Exporting data from the EU after Schrems II: what to do now

As previously discussed, the European Court of Justice’s recent Schrems II decision both (i) invalidated the US privacy shield; and (ii) threw into question alternative justifications for the export of personal data from the EU to the US.

Whilst there is yet to be a substantive response from the European Commission, initial reactions from the European Data Protection Board and national regulators (e.g see UK’s ICO 27 July response) provide some initial guidance as to how companies should react.

In summary:

  1. Any company exporting data to the US should stop using Privacy Shield and replace with Standard Contractual Clauses (SCC).
  2. Any company exporting data using SCCs, binding corporate rules (BCRs) or other contractual protections to countries without adequate data protection (including the US) should now carry out (and document) their own assessment as to whether the measures they have in place provide sufficient protection, and:
    • if their assessment shows that sufficient protection is not secured, stop their data export;
    • if their assessment shows that sufficient protection has been secured, they can continue data export but should notify their supervisory authority.
  3. Companies should also:
    • consider whether they can rely on a derogation as an alternative basis for data export (but note their narrow scope).
    • review their supply chain and ensure that their data processors are also compliant with the new rules.

Pending future guidance from the EDPB, since it is not yet clear what ‘supplementary protection measures‘ could be applied and the narrow scope of the derogations, as a practical response many organisations will need to consider whether they can operate their European divisions without data export to the US, and review whether they can put in place arrangements to operate without data export to the US.

European Data Protection Board 23 July 2020 FAQs

In addition to the judgment, the key source of guidance is the 23 July FAQs published by the European Data Protection Board. The answers in the FAQs were:

  1. Firstly, to summarise the ECJ’s judgment: Privacy Shield is invalid, SCCs are valid but may not always provide sufficient protection.
  2. Others bases for data transfer also may not always provide sufficient protection.
  3. There is no grace period: companies should stop using Privacy Shield immediately and use an alternative basis for data export.
  4. Companies using SCCs or BCRs (or any other basis such as bespoke contractual protections) as a basis for data export to the US should carry out their own assessment of the adequacy of protection and consider potential supplementary measures. If they conclude that they cannot ensure adequate protection, they should stop data export: if they conclude they can ensure adequate protection they should notify their supervisory authority (see para 145 of ECJ judgment).
  5. Data export is still possible based on one of the GDPR Article 49 derogations:
    • explicit, specific and informed data subject consent;
    • on an ‘occasional‘ basis for the performance of a contract;
    • necessary for important reasons of public interest (but note this is a narrow derogation unlikely to be useful for most commercial transfers)
  6. The same considerations apply with respect to data export to countries other than the US that the EU Commission has not found to provide equivalent protection.
  7. No specific guidance was provided as to what type of legal, technical or organisational ‘supplementary protection measures‘ could be considered, although the EDPB committed to provide more guidance in the future.
  8. Reminded data controllers that they are responsible for data export by their processors, and that controllers should review their supply chains and consider prohibiting data export to the US.