It has been nearly one year since the Court of Justice of the European Union (CJEU) handed down its decision colloquially known as “Schrems II” invalidating the Privacy Shield. The Privacy Shield served as the transfer mechanism by which data could be transferred from the EU to the US without additional safeguards. In addition to the Privacy Shield, the CJEU ruled that Standard Contractual Clauses (SCCs) could be used to fill the gap and allow continued transfers from the EU to the US and other third countries. However, the legality of SCCs remains in flux. Bruno Gencarelli, European Commission Head of International Data Flows and Protection, said in late April that organisations would be getting updated clauses “within weeks.” The updated SCCs are finally here!
Following “Schrems II,” privacy professionals have been waiting for a conclusive answer to the issue of data flows. The European Commission unveiled its draft implementing decision for the new SCCs last November and negotiations over an updated Privacy Shield have been “intensifying.”
The SCCs in their current form have not been updated for more than a decade so the update is welcome, hopefully, providing clarity to a situation that has grown increasingly opaque. The core idea, Gencarelli says, “is to use a number of models to cover as many as transfer situations and business models as possible.”
“The updated SCCs will cover more complex data supply chains accounting for different actors and a number of stages within the processing chain. Having a more agile instrument where more companies can adhere from the outset or join later is something that is very important and has been very welcome by stakeholders.”
In addition to using SCCs, the European Member States have begun interpreting the judgement in “Schrems II.” In particular, addressing the issue of European companies using America service providers employing the necessary safeguards to ensure “essential equivalence” with the laws in the EU. The cases have arisen even though the personal data stayed within Europe. In France, the Conseil d’État acknowledged the risk of access by US authorities despite the personal information remaining in the EU but found in favour of the defendants who had implemented SCCs and end-to-end encryption with the key held by a third party in the EU.
This case highlights organisations must go beyond implementing legal safeguards and include technical safeguards as well. While SCC updates will be coming in short order, a replacement for Privacy Shield is further down the road despite assurances from Gencarelli and his American counterpart overseeing negotiations, Christopher Hoff. Both have used the word “durable” to describe a Privacy Shield replacement seeking to avoid the pitfalls of the first two versions invalidated by the CJEU. It is not only large U.S. and European companies suffering around this uncertainty. Hoff noted that 70% of companies that were in Privacy Shield were small- and medium-sized enterprises. Whatever the next data transfer agreement will look like, it will be heavily influenced by the decision of the CJEU last July underscoring the influence of “Schrems II”as one of the most influential privacy cases to date. “We are using the “Schrems II” judgment as a blueprint,” Hoff said. “It is for the government to come to a solution because there’s more onus on companies now because of “Schrems II” to do these data transfer impact assessments.”
This raises the question about alternatives to SCCs as a mechanism to transfer data from the EU to the US. An often-overlooked mechanism that has experienced renewed interest in conjunction with recent comments by the judge-rapporteur in the “Schrems II” highlighting Article 49 Derogations.
Data Transfers and Derogations
Judge von Danwitz, the judge-rapporteur in “Schrems I” and “Schrems II,” understands the breadth and pervasiveness of cross-border data transfers in today’s digital economy: “data transfers to third countries are not rare incidents. It is common practice to outsource certain data-based services to third countries. This may be economically useful and desirable for enterprises, but it should not compromise the level of protection of personal data.”
On January 28, 2021, the German Federal Ministry of the Interior organised a conference celebrating the 40th Data Protection Day. One of the invited speakers was Justice von Danwitz. In his remarks, Judge von Danwitz acknowledged the complex tension between “the legitimate interests of economic operators and the promotion of international trade on the one hand, and the right to the protection of personal data on the other.” Judge von Danwitz explained that the entire discussion around data transfers “is about the much more fundamental question of what is the society we want to live in and our aspiration to shape this society in line with European law and values.”
As Judge von Danwitz explained the Court’s decision in his keynote address, the Court decided to annul the Privacy Shield in “Schrems II” with immediate effect because there was no legal void. He mentioned SCCs, Binding Corporate Rules (BCRs), and Article 49 derogations “cover the absence of an adequacy decision.”
