How not to get (too) hurt by Schrems II judgment for your data transfers?

23.06.2020 - The Court of Justice of the European Union (CJEU) has recently announced that on 16 July 2020 it will deliver the judgment in CJEU case C-311/18 (also known as “Schrems II” case).

Roxana Ionescu & Madalina Bucur

Many companies have already marked this date in their calendars and are eagerly awaiting the CJEU judgment, since it will determine the validity of the Commission’s standard contractual clauses (SCCs). The stakes are high, as many companies constantly rely on these SCCs to ensure the adequacy of their data transfers outside the European Union, both for intra-group transfers and for transfers to third parties.

So what can companies do in preparation for the pending CJEU ruling?

Let’s take a look at certain aspects of the Schrems II case and at the measures all businesses should think about if they wish to act fast, if necessary, following the CJEU judgment.

What are the SCCs?

  • Under the General Data Protection Regulation (GDPR), a cross-border transfer[1] of personal data may take place if the Commission decided that the third country ensures an ‘adequate level of protection’ of the data transferred to it.
  • In the absence of such an adequacy decision, and subject to certain derogations, the transfer may occur only when ‘appropriate safeguards’ regulated under GDPR accompany it[2].
  • Of these, SCCs are probably the most common tool chosen in practice to legitimize cross-border transfers. These take the form of a contract between data exporter and data importer, setting out certain requirements aimed at ensuring the protection of personal data and of data subjects’ rights.
  • So far, the Commission has issued two sets of SCCs for transfers made to data controllers and one set of SCCs for transfers made to data processors established outside the EEA[3].
  • The validity of all three sets of SCCs will fall under the CJEU judgment.

What is the dispute under the Schrems II case?

  • The Schrems II case represents the continuation of a complaint made by Mr. Maximilian Schrems against Facebook in 2013, which led to the invalidation of the US-EU Safe Harbor framework by the CJEU.
  • While the context of the Schrems II case is quite complex, the main dispute concerns the validity of SCCs.
  • In short, Mr. Schrems argues that the guarantees afforded to cross-border data transfers under the SCCs are not sufficient to ensure a proper protection of personal data and of the right to respect for private life.
  • There are also some aspects raised on the US-EU Privacy Shield framework which, viewed from a certain perspective, would result in its validity also being challenged, at least indirectly.

What is the Advocate General’s opinion in the Schrems II case?

  • In the opinion, the Advocate General found that:
    • the SCCs are a valid transfer mechanism under the GDPR;
    • however, with respect to particular transfers, data controllers (and afterwards, supervisory authorities in case data controllers fail) have to ensure that public authorities in the third country will not impair the protection granted in the EEA to the personal data transferred;
    • the validity of the Privacy Shield framework is not a direct issue raised in the Schrems II case, and thus the CJEU should not rule on it; even so, the Advocate General noted certain doubts as to the conformity of the Privacy Shield.
  • The Advocate General’s opinion is not binding on the CJEU; however, in most cases, the CJEU follows the conclusions of the Advocate General. It remains to be seen whether the CJEU deviates in this case from its usual approach.

Why is the CJEU judgment in the Schrems II case so important?

  • If the CJEU invalidates the SCCs (and, less likely, the Privacy Shield framework), all companies which have been relying on these will have to direct their efforts to establishing other mechanisms for their cross-border transfers.
  • This may prove very challenging in practice, if we consider the alternative safeguards available; it is nothing new that none of these is easy or feasible to implement in practice to legitimize a systematic transfer of personal data to different countries outside the EEA.
  • Until a solution is found, certain severe decisions may need to be made by companies (e.g., temporarily ceasing the transfer of data to third countries) to avoid fines under GDPR and compensation claims from data subjects whose data are being transferred.
  • This is why companies should start preparing for the CJEU judgment, if they have not already done so.

What to do to prepare for the CJEU judgment in the Schrems II case?

Companies may consider taking at least the following precautions while waiting for the CJEU judgment:

  1. Identify and map all data transfers outside the EEA which are based on SCCs, if such a mapping is not already in place;
  2. Assess the importance of these data transfers for the business operations;
  3. Try to identify alternatives which would not require further transferring the personal data outside the EEA;
  4. Assess the costs and formalities relating to such alternatives and the business needs;
  5. Review the agreements in place with data importers, the remedies and the risks if the agreements could no longer be executed;
  6. Check if other safeguards (e.g., Binding Corporate Rules) are appropriate or feasible to rely on; assess the formalities that have to be undergone for putting in place such other safeguards;
  7. Initiate discussions with data importers to take their pulse in this matter;
  8. Assess the derogations under Article 49 of GDPR, if none of the above solutions are applicable;
  9. Prepare for receiving more data subject access requests than current numbers; customer-intensive sectors, such as banking, insurance and online retail, are expected to see the highest number of such requests based on current Romanian market trends;
  10. Review action plans that may have been adopted in the context of the Safe Harbor invalidation, especially if they have proven to be useful in that instance;
  11. Make the management aware of the risks and present an action plan to mitigate them.

We are looking forward to the CJEU judgment in the Schrems II case. Stay tuned for more updates on this subject.


[1] Transfer of personal data to countries outside the European Economic Area (EEA).

[2] The same rules apply in case of transferring personal data to an international organization.

[3] The SCCs sets are available here.