, given current widespread business models, since it seems likely that at least some companies will want to store their data in the EU but then will want non-EU technical support to have access to the stored data whenever necessary. Moreover, data localization may incur higher costs for businesses. Such costs could be passed on to consumers and may trigger further data localization initiatives abroad, which would run contrary to the Commission’s objective to facilitate data flow and help EU companies to be competitive.
As for EU-U.S. data transfers, the best solution would obviously be to renegotiate a new, third arrangement to replace the Privacy Shield.
That could lead either to a “quick fix”–which would risk being rendered invalid again in the future by the CJEU—or to a more desirable and reasonable arrangement. However, U.S. commentators have expressed doubt that there is any chance of establishing a long-lasting EU-U.S. agreement that will operate from a position of legal certainty and as a valid legal basis for future transfers of data.
Despite that, there is still hope that in the coming years experts from both sides of the Atlantic will work together to create a solid arrangement for transatlantic data transfers.
The Schrems II judgment left a climate of uncertainty surrounding the future of data transfers. As we await further guidance from European authorities, companies should act promptly to develop and implement their own strategies.
 See the Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximilian Schrems, issued on July 23, 2020.
 See Guidelines 2/2018 on derogations of Article 49 under Regulation 679/2016, adopted on May 25, 2018. See also Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data, adopted on July 10, 2019.