
Schrems II: what’s new for EU-US data transfers?


On 16 July 2020, the judgement of the Court of Justice of the European Union (CJEU) in the Schrems II case (case C-311/18) declared the Privacy Shield invalid. While this decision was the CJEU’s response to an individual case, it had major consequences for the way international transfers of personal data are regulated and for data protection and privacy in the EU. We analysed the impact of this ruling and what it means for the GÉANT Community.

The Schrems II judgement

Operational since August 2016, the Privacy Shield, the mechanism regulating data transfers to the US, was issued right after a 2015 ruling invalidating its predecessor, “Safe Harbour”.

Given its rushed introduction, the Privacy Shield brought a lot of uncertainty about its durability: privacy professionals often considered it a not fully trustworthy mechanism for international transfers and presumed it was destined for the same fate as Safe Harbour.

Additionally, the General Data Protection Regulation (GDPR) had been adopted a few months earlier (April 2016) but became enforceable only in 2018. This meant that, in order to ensure full compliance with the GDPR, the Privacy Shield would inevitably have had to undergo some changes.

That finally happened in July 2020 with the decision taken by the CJEU in the Schrems II case. Specifically, the Court considered that the requirements of US domestic law, and in particular certain programmes enabling access by US public authorities to personal data transferred from the EU to the US for national security purposes, result in limitations on the protection of personal data that are not circumscribed in a way that satisfies requirements equivalent to those under EU law (the GDPR), and that in particular US legislation does not grant data subjects actionable rights before the courts against the US authorities. As a consequence, transfers of personal data can no longer take place on the basis of the Privacy Shield.

At the same time, however, the CJEU held that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside the EU remain valid; they are due to be revised soon (Commissioner for Justice Didier Reynders promised the new proposal before the end of 2020).

How does Schrems II impact GÉANT and its Community?

The GÉANT network is connected to the R&E networks in the US, and for such transfers the actors involved will need to rely on the Standard Contractual Clauses.

The consequences of the Schrems II case will also be instrumental in fulfilling the EU’s twin goals of strategic autonomy and technological sovereignty, which apply to all sectors, including of course ICT networks. Moreover, as a result of political considerations and developments, routes to regions that were traditionally connected via US intermediaries have in the past few years already been progressively replaced with direct connections.

GÉANT is also working in this direction, and will continue to do so, by contributing to key initiatives such as the BELLA Programme, which will provide a direct connection between the research networks in Europe and Latin America via EU submarine cable technology.

What now? How can your organisation react to Schrems II?

Following the invalidation of the Privacy Shield, international transfers to third countries may continue on the basis of SCCs. However, as the European Data Protection Board highlighted, organisations relying on SCCs must have effective mechanisms in place that ensure compliance with the level of protection guaranteed within the EU by the GDPR, and transfers of personal data pursuant to such clauses must be suspended or prohibited in the event of a breach of the clauses or where it is impossible to honour them.

In that regard, the Court points out, in particular, that Decision 2010/87/EC introducing the SCCs imposes an obligation on the data exporter and on the recipient of the data (the “data importer”) to verify, prior to any transfer and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned. It also requires the data importer to inform the data exporter of any inability to comply with the standard data protection clauses and, where necessary, with any supplementary measures to those offered by the clauses; the data exporter is then obliged to suspend the transfer of data and/or to terminate the contract with the data importer.

Whether your organisation can or cannot transfer personal data on the basis of SCCs will depend on this assessment, taking into account the circumstances of the transfers and any supplementary measures put in place. These supplementary measures, together with the SCCs, would have to ensure that US law does not impinge on the adequate level of protection they guarantee, following a case-by-case analysis of the circumstances surrounding the transfer.

If your organisation concludes that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, then it is required to suspend or end the transfer of personal data. If your organisation nevertheless intends to keep transferring data despite this conclusion, the competent Supervisory Authority must be notified.

Despite the invalidation pronounced by the judgement, absolutely “necessary” data flows can continue under the provisions of Article 49 of the GDPR. Any situation where users want their data to flow abroad remains lawful, as the transfer can be based on the informed consent of the user (Article 49(1)(a) of the GDPR), which can be withdrawn at any time. Moreover, data transfers are possible when the transfer is necessary for the performance of a contract between the data subject and the controller (Article 49(1)(b)), or when the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another legal or natural person (Article 49(1)(c) of the GDPR).

In simple words: data transfers to the US have now lost their privileged position and must be carried out in line with the provisions on international transfers. Nonetheless, EU international cooperation will continue to be based on reciprocity, both towards the US and towards other regions, and to respect the fundamental values embedded in EU data legislation, such as the individual right to privacy and the right to information, which guarantee all democratic institutions and procedures.