Schrems 2.0: mixed messages from the court

For months experts have been predicting the demise of standard contractual clauses and possibly the privacy shield. The Court of Justice of the European Union has indicated that the former are valid but has expressed doubts about the latter. What should you do now to prepare?

The case is principally about whether the two of the key mechanisms which legitimise the transfer of personal data to countries outside the EEA offer enough protection, namely:

• standard contractual clauses (SCCs or model causes), and
• the Privacy Shield (ie, for transfers to the US).

These mechanisms play a major role in oiling the engine of the world economy by keeping data flowing between the EEA, which has the protection of the GDPR and many of its major trading partners that don’t.

The case was brought by Austrian lawyer and privacy activist Max Schrems, who is concerned about transfers of personal data to the US that are subject to subsequent surveillance by US intelligence.

In his legal opinion, the Advocate General surprisingly validated SCCs as still being an appropriate method to protect personal data. This was only on the basis however that the country of destination to which data is being sent or accessed also has a right of action against the data controller which they can and should enforce.

Also it is a requirement on the data controller or supervisory authorities to suspend such transfers where the laws of the country to which the data is flowing to or accessed from conflicts with the SCCs. In other words, the Advocate General has reminded everyone about the limitations of SCCs and the need for data controllers and supervisory authorities to suspend or prohibit such transfers where SCCs conflict with local laws.

The decision is in the context of transfers to the US but does not provide a view from the Advocate General about whether the US privacy laws generally conflict with the SCCs or not, which will be considered in the Schrems case specifically again later. There is no reassurance therefore that transfers to the US using SCCs will not be challenged. 

The Advocate General was prepared to indicate at this stage, however, concern about an alternative safeguard used for transfers to the US. The privacy shield is a self-certification procedure found to provide an adequate level of protection of such transfers to organisations that sign up to it. The Advocate General expressed doubts as to its conformity with the GDPR predicting, perhaps, problems in the future for the privacy shield.

While this is only the opinion of the Advocate General, it may well be that the Court of Justice of the European Union does not endorse his approach when it gives its judgment on SCCs in the first half of 2020. The result of all this? Businesses have been put on notice that SCCs do not have the automatic validity for global transfers that everyone thought they did - even assuming the Court of Justice follows this opinion - and businesses need to put in place a more robust and longstanding process to legitimise some or all of their data transfers.

It is important to note at this stage that opinion isn’t a binding verdict. The Advocate General’s role at the court is advisory, and he won’t play any part in the decision-making on this case. Indeed, it’s known for the Court to disagree with the Advocate General.

However, in most cases the court follows the opinion of the Advocate General so it looks likely that SCCs are here to stay but with closer scrutiny about global conflicts needed. The Schrems case will continue to consider the US transfers specifically, and probably the privacy shield in more detail.

So what happens next?

The full judgment is likely to come out in the first half of 2020. Later decisions in the Schrems case may clearly have further implications.

If SCCs or the privacy shield are invalidated, other options for the protection of international transfers are somewhat limited at the moment.

As a result, there is likely to be fresh impetus for certain key safeguards to be developed such as:

• codes of conduct: where you adhere to an approved code of conduct drawn up by trade associations and representative bodies and approved by the ICO (none have been approved yet), and/or
• certification: where you adhere to an approved certification mechanism as provided for in the GDPR (again, none have been approved yet).

In the absence of these, many multinational companies are increasingly looking at binding corporate rules (BCRs). BCRs are a framework that allows cross-border transfers of data from controllers and processors within the EEA to group companies outside of the EEA.

Other solutions include looking at the somewhat narrow list of derogations which can be relied on if there is no adequacy decision or appropriate safeguards in place. The bad news? The European Data Protection Board has issued guidance saying that such derogations, ‘must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive’.

What should you think about doing now?

• Know your data flows. What countries outside the EEA are you sending personal data to? Check your records of processing. Are they vital to your business? What would happen if these flows were switched off? Are there any workarounds, ie, do you need to send this personal data or is there an alternative - say, you send the personal data to a data centre in the EEA as opposed to a data centre outside the EEA?
• What contingency plans do your suppliers and other key stakeholders have in place? What risk appetite do they have? Are they less or more willing to tolerate risk than you?
• Are BCRs an attractive proposition for your multi-national business?
• Are any of the derogations feasible for your business in the short, medium or long term?
• Is your board and senior management aware of the potential, albeit seemingly less likely,  invalidation of SCCs? What resources does your business have to deal with this?

Whatever happens, the case is also a good opportunity to make sure that your business is complying with the principles of the GDPR generally, such as data minimisation: ensuring the personal data you are processing is adequate, relevant and limited to what is necessary. Do you really need to process certain personal data and then send it overseas? As always, the more you process, the more responsibilities you have to look after it.

In the meantime, keeping an eye on developments is vital. Shoosmiths’ Privacy and Data team can help globally.