Where there is the determination that data transfers to third countries are absolutely necessary, then standard contractual clauses provide the standard approach. If SCCs are not possible because the process in the third country does not provide compliance, “then, of course, there’s the question of the transfer of data by relying on Article 49 GDPR” von Danwitz said. “In my opinion, the opportunities granted by Article 49 have not been fully explored yet.”
Derogations: What are they?
Article 49 of the GDPR is titled “Derogations for specific situations” and describes situations to transfer personal data outside of the EU when all the other legal mechanisms are unavailable. In the FAQ to the“Schrems II”decision, the European Data Protection Board (EDPB) writes “It is still possible to transfer data from the EEA to the U.S. on the basis of derogations foreseen in Article 49 GDPR.” Each derogation comes with its own set of administrative and technical requirements.
Derogations for specific situations may be relied on to transfer personal data to a third country only in the absence of:
(i) an adequacy decision, and
(ii) appropriate safeguards such as SCCs, BCRs, or approved codes of conduct or certification.
Derogations are an exception to the general rules and are therefore often interpreted restrictively. Though speaking in a personal capacity, Judge von Danwitz stated, “I believe they [Derogations] are not so narrow that they restrict any kind of transfer, especially when we’re talking about transfers within one corporation or group of companies.”
Some guiding principles to keep in mind:
(i) if the third country is not covered by an adequacy decision, a controller should first try and put in place appropriate safeguards such as SCCs
(ii) Derogations can only be used for processing activities that are occasional and non-repetitive, excluding repeated transfers
(iii) the data transfer must be strictly necessary for the specific purpose of the derogation that is relied on and
(iv) the processing must comply with all GDPR principles and have a legal basis for the processing and one of the derogations under Article 49 must apply to the data transfer.
The Derogations listed in Article 49:
1. Explicit consent
For businesses relying on consent, the consent must be explicit, freely given, specific, and unambiguous. There is no limitation that the transfers be occasional or necessary.
2. Necessity for the performance of a contract between data subject and controller
This derogation applies if there is a direct relationship between the data controller and data subject. The data transfer must be necessary under the contract and occasional in nature. To pass the test of necessity, there must be a close and substantial connection between the data transfer and the terms of the contract.
3. Performance of a contract in interests of data subject between controller and another person
Here too, the criteria of necessity and occasional character must be complied with.
4. Necessity for important reasons of public interest
Under this derogation the essential requirement is the finding of an important public interest. It is important to note that this derogation is not limited to occasional data transfers, but the public interest must be recognised by EU or Member States’ law, and the transfer must still pass the test of necessity.
5. Establishment, exercise, or defence of legal claims
Must meet the occasional and necessity tests. The mere possibility of legal proceedings or formal procedures is not sufficient.
6. Necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legal incapable of giving consent
For example, in the case of a medical emergency
7. Transfer made from a public register
8. Compelling legitimate interests of the data controller not overridden by the interests or rights and freedoms of the data subject
The final derogation is a last resort when no other derogations or transfer mechanisms are available. Transfers under this derogation must not be repetitive and must concern a limited number of data subjects. This derogation also comes with a list of administrative requirements including notification of the data subject and the relevant Data Protection Authority. The decision to rely on this derogation should be documented with an assessment showing why no other mechanism is available. Companies should also note that the standard of compelling legitimate interest is a higher standard that legitimate interest.
Article 49 derogations go along with the requirement of the accountability principle, in particular the need to demonstrate and document that a layered approach has been followed. The data controller must first attempt to implement the appropriate safeguards. If this is infeasible, the data controller must make its own assessment that the conditions for a specific derogation are met with the risk that this decision could be later invalidated. What remains is several potential transfer mechanisms for organisations transferring data out of the EU with a renewed optimism as it relates to using the derogations under Article 49. It is worth reiterating that this option should follow rigorous consideration and attempts at implementing one of the other transfer mechanisms (SCCs or BCRs) as the use of derogations is inherently limited as an exception to the general rule.