The recent Schrems PRISM and Privacy Shield case (Schrems II) is important. The issues at stake are the interpretation and legality of the:
Data transfers of personal data from inside to outside the EU are subject to a default transfer ban. Only if a particular transfer can fit within one of the limited exemption or legitimising mechanisms, may a data transfer become permissible.
The new Schrems decision upholds the validity of the SCC Decision – and hence the existing data transfer contracts and clauses which are compliant with the SCC Decision.
Data transfers can continue insofar as they are compliant with this transfer mechanism – but importantly new such contracts may have to be read in light on this new decision (see below). New data contracts will become more involved and complicated as a result of the decision.
One Brexit related impact is that the decision puts an even greater spotlight on political negotiations and the preferred Brexit solution of an EU Adequacy Decision finding. The case also suggests to some that such an ultimate outcome is likely unsuccessful.
The decision is helpful, therefore, to the extent that it re-emphasises that UK and UK based firms might wish to avail of the standard contracts route to ensure lawful data transfers to the UK.
Given that the Privacy Shield up to now would have encompassed UK data transfers to the US, the question then arises as to what the impact is for ongoing or future UK – US transfers. This question becomes more complicated in the Brexit context. Firms will need to consider whether they can demonstrate lawful receipt of data from the EU, and then whether they are permitted to send some or all of this data to the US.
Where data originates in the UK and may wish to be sent to the US raises other interesting considerations. On one hand it is UK data arguably unaffected by EU considerations. From another perspective, any company which has EU dealings may not wish for a variety of reasons to be sending even UK data to the US in a manner which is less than equivalent to that expected under EU rules. Additionally, if a practice were to build up of unregulated or less than equivalent data transfer between the UK and US, this could become yet another problem issues in terms of the UK’s (anticipated) application for an Adequacy Decision.
Further considerations arise also in terms of ascertaining the type of company or indeed industry sector involved, as certain companies may be treated differently for the purposes of US law and US law safeguards.
As is pointed out elsewhere in this edition, there are significant issues facing UK politicians in terms of assuring businesses – particularly City financial firms and international firms – that Brexit will be as smooth as possible and will avoid any unnecessary speedbumps. There would certainly be adverse consequences if, for example, UK business could not continue to trade as normal and to receive EU data as part of its normal activities. The implication of Brexit is that post-Brexit the UK will be a deemed third country outside of the EU, and as such the default data transfer ban kicks in. The UK can no longer receive EU data as it is not (yet) a recipient country which the EU has assessed and validated as being safe and equivalent for receiving EU data. Such a decision needs to be validated in a formal Adequacy Decision.
While applying for, processing and receiving an EU Adequacy Decision is time consuming and complex, some commentators are suggesting after the current Schrems case that the UK will not at all be successful in obtaining an Adequacy Decision.
Mr Schrems while deliberately avoiding a detailed view on Brexit, does state that after the decision there ‘may be a huge problem for UK adequacy.’
In that scenario, and even in prudent preparation for Brexit itself, it may be incumbent on firms to look to standard contracts as their means to legally continue to have data interactions with EU countries. The new Schrems case offers assurance in this regard that this is a viable route – even if the complexity and level of detail required is now much more onerous.
Perhaps the lesson is that while a successful Adequacy Decision is aspired to, one cannot hold one’s breath waiting on uncertain political and administrative processes. The standard contracts become a matter of primary practical importance. (Note also that for certain large organisations the additional route for inter-group international data transfers may lead towards the Binding Corporate Rules (BCRs) transfer mechanism for certain transfers).
However, the decision issues referred to above will require to be carefully monitored for further official guidance and potential official decisions on data transfers. At the same time, those proposing to engage in data transfers will need to examine the feasibility of contract mechanisms (and also BCC mechanisms) as appropriate. In addition, those with pre-existing executed standard contracts arrangements would be prudent to review their existing documentation. It may be that contracts or practice documentation might be enhanced further.
The EU and US authorities are already in contact and will discuss the avenues available. It may, for example, be possible to consider a Privacy Shield 2.0 or other updated arrangement.
Controllers and Processors should note that current best practice never stands still. A contact or practice which was legal last year may have to be reviewed, updated or replaced today. Legal compliance is an ever ongoing task – and as the judgement confirms, can become more onerous over time.
Paul Lambert is the author of A User's Guide to Data Protection. This work is a first port of call, providing clear guidance through the complex web of data protection issues and regulation in relation both to internal issues affecting employees, agents and contractors as well as external issues concerning customers, prospective customers and users across all data
