Schrems II - back to square one?
Who said that a sequel never beats the original? While that may be a truism in Hollywood, it surely does not necessarily translate to Luxembourg. Based on the ruling handed down from the Kirchberg earlier this month, companies involved in transatlantic transfers of personal data will long remember the name of Schrems, Oscar Schrems.
On July 16, 2020, the Court of Justice issued its long-awaited ruling in the case Data Protection Commission v. Facebook Ireland, Schrems, commonly referred to as Schrems 2.
Schrems 2 essentially torpedoes the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies relied so far to conduct trans-Atlantic trade in compliance with EU data protection rules.
The decision also casts a long shadow over other personal data transfers from Europe to the U.S., given the Court’s statements about the nature of U.S. government access to private sector data. While the decision upholds the validity of standard contractual clauses, it requires companies and regulators to conduct case-by-case analyses to determine whether the foreign protections concerning government access to the transferred data meet EU standards.
This will impact companies in the U.S. and well beyond.
The Court has highlighted that the data controllers and (if the controllers do not act) the Data Protection Authorities have a duty to suspend or prohibit data transfers when they lack a valid legal instrument for the transfer. This means there is no chance of a “grace period” in this case.
Under the GDPR, continuing to transfer data without a valid legal instrument carries a penalty of up to €20 million or 4% of global turnover. NGOs, workers’ councils or individual users can bring complaints or file lawsuits, including for emotional damages.
In many cases, external non-EU/EEA providers were chosen with little consideration of the ramifications.
Many companies rely on the so-called Standard Contractual Clauses (SCC) to assuage any privacy concerns when performing transatlantic data transfers via their chosen and contracted provider. However, according to Schrems 2, data controllers and the relevant provider need to do a “case by case” analysis (para 134 of the Judgment) to check whether the provider is subject to any national laws that violate the GDPR and the Charter of Fundamental Rights.
This is far from a theoretical exercise, as many US providers of data processing services (like Google, Facebook and Amazon) fall under FISA 702 (which gives the US government far-reaching insight into processed data and falls foul of the Schrems 2 benchmark). As a result, EU data controllers may not be able to use them anymore, at least when relying on SCC.
You may be able to switch to an EU/EEA provider (or a provider from an “adequate” country like Switzerland) in many cases and thereby avoid any issues around data transfers altogether.
Even if using an EU/EEA provider may seem costlier initially, the time spent making a non-EU/EEA transfer legal may cost you more than what you save on a cheaper offer from abroad.
If you conduct a business involving regular data transfer across the pond, you may want to reach out to your DPO or privacy professional to find out how the legal summer blockbuster that is Schrems 2 affects you.