Double Trouble For Data Transfers Post-Brexit And Post-Schrems II?
The recent landmark Court of Justice for the European Union (CJEU) case C-311/18 (Schrems II), and the end of the Brexit transition period on 31 December 2020, will have a significant impact on the smooth running of international business.
On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long-running campaign by the activist Max Schrems, whose prior case before the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor. It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method of providing adequate data protection amongst US-based service providers which had European customers and regularly needed to transfer personal data from Europe to the United States.
Schrems II impacts not only the over 5,300 US companies that enjoyed Privacy Shield self-certification, but also the many thousands of EU and US companies that rely upon US companies in their supply chain for data processing. This supply chain could include outsourcing, cloud services, data processing, data storage, telecommunications and the like.
As a consequence of Schrems II, companies with operations in Europe must now check whether or not their suppliers, and any of their suppliers’ subcontractors or vendors, were relying on Privacy Shield. If they were, those businesses must now use an alternative method of legal compliance.
The most popular method of alternative compliance is the use of Standard Contractual Clauses (SCCs). These are form contracts published by the European Commission and executed between data exporters and data importers. They permit the lawful export of personal data from the European Union and essentially provide that personal data is protected to a European standard. SCCs contain a provision that requires the exporter and importer to check that there is no local law or other circumstances that could adversely affect the protection of the personal data.
The CJEU also ruled in relation to these SCCs. Companies must now assess each SCC to make sure there are no local laws that can adversely affect the protection of personal data to European standards. Many companies will have thousands of these contracts in place. Although it is often easier for the data importer to undertake this assessment, as it will have the same contract in place with many of its European customers, under law it is the data exporter, or the customer, that is responsible for this assessment being done correctly and on a case-by-case basis.
Technically, the United Kingdom has already left the European Union. Practically, however, the United Kingdom is in a transition period, during which all laws remain as they were until 31 December 2020. After this date, no EU laws, including the General Data Protection Regulation (GDPR), will form part of UK law. One key feature of the GDPR is that it permits the free flow of personal data amongst EU Member States.
Although the UK Government has already passed the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019, which will ensure that, on 1 January 2021, the UK data protection regime is essentially equivalent to the GDPR, this will not on its own be sufficient to allow the free flow of personal data from the European Union to the United Kingdom. What is required is for the European Commission to determine that UK data protection law is “adequate”.
This will require a complex and comprehensive assessment, made more complex because, like the United States, the United Kingdom has extensive legislation allowing for bulk surveillance of communications. The EU assessment will therefore need to examine not just that legislation, but also the ability of individuals in Europe to obtain adequate redress against the UK Government where they consider that their European data protection and privacy rights have been infringed.
In a recent communication, the European Commission recognised that an adequacy determination by 31 December is unlikely, and that companies should immediately take compliance steps to ensure that personal data can be legally transferred from the European Union to the United Kingdom, and that personal data previously received from the European Union is protected. The most obvious compliance mechanism is the SCCs, but as we now know from Schrems II, rather than just signing these contracts, companies must undertake a case-by-case assessment.