Published by Alisha McKerron on 19 August 2019
Under the General Data Protection Regulation (GDPR), we are not allowed to transfer personal data to countries outside the European Economic Area (EEA). If we do, we must use a lawful method of cross-border transfer (art. 44 GDPR), which is designed to ensure a level of protection equivalent to that in the EU.
This seems straightforward; it is merely a question of identifying what lawful methods of cross border transfers are available, and choosing the least onerous one. In reality, however, it is anything but, especially with Brexit looming and two important cases pending in the Court of Justice of the European Union (CJEU).
SCC and the EU-US Privacy Shield
Two popular methods of transfer are being challenged in the CJEU – namely, transfers on the basis of EU Commission approved standard contractual clauses (SCC) in the case of 311/18 (also known as Schrems II), and transfers on the basis of there being an adequate EU-US Privacy Shield, in the case of 511/18 La Quadrature du Net. (It’s worth noting that until either challenge is upheld, both methods continue to be valid).
La Quadrature du Net has been postponed, pending the outcome of the Schrems II case. A decision in the Schrems II case is unlikely before the end of 2019 or early 2020, although a hearing of Schrems II took place on 9 July this year. Whilst we wait for a decision, we would be foolish to ignore the fact that a successful challenge will put businesses in a hugely difficult and worrying position.
If SCC and the EU-US Privacy Shield are no longer valid
For starters, SCC and the Shield are widely used by businesses within the European Economic Area (EEA) to legitimise the transfer of personal data to countries outside the EEA. Alternative methods of transfer are not really suitable because they are limited, expensive, slow to put in place, not yet available, or a combination of all of those things.
If either of these methods is struck down, there could be rather unpleasant consequences: the court could halt data flows outside the EU, third parties could claim compensation, and GDPR revenue-based fines and regulatory sanctions could follow. Companies would also have to pay the cost of remedying the problem as soon as a solution was found.
You may be wondering why we could be placed in this situation, after using transfer methods which have, after all, been approved by the Commission. Shouldn’t data controllers or processors be held accountable only to the extent that they did not adhere to the SCC? Perhaps the CJEU will find that, even if transfers to the U.S. are problematic, organisations do not have to stop using SCC or the Shield; instead, data protection authorities would have to suspend problematic data flows and the Commission would be asked to revise the SCC and reconsider the Shield.
However, this line of thinking ignores a central challenge being made in the Schrems II case – namely, the failure of the SCC to provide EU citizens with meaningful redress against mass surveillance by US authorities.
This failure, according to DLA Piper, has given rise to the widely held expectation amongst privacy professionals that the CJEU will reach a finding that invalidates the SCC (which would be consistent with its approach in the earlier Schrems I case). Worse still, once a decision has been made by the CJEU, it will take effect immediately and apply retroactively!
What you should do
Accordingly, it is vital that you plan for the worst – particularly given that any infringement of the GDPR has the potential to attract a fine of anything up to 4% of an organisation’s annual worldwide turnover, or €20,000,000 – whichever is larger (!).
You should assess your exposure to cross-border transfers of data (by finding out to whom, where and on what basis you are transferring personal data). You should draw up an action plan – for example, either stop some types of cross-border transfer or investigate alternative methods of transfer. Perhaps you could use data centres inside the EEA. You should discuss contingency plans internally and with suppliers.
However, the principle of safety in numbers might well still apply; you will certainly not be the only one to be affected, should either the SCC or the Shield be struck down by the CJEU. There may be a period of leniency, since there are no readily available alternatives for large-scale cross border transfers of personal data to outside the EEA. In any case, contingency planning should help you assess the impact of the CJEU’s decision and enable you to hit the ground running.