The Schrems II Decision: What Now?
CJEU Invalidates Privacy Shield
U.S. companies are finding themselves on uncertain terrain as they struggle to understand the implications of the recent EU decision to strike down the Privacy Shield agreement. As noted in our alert on July 20, 2020, the Court of Justice of the European Union (CJEU) - in what has been labeled as the “Schrems II” decision after the key plaintiff Max Schrems - invalidated the Privacy Shield agreement which had allowed signatory firms to transfer EU resident personal data to the U.S.. The CJEU found that the Privacy Shield agreement did not adequately protect EU citizens’ fundamental right to privacy as enshrined in the EU’s Charter of Fundamental Rights. In particular, the CJEU found that U.S. intelligence gathering practices such as the bulk data collection practices conducted under the authority of the Foreign Intelligence Surveillance Act (FISA) Section 702 and under Executive Order 12333 fail to provide EU citizens with enforceable rights against U.S. authorities and that the role of the Privacy Shield ombudsman had insufficient authority to deter or alter the data collection practices of U.S. intelligence services. As a result of this ruling, firms relying on Privacy Shield for transatlantic personal data transfers are now required to implement an alternative mechanism(s) to legitimize the transfer of data from the EU to the U.S.
Providing some degree of relief in this situation, the General Data Protection Regulation (GDPR) does spell out alternative mechanisms for personal data transfers outside of the EU. Article 46 enumerates different safeguards including standard contractual clauses, binding corporate rules (BCRs), certifications, and codes of conduct. Article 49 contains several derogations that firms may rely on in specific situations such as explicit consent, performance, or conclusion of a contract, or in very limited circumstances, the firm’s compelling legitimate interest. To stay in compliance with GDPR, firms that had been relying on Privacy Shield will immediately need to identify and implement alternative safeguards and/or derogations to facilitate the lawful transfer of personal data from the EU to the U.S.
Standard Contractual Clauses Under Increased Scrutiny
The impact of the decision by the CJEU, however, appears to have gone well beyond invalidating Privacy Shield. In fact, the case before the courts was focused on the validity of standard contractual clauses (SCCs), not Privacy Shield. While the CJEU’s ruling upheld the validity of SCCs as a data transfer instrument, the court also emphasized that businesses relying on SCCs must also consider the specific nature and context of the transfer and, where appropriate, implement additional safeguards to minimize the risk U.S. or other national surveillance practices pose to the fundamental rights of EU citizens. Because U.S. businesses cannot change the way the U.S. conducts surveillance, firms who continue to transfer data outside of EU/EEA are being required to conduct further analysis of international data transfers. This further analysis is intended to determine whether a firm’s current practices are adequately protecting the data rights of EU citizens, or whether additional safeguards will need to be implemented to legitimize these data transfers.
An Unclear Path Forward
While firms wait for the courts and the regulators to sort out the particulars of the Schrems II decision – and this could take several years in the courts – important questions remain around what steps firms can take today to lawfully transfer personal data from the EU to the U.S. and to any other jurisdiction outside of the EU/EEA that has not received an adequacy decision. For example, when the courts suggest that continued use of the SCCs requires further analysis of the nature and context of data transfer practices, what is meant by this further analysis and what other safeguards and practices should firms consider implementing to ensure that data transfers remain lawful? Relatedly, have the EU Data Protection Authorities (DPAs) or the European Data Protection Board (EDPB) published guidance on how impacted firms can address the CJEU ruling? Unfortunately, as of this writing, neither the EDPB nor the DPAs have provided any more than an initial response to the ruling, and as one might expect, the DPAs are not all on the same page. Several EU DPAs (e.g., Berlin Commissioner) have interpreted the ruling to mean that all transfers to the U.S. are by definition not lawful, while other DPAs (e.g., CNIL) and the EDPB have suggested that data transfers to the U.S. remain permissible as long as firms conduct additional diligence and implement additional safeguards where appropriate. Additionally, the EDPB has indicated that further guidance is forthcoming, but whether this guidance sufficiently illuminates a path forward remains to be seen.
