Max Schrems' long-running litigation involving Meta (previously Facebook) and the Irish Data Protection Commission shows how carefully organisations must handle the personal data of people outside their own jurisdiction. Although privacy laws around the world overlap by roughly 80%, how far each region or country actually protects the rights of its data subjects is far from consistent. Cross-border transfer laws and regulations aim to close that gap so that the protection of data subject rights travels with the data in a data-driven global economy. The GDPR and the EU Charter of Fundamental Rights (CFR) emphasise not only the importance of a data subject's rights but also the responsibility and obligations placed on organisations that transfer personal data across borders.
Throughout 2021 the global privacy community grappled with the consequences of the Schrems II decision of July 2020 and of the new standard contractual clauses (SCCs) the European Commission adopted in its wake. The question at the centre of the Court of Justice of the European Union (CJEU)'s landmark judgment was whether data subjects' rights remain adequately protected once their personal data leaves the EU in a global economy. For your organisation, the judgment means carefully reviewing how the new SCCs affect the data processing agreements (DPAs) you already have in place or plan to put in place.
Schrems II, a necessary fuss
On 16 July 2020, the CJEU invalidated the EU-US Privacy Shield. The Privacy Shield framework allowed companies in the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) to transfer the personal data of EEA data subjects to companies in the United States of America (US) that had self-certified to the framework and appeared on the Privacy Shield list. Organisations on both sides of the Atlantic with personal-data-driven business models relied on this framework, especially those processing personal data from an international customer base.
The framework rested on an adequacy decision: a European Commission decision confirming that data subjects' rights enjoy a level of legal protection in the importing country essentially equivalent to the protection they enjoy in the EU. On that basis, EU data subjects should have enjoyed essentially the same protection of their privacy rights in the US as in the EU. As Max Schrems argued, and the Court agreed, this was not the case.
In the Schrems II decision, the CJEU examined the far-reaching surveillance permitted under US national security laws, which govern US authorities' access to and use of personal data imported from the EU. The Court found that these laws do not limit access to what is strictly necessary and do not give EU data subjects rights they can enforce before US courts when they become the target of US national security investigations. Nor could data subjects obtain redress through the Privacy Shield Ombudsperson, a US official to whom EU data subjects could complain about access by US intelligence agencies: the Court found that the Ombudsperson was neither sufficiently independent of the US executive nor empowered to take decisions binding on those agencies.
The old SCCs
Next, the CJEU looked at whether the then-current SCCs remained an appropriate cross-border transfer mechanism. It held that they did, but only with important qualifications.
The Court upheld the validity of the EU Commission's SCC decision in principle. It stressed, however, that SCCs are a contract between the exporter and the importer and cannot bind the public authorities of the importing country, so they do not by themselves guarantee the level of protection the GDPR requires. The old SCCs also predated the GDPR and did not reflect its transfer requirements, which is why the EU Commission replaced them with a new set, adopted on 4 June 2021, drafted to protect data subject rights in line with the GDPR.
The old SCCs only catered for controller-to-controller or controller-to-processor processing relationships. They failed to deal appropriately with common cross-border processing activities, like where:
- EU-based companies use US-based infrastructure to provide their services to their EU customers, for example, cloud servers based in the US; or
- US-based companies use EU-based infrastructure to provide services to their US customers, a processor-to-controller flow the old clauses did not cover, which made it difficult to lawfully return personal data originating from the US.
This gap created uncertainty about the lawfulness of those processing activities because they did not fit into the categories addressed by the old SCCs.
The CJEU emphasised that organisations relying on SCCs to transfer data across borders must ensure that the data subject enjoys a level of protection essentially equivalent to that guaranteed in the EU by the GDPR. Organisations can no longer rely on the SCCs alone: where the law or practice of the importing country falls short, they must adopt supplementary measures to address those shortcomings.
A new era
The EU Commission's current SCCs take a risk-based approach to cross-border transfers. They are modular and spell out more concretely the measures that must be in place for the processing activities found in the global economy. The new SCCs cover four specific processing relationships:
- controller to controller;
- controller to processor;
- processor to (sub)processor; and
- processor to controller.
While the SCCs deal with these specific processing relationships, they are framed in terms of a data importer (the receiver of the personal data) and a data exporter (the sender of the personal data), and they spell out the responsibilities of each. For example, they introduce an obligation on the importer to notify the exporter of any legally binding request from a public authority, including law enforcement, for disclosure of the transferred data. This obligation follows directly from the Court's reasoning in Schrems II.
The CJEU held that exporters of personal data are obliged to verify, before transferring, whether the SCCs will in practice provide adequate protection of that data. If not, they must determine whether supplementary measures can bridge the gap. The European Data Protection Board (EDPB) has since published recommendations on such supplementary measures. Under the new SCCs, both the data importer and the data exporter must assess the importing country's laws and practices to determine whether anything prevents the parties from fulfilling their obligations under the SCCs. This exercise is now known as a transfer impact assessment (TIA). The assessment must consider the:
- circumstances of the transfer;
- laws and practices of the importing country; and
- specific contractual, organisational, and technical measures in place over and above the SCCs.
The current modular framework of the SCCs also means that an organisation can focus on the contractual clauses that speak to the specific processing relationship it has with the other party.
Why should you care?
Since 27 September 2021, new contracts may no longer use the old SCCs, and from 27 December 2022 the old SCCs will no longer be valid even in contracts concluded before that date. If your organisation wants to continue relying on SCCs as a transfer mechanism, it must roll out the new SCCs in its DPAs by the December deadline. Failure to do so leaves the transfers without a valid transfer mechanism and may attract regulatory penalties.
If your organisation falls into any of the following categories, you must begin assessing the impact of Schrems II and the new SCCs on your operations:
- EU-based exporters;
- non-EU-based exporters that are subject to the GDPR; and
- non-EU-based importers.
How does this affect your DPAs?
Organisations generally use SCCs in DPAs between controllers and processors when processing happens across borders, so the new SCCs affect the DPAs you currently have in place. You will need to review your existing DPAs with vendors, partners, and customers to bring them in line with the current SCCs. Not only must you replace the old SCCs in those agreements, but you must also resolve any conflicts between the provisions of the SCCs and the other contractual terms in your DPAs. Where the two conflict, the SCCs prevail.
Further, you cannot modify the text of the new SCCs. You select the module that fits your processing relationship and complete the annexes, and you may add other clauses or safeguards provided they do not contradict the SCCs, but the clauses themselves must be used as they are.
After Schrems II, you may also need to adopt supplementary measures where the SCCs alone do not adequately protect data subject rights. The outcome of your transfer impact assessment of the importing country's laws and practices determines whether such measures are needed, and they can be contractual, organisational or technical, for instance encryption with keys that remain outside the importer's reach. The EDPB's recommendations explain how to perform the assessment and which measures can be effective.
Actions to take
If any part of this article has gotten you nervous, you can:
- join our data protection programme today to access our latest thinking and resources on effectively managing your cross-border processing relationships; or
- ask us to conduct a transfer impact assessment for you.