Schrems II and sharing personal data overseas: back to the drawing board
The recent ECJ judgment in Schrems II has shaken up data sharing arrangements outside the EEA. We look at the impact of the decision on charities.
The recent case of the European Court of Justice (“ECJ”) in Schrems II has thrown the means for lawfully sharing personal data outside of the EEA up in the air. This case is likely to have a significant impact on charities which routinely share personal data with sister organisations outside of the EEA or undertake work overseas.
Below we look at the case and decision in further detail and steps charities should be taking to overcome the issues presented by this judgment. It will be of particular significance to charities with overseas operations and those who utilise IT services and servers based outside of the EEA.
Sharing personal data outside the EEA
Under the General Data Protection Regulation (“GDPR”), personal data can only be shared outside of the EEA (and the UK, under the withdrawal agreement following its exit from the EU, until 31 December), in one of three circumstances:
- Adequacy decision – an adequacy decision made by the European Commission, confirming that the third country recipient has data protection laws which provide adequate protection of personal data, allows the sharing of personal data as if that country was a member of the EEA.
The European Commission has made several adequacy decisions in respect of different countries.
- Additional safeguards – data sharing with a third country can take place (with or without an adequacy decision) by putting additional safeguards in place.
Whilst various additional safeguards can be put in place, the most common safeguard used is the implementation of the European Commission’s “standard contractual clauses” (“SCCs”).
There are several different forms of SCCs for different relationships between the two parties sharing and receiving personal information (as data controller to data controller, or data controller to data processor). The European Commission is due to update the standard clauses shortly, but they all provide contractual protections to enshrine data protection into the relationship between two data sharing parties.
- Derogations – derogations can apply where there is no adequacy decision or additional safeguard in place. Derogations include where the explicit consent of the data subject is obtained (set to the high GDPR standard) or where the transfer to a third country is necessary for the performance of a contract with the data subject. In practice it is rare to see the derogations being relied upon for systematic data sharing outside of the EEA and these are not discussed further in this article.
Facts of the case
Mr Schrems, who had previously succeeded in striking down an EU-US adequacy decision known as “Safe Harbor”, was not satisfied that Facebook was still transferring his personal data into the US using SCCs. He therefore challenged the validity of SCCs.
While the case was being decided, an amended version of Safe Harbor, providing an adequacy decision where US companies have signed up to the EU-US Privacy Shield, had been agreed by the European Commission. The ECJ therefore also examined the validity of the EU-US Privacy Shield arrangement in its judgment. Many organisations which transfer personal information from the EU into the US have relied on the EU-US Privacy Shield to do this lawfully. If the Privacy Shield was found to be invalid, this would have a fundamental effect on the ability for organisations to make those transfers.
- The court found that the EU-US Privacy Shield was invalid, as it failed to provide adequate protection for data subjects
- The court ruled that, whilst SCCs were lawful, putting SCCs into an agreement alone are insufficient to provide sufficient protection to data subjects.
The ECJ ruled that, when sharing personal data outside of the EEA, the data controller sharing the personal data from the EEA is under an obligation to ensure that there is adequate protection of personal data in the third country. Where no such assurance can be given, the ECJ ruled that the data controller exporting the personal data is prevented from sharing personal data under the GDPR.
The judgment also emphasised that SCCs should be more than a formality. The obligations under SCCs should be reviewed carefully and complied with to the letter. The ECJ also suggests additional safeguards above and beyond SCCs may be required to further protect information in some circumstances.
Response from Data Protection Authorities
The European Data Protection Board, the umbrella group of European data protection authorities, has issued a holding statement as it reviews the judgment.
The UK’s data protection authority, the Information Commissioner’s Office (“ICO”), is also reviewing the judgment and has said it stands ready to support organisations following the judgment.
What steps should charities be taking?
Whilst data protection authorities consider the impact of the judgment, it is important that charities which share personal information to countries outside of the EEA review their current arrangements for doing this lawfully. This is particularly relevant where they are transferring data into the US.
Charities sharing personal data with third countries should ensure they take the following steps as a priority:
- Identifying information shared outside the EEA – all information being shared outside of the EEA should be identified, the country it is being shared with should also be noted and the mechanism by which such third country data sharing is being undertaken recorded (i.e. an adequacy decision, appropriate safeguards or derogation-
- Privacy Shield data sharing – any data sharing based on the EU-US privacy shield should be reviewed as a priority and alternatives put in place (e.g. SCCs) as the adequacy decision has been declared invalid by the ECJ;
- Data sharing under SCCs – data sharing taking place under SCCs should be reviewed. It is hoped (though by no means confirmed) that data protection authorities will step in and assist organisations in analysing third countries’ data privacy protections. In the meantime, charities should take the following steps:
- Charities should review the obligations placed on parties in the SCCs it has in place to ensure both the exporting and receiving entity are meeting their obligations under the SCCs (such as reporting and security requirements);
- Charities may wish to review whether they need to share personal data to a third country, whether it could be effectively anonymised or kept within the EEA;
- Whilst the judgment stopped short of saying that sharing information to the US under SCCs would breach the GDPR, a clear inference which can be drawn from the ECJ’s decision to strike down the Privacy Shield is that the ECJ is not satisfied that personal data held by US entities provides sufficient data protection.
Additional contractual clauses (over and above the SCCs) might be required to enshrine data protection when personal data is transferred into the US or other countries where data privacy is at a lower standard than the GDPR, whilst steps to limit the sharing of particularly sensitive personal data might also need to be considered.
Our view is that drastic steps might reasonably be held back at this stage until guidance from data protection authorities has been issued.
- Further guidance – look out for additional guidance from data protection authorities such as the ICO and the European Data Protection Board. Rumours of a new Privacy Shield and/or amended SCCs have surfaced since the judgment, but the guidance from data protection authorities is likely to be the place to find any definitive change in position.
The case has confirmed the ECJ as a court which takes data privacy seriously, but it leaves charities with uncertainty as they try to ensure that they can effectively operate in countries outside the EEA. It is to be hoped that guidance from data protection authorities will clarify the regulatory position quickly and pragmatically.
If you would like to discuss any aspect of this article further, please contact Nick Dunn or any of the Charities and Social Economy team on 0113 243 6100.
You can also keep up to date by following Wrigleys Charities team on Twitter
The information in this article is necessarily of a general nature. Specific advice should be sought for specific situations. If you have any queries or need any legal advice please feel free to contact Wrigleys Solicitors.