Schrems II: Answering your questions


Recently we hosted a webinar delving into the recent Schrems II judgment of the Court of Justice of the European Union (CJEU). Perhaps unsurprisingly, there were many questions from attendees.

We have collated those questions and our answers below. To refresh your memory of the background and the outcome of the case, our article on the judgment can be read here. You can also watch the recording of our webinar.

If you have any further questions or wish to discuss the impact of the Schrems II judgment for your organisation, please get in touch with a member of our Data, Privacy and Cybersecurity team.

Do you have any suggestions for data transfers to the US which are on a processor to sub-processor level and have so far been done on the basis of the sub-processor’s Privacy Shield? There don’t seem to be any alternative options on the basis of a) Privacy Shield being invalidated and b) SCCs being intended for controller-processor use.

There is no clear answer here, and guidance will be invaluable to give a steer on how regulators expect organisations to approach this challenge. However, it is worth considering the alternative options potentially available in such circumstances. For example, the derogations contained within Article 49 of the GDPR could be relevant, such as contractual necessity or the data subject's explicit informed consent. However, in most situations, these exceptions are unlikely to be practicable, and the EDPB has reminded exporters in a recently-released FAQs document that many of those derogations are limited in their application. Alternatively, we anticipate that corporate groups may increasingly begin to implement Binding Corporate Rules (BCRs), which require each group company to comply with the BCRs thereby allowing transfers across the group worldwide. However, this involves a rigorous approval process and can take up to a year to implement. The EDPB’s FAQs also made it clear that when using BCRs to transfer data to the US, exporters will be expected to conduct a similar assessment as with SCCs. Companies may also choose to rely on Codes of Conduct, which must also be approved by a supervisory authority.

Ultimately, there is not an easy way to overcome this challenge at the moment. Helpfully, the EDPB’s FAQs do suggest that it may be possible to use SCCs for US transfers if additional safeguards are in place, and the EDPB will release guidance on what such safeguards might look like.

If we can no longer export, via SCCs, to any country that failed an adequacy application, is there a list somewhere of those countries?

There is no absolute barrier to relying on SCCs to transfer personal data to countries that have failed the European Commission's adequacy assessment. However, when SCCs are relied upon in these circumstances, the data exporter's risk assessment of these countries may need to consider the adequacy of the country in more detail before concluding that the transfer of data is appropriate. We are not aware of a definitive list that is available of countries that have failed an adequacy application. Australia failed its assessment in 2001 but has not since reapplied. Many other countries with data protection laws (such as Hong Kong, Singapore and Taiwan) have not applied for adequacy.

Ultimately, if SCCs could only be relied upon in circumstances where the Commission deems a country to be adequate, the SCCs would effectively be made redundant. We do not anticipate that guidance will seek to restrict their use to such an extent as this is not the stated or implied intention of the judgment, and would seem contrary to the structure of various lawful transfer mechanisms, including SCCs, that the legislation uses. There are different ways to assess what is an "appropriate" level of protection. Some countries may, for example, have laws that are not equivalent to the GDPR in some areas, but that are sufficiently protective in other (key) areas, such as surveillance and redress for data subjects, to make a specific transfer under SCCs justifiable to a country without an adequacy decision.

Do we see large-scale data repatriation or data localisation being a natural (and perhaps unintended) consequence of the judgment?

Repatriation/localisation could be a consequence of the Schrems II judgment, and we are already seeing some companies investigate those possibilities. We would not be surprised to see providers changing their infrastructure arrangements, so that less data can be accessed outside of the EEA. That said, it is worth noting that full repatriation of data will be difficult to achieve within the context of cloud services, because almost all providers rely on international transfers outside of the EEA, to allow for 24/7 support, to provide backup or failover assistance, and for other back office purposes. This may also result in increased reliance on smaller suppliers that could have a greater emphasis on localisation of data – however, that in itself runs the risk of controllers moving to processors with less robust security arrangements than the largest US-headquartered providers, and falling foul of GDPR obligations around having appropriate technical and operational arrangements to achieve security purposes.

Is it still OK to rely on SCCs for a UK importer receiving personal data from an EU exporter?

Assuming that the European Commission does not provide an adequacy decision in favour of the UK, the data exporter will be required to carry out an assessment of the UK's levels of protection of personal data in order to rely on the SCCs. In practice, whether the SCCs can be relied upon will depend on how far the UK diverges from the GDPR following the end of the Brexit transition period, and the UK's relationship with the US. For example, if the UK decides to ignore the Schrems II judgment and continues to allow data transfers with the US without requiring any further adequacy mechanisms, the EU may take a more restrictive stance in assessing the UK's adequacy, which could impact the EU exporter's ability to rely on the SCCs when transferring data to the UK importer. This is another area where the answer will become clearer with time and guidance, and progress in Brexit trade deal talks.

Given that the EDPB (with EU supervisory authorities) already decides which countries have deemed adequacy, what role do they play in deciding at the top level which countries are acceptable for SCCs? Why should tens of thousands of controllers in the UK/EU do the same due diligence many times over for the same countries?

The exact nature of the assessment to be carried out by the exporter is not yet certain, and further guidance will be needed before anyone is able to accurately explain the burden that controllers will now have. Organisations may not need to do the same assessment multiple times: it may be that they can decide which countries the SCCs are currently used for and conduct the assessment in relation to the riskiest countries, and apply the same findings for the remaining lower risk countries or in relation to similar future transfers. The key for exporters at this stage will be to understand and document data flows that rely on SCCs and identify the most relevant and high risk countries for which to conduct this risk assessment.

