International transfers of personal data – Schrems II and what it all means

The recent judgment (instigated by privacy campaigner Max Schrems) handed down by the Court of Justice of the European Union (CJEU) on 16 July 2020 has sent shock waves across the data protection world.

In a nutshell, it ruled that the EU-US Privacy Shield, previously a legitimate mechanism under the GDPR for lawfully transferring personal data between the EU and the US, is no longer permitted, because it does not afford data subjects in the US a level of data protection equivalent to that enshrined under the GDPR.

In addition, the Court looked at another commonly used safeguard for transferring personal data between the EU and ‘third countries’: standard contractual clauses (SCCs). These take the form of contractual obligations between the parties, in wording prescribed by the European Commission.

The Court raised some doubt over the use of SCCs. EU organisations that wish to rely on SCCs for transfers to the US (or to any other third country) must assess, amongst other factors, the legal system and local legislation of the third country to determine whether the protections contained in the SCCs will be enforceable in the recipient country to the same standard afforded under the GDPR. This assessment must be carried out on a case-by-case basis.

If not, both the data exporter and the data importer must consider whether they can put in place supplementary measures to bridge the gap. It is not yet clear what form these supplementary measures may take; however, they are most likely to be a combination of technical, organisational and security measures and commitments.

If supplementary measures (together with the SCCs) still do not enable an organisation to meet the objective standard required by the GDPR when transferring personal data across international borders, the organisation must stop the transfers immediately, given the lack of protection and proper redress for data subjects in that third country.

This will often be the case in countries that do not uphold the rule of law or where there is little regard for legal justice.

International organisations therefore need to carry out an early assessment, and an ongoing evaluation, of the nature and circumstances of each transfer and of the local law and commitments of the third country, in order to determine whether SCCs are an appropriate and adequate safeguard.

In addition, countries such as the USA that cite national security as grounds for very broad processing of personal data by governmental authorities may fall short of the standard of protection afforded under the GDPR. This may weaken the ability of organisations to rely on SCCs as a blanket lawful mechanism (even in conjunction with supplementary measures) for international transfers to the US.

We will continue to watch this space with much interest.