A Framework to Conduct “Further Analysis”
In the wake of the court’s decision, there is going to be considerably more attention paid to international transfers by the DPAs. This means firms will need to move beyond past practices wherein cross-border transfers were treated as a “check-the-box” compliance exercise rather than a risk-based approach that underpins both the CJEU’s ruling and the GDPR framework itself. Short of clear and actionable guidance from the EDPB and the DPAs, firms are largely being left to their own devices when assessing whether one or more of the GDPR approved safeguards and/or derogations can be relied on to ensure that the data transfer is lawful. Given that firms will continue to transfer personal data until this issue is sorted out by the courts and the regulators, what should firms be doing today to address the CJEU’s ruling?
It currently remains unclear what firms can do to completely eliminate risk – other than halting data transfers from the EU to the U.S. – to satisfy the CJEU’s concern that transfers to the U.S. and other jurisdictions may violate the rights of EU citizens. Nevertheless, there are steps firms can now take to begin to assess and address the risks associated with cross-border transfers . The CJEU has already indicated that firms must conduct “further analysis” by assessing the nature and context of the data transfer when relying on the SCCs or other safeguards for the lawful transfer of data. Preparing for this further analysis will be a key first step when answering the important questions of whether the importer of the data (and the importing jurisdiction) can protect EU citizens’ fundamental rights. At a high level, each firm will need to address the following four areas to conduct this further analysis for the purposes of identifying and implementing solutions to legitimize transfers of data outside of the EU:
- Understand the specifics of the transfer itself
- Clarify the contextual factors of the transfer
- Recognize potential risk factors involved in data transfer
- Specify mitigations to reduce the firm’s risk exposure
By completing the first two steps, firms will gather information about the risks associated with the nature and context of their international data transfers. In turn, this information can be leveraged to identify measures that can be implemented to either partially or fully mitigate the identified risks. As is the case with most privacy compliance activities, the implementation of effective safeguards and controls to protect personal information rests on prior data discovery exercises that produced an inventory and mapping of the firm’s personal data assets. Knowing what data you have, where it is stored, and with whom it is shared allows for the identification of privacy risks and provides firms with a view of where the firm should concentrate its risk mitigating activities.
Key Steps to Assessing and Mitigating Data Transfer Risks
In the section above, we outlined a four-step framework for firms to consider when assessing solutions to legitimize transfers outside of the EU. Within this section, we want to take a look at the application of this framework in the context of the firm’s understanding of its cross-border data transfers. The following is a list of steps firms should consider to further understand their current data environment and transfer mechanisms, assess their current data transfer practices and, where appropriate, implement additional safeguards to mitigate risks to both EU citizens and the firm itself.
- Review data inventory and current data transfer mechanisms
The first step firms need to take is to review their data transfers. Firms should have a good handle on what data transfers are occurring and which transfer mechanism is being relied on. This population of transfers should be documented in a Personal Data Inventory or a Record of Processing Activity.
- Perform Data Transfer Impact Assessments (DTIAs)
Despite the CJEU’s ruling that SCCs are still valid, other points of the ruling indicate that transfers to the U.S. and other countries will likely be assessed. Firms should anticipate this assessment and determine in advance whether the transfer of data is protected, and whether EU citizens have a legitimate and valid recourse method. This assessment should also uncover the risks associated with the transfer and help identify mitigation measures for these risks.
Here are five sample assessment questions that can help firms understand the nature, context, and risks associated with a given cross-border transfer:
- Are you transferring data out of the EU/EEA?
- To which countries might the data be transferred?
- Do any of those countries hold an adequacy decision?
- What are the surveillance practices of the government within the identified countries and how do the third country’s law enforcement practices impinge on EU citizens’ rights?