Further, the fact that the EDPB has not found a country adequate does not mean that the country does not have appropriate levels of protection. A number of countries with fairly robust data protection laws have not applied for adequacy but may well provide an appropriate level of protection for the purposes of relying on SCCs. The exporter's finding may also depend on the nature of the processing and the type of personal data being transferred.

One risk for companies with exposure to data protection supervisory authorities in multiple countries is that regulators start to publish contradictory assessments of different countries, in the absence of formal Commission adequacy decisions. A company would be faced with the decision of whether it should ‘forum shop’ the findings of the most permissive regulator, or take a ‘lowest common denominator’ approach of assuming a country is not adequate if one regulator says so, even if other regulators indicate it is adequate.

Should we wait for a decision on Brexit and review all agreements then?

In an ideal world it would be valuable to understand how far the UK decides to diverge from the GDPR and to wait until its relationship with the US becomes more clear following Schrems II. However, the realities of Brexit for data flows may not become apparent until very close to the end of the transition period. We are advising our clients to review their data processing arrangements (particularly as regards international transfers) so they are ready to react when the position on trade deals and an EU adequacy decision for the UK is clearer, and to be mindful that there may be changes they have to make at speed once the situation becomes clearer.

Where does the liability rest for a processor using a sub-processor who transfers data outside the EEA?

Under the GDPR there is no separate definition of a "sub-processor", meaning that all regulations relating to processors apply equally to sub-processors. Overseas transfer restrictions apply to controllers and processors, and both are responsible for ensuring that an appropriate adequacy mechanism is in place. Under the GDPR, a sub-processor would therefore remain directly liable. However, the ultimate accountability for compliance rests with the controller, which also has an obligation not to allow onward transfers of personal data to third countries.

In relation to enforcement, it is not clear which entity a regulator would enforce against in the event of a sub-processor transferring data outside the EEA in contravention of the requirements. It is possible that regulators could take a view on the nature of the parties involved when deciding where liability should lie. For example, where a large tech provider acts as a processor or sub-processor, with a start-up business as the controller, a regulator may decide to pursue the large tech provider rather than the smaller controller.

What if it is just that the cloud provider has a parent company in the US?

In circumstances where the controller and processor are both based in the EEA, but the controller has a parent company in the US, this will not be a restricted transfer simply by virtue of the fact that the parent company is based in the US. In other words, if there is a guarantee that no personal data will be accessed by a third country, the concerns raised in Schrems II regarding US adequacy will not apply. However, in practice, it is difficult to guarantee that no data processing will occur outside the EEA within the context of cloud services.

Can we, as a US business, expect to start receiving requests from those we interact with asking us how we comply with the SCCs? We cannot state that we are not subject to national security/surveillance laws, so where does that leave us?

A US business may expect to receive requests asking it to demonstrate compliance with the SCCs; however, the view of the CJEU indicates that it is not a question of whether a data importer complies with the SCCs, but the fact that US laws do not enable importers to comply. On the assumption that this is understood by most controllers, we expect that US businesses are more likely to be approached to explain what alternative adequacy mechanisms may be relied upon to ensure continuity of the processing relationship. As and when the EDPB releases further guidance about what additional safeguards could be implemented to bolster the protection given by SCCs, US businesses are also likely to see approaches from EU exporters regarding implementing those safeguards.

In the event of taking a risk-based approach towards use of SCCs in the US, would you advocate controllers undertake a Data Transfer Impact Assessment, taking into account the profile of data sets and the potential impact of US Government access?

Yes - if a company is electing to rely on SCCs for US transfers despite the Schrems II judgment, on a risk-based approach, we would certainly recommend carrying out and recording a risk assessment in relation to those transfers. This should note the powers of US law enforcement agencies to access the personal data, and assess whether the risk is outweighed by the benefit to the business of transferring data to that jurisdiction. The EDPB’s FAQs indicate that the circumstances of the transfer can be taken into account in determining whether SCCs are appropriate for US transfers (or indeed transfers to other third countries), so the risk of the transfer, the nature of the data and the potential impact of US laws should always be considered.

Has the ICO indicated that it will provide any guidance on international data transfers anytime soon?

The ICO has confirmed that guidance will be made available following the Schrems II judgment, but has not provided a timeline. The ICO's interim guidance is to continue using Privacy Shield if this is already in place, but not to start using Privacy Shield where it is not already relied upon. We will continue to monitor the ICO's advice.

Is the issue around intelligence agencies present full stop when using US companies to process/store data even in UK/Europe due to the US CLOUD Act?

The CLOUD Act allows federal law enforcement to require US-based cloud providers to disclose data stored on their servers within the context of a criminal investigation, regardless of whether that data is stored in the US or elsewhere. In 2018 the EDPB considered the interaction between the CLOUD Act and the GDPR, and concluded that the circumstances in which data would need to be handed over are very limited. Article 48 of the GDPR prevents foreign court orders or decisions of foreign authorities from being recognised and enforced in the EU, unless the Mutual Legal Assistance Treaty applies. As such, where a cloud provider complies with an order under the CLOUD Act, it is at risk of breaching the GDPR. The CLOUD Act does cause some concern, but the circumstances in which it applies are narrow, and the safeguards provided by the GDPR mean that, in practice, cloud providers would probably not be compelled to provide the personal data stored in the EEA to a US authority.

Taking a step back, the CLOUD Act may be a narrow concern for cloud providers, but the majority of controllers and processors are unlikely to be overly concerned.

Contributor: Harry Gillen