- How can EU citizens’ right to privacy be upheld throughout the processing lifecycle?
- Mitigate risks
Firms should document the risks identified in the DTIA and for each risk identified, document the firm’s current safeguards and controls in place to mitigate the risk, or document proposed safeguards (including the specific transfer mechanism(s)) to mitigate or eliminate the associated risks. Example mitigation measures that firms can consider include the following:
- Apply the concept of data minimization
- Apply the concepts of anonymization and pseudonymization as possible
- Apply the concepts of data obfuscation or encryption (in certain use cases)
- Ensure DPAs between parties include all requisite Article 28 provisions
- Implement new contract provisions that require firms to challenge overly broad/inappropriate government requests
- Evaluate governmental requests for personal data
- Validate that processes are in place for key SCC obligations
While firms can go a long way in reducing their risk exposure by conducting a DTIA for each of their GDPR-implicated international data transfers, the CJEU’s ruling also points to broader considerations when addressing this new area of risk. For example, the reliance on data inventories, data maps, and the selection of transfer mechanisms presupposes that parts or all of a privacy program are already in place. Relatedly, firms should validate that they have appropriately implemented robust third-party risk management processes to ensure that data processors (third-parties) and sub-processors (fourth-parties) have the capability to adequately protect the rights of EU citizens across the firm’s third- and fourth-party relationships. In other words, the DTIA process should not only consider the nature and context of specific international data transfer but should extend the “further analysis” to validate that the firm’s privacy and third-party risk management programs are appropriately implemented and documented.
What are the consequences of failing to act? The CJEU ruling requires DPAs to scrutinize data transfers on a case-by-case basis. We should therefore expect a significantly heightened level of scrutiny from the community of EU regulators. Failure to reassess your firm’s international data transfer practices could put your firm in position of considerable risk for non-compliance with GDPR. Failure to protect the fundamental rights of EU citizens could result in one or more of the following enforcement actions:
- Fines at 4% of global revenue or $20 million, whichever is higher
- Halt of the flow of data out of the EU
- Informing the public of non-compliance resulting in reputational harm and potential loss of clients, customers, and business partners
In addition to the heightened risk of fines and bad press due to enforcement actions, firms also have to consider the impact with third-party business partners and clients. These parties may be reluctant to do business with parties that cannot demonstrate compliance with their privacy requirements.
Getting It Right
While the exact ramifications of the Schrems ruling are still unclear, there is much that firms can do to be prepared. Developing and implementing data privacy and third- and fourth-party risk mitigation programs commensurate with the firm’s data risks are key steps firms can take to minimize the likelihood of an enforcement action. These programs should include a review of current data and third/fourth party inventories, as well as current data transfer mechanisms. They should also include performance of DTIAs and application of risk mitigation procedures.
Following the Schrems ruling, firms should expect heightened inspection from regulators, as well as an uptick in due diligence scrutiny from partners and clients. The correct preparation will help firms withstand these pressures, fend off potential enforcement actions from regulators, and even gain increased confidence and patronage of business partners and customers.
How We Help
ACA Aponix has unique insight with respect to our client’s data transfers. We’ve helped many clients create their data inventories and therefore have an in-depth understanding of the types of data and purposes for processing the data. Our experienced privacy team has also worked with many multi-national firms to implement controls to meet their obligations under various privacy regulations and data transfer mechanisms, including the SCCs. This puts us in a unique position to help many firms understand their requirements to identify impacted data transfers, perform and document DTIAs, and help to legitimize their data transfers.
ACA Aponix also has a leading third-party risk management program with our VMOS solution. This is a key element to help firms explore and evaluate their third-party and fourth-party ecosystem to help firms evaluate what their risks are and identify controls to mitigate those risks.
ACA Aponix offers the following services related to the GDPR and other data privacy regulations:
If you have any questions, please contact your ACA Aponix consultant or email us at [email protected].