A time bomb has exploded in the world of international data transfers!
On 16 July 2020, after seven years of wrangling, the Court of Justice of the European Union has delivered its ruling in the Schrems II case, which both calls into question data transfers to the US and makes it very complicated to transfer data to third countries outside the European Economic Area (EEA). And don’t forget that it also qualifies as a transfer if your company’s hosting or cloud service provider is in one of these countries!
Who is affected by the Schrems II judgment?
The latest Schrems judgment could affect a wide range of businesses, as it is not only about sending data (e.g. by email) to a third country outside the EEA, but also about a cloud service provider storing the data in a third country. Businesses often use US hosting providers and the US is also a third country in light of the Schrems II judgment.
Which country is a third country?
EEA member states include EU member states plus Iceland, Liechtenstein and Norway. All other countries are third countries under the Schrems II judgment, but there are exceptions. The judgment does not affect third countries for which the EU Commission has decided that the country provides adequate protection for the processing of personal data (e.g. Japan, Canada and Argentina). The list is regularly updated by the European Commission on this website. If we transfer data to the countries on the list, it is as if the transfer had taken place within Hungary, so from GDPR perspective it is practically irrelevant whether we transfer the data to a Hungarian city or Japan.
What about the US?
The US is considered a third country under the Schrems II ruling, which invalidated the Privacy Shield legal framework that previously governed data transfers to the US. The main reason for this is that US national security services have access to all ‘transiting’ data via submarine cables which cross the Atlantic Ocean.
How can we transfer data to third countries?
As a data controller, we can only transfer personal data to a third country if we can provide adequate safeguards to ensure that the level of protection of the data in the third country is not compromised under the GDPR. There are a number of models for providing adequate guarantees, out of which the following two models have been most commonly used in the past.
The Standard Contractual Clauses adopted by the EU Commission are a pre-drafted form of contract that does not require supervisory approval. Therefore, this form of contract could be used relatively quickly.
The other model is the Binding Corporate Rules, which requires supervisory approval. However, it is also more costly and time-consuming, and only suitable for transfers within a group of companies and cannot be used for transfers to external companies.
What is the significance of the Schrems II judgment?
So far, businesses have mostly used the General Data Protection Clauses developed by the Commission. They have simply signed this model contract form and and the issue has been left behind. The Schrems II judgment breaks with this approach; it makes it clear that it is not enough to sign standard contractual forms, it is not just a paperwork but that data controllers are obliged to examine , on the basis of a prior assessment, whether adequate safeguards are in place to manage the risks of data transfers to third countries.
How can we assess the risks of data transfers to third countries?
There are no detailed practical guidelines put in place for carrying out a preliminary assessment. On the basis of the Schrems II judgment, questions such as who has access to the data in the third country, under which legislation and to what extent, or whether technical measures such as encryption or pseudonymisation can prevent access to the data by the authorities in a confidential manner, need to be addressed.
If we do not know the legal environment of the third country, we can also ask the data recipient receiving for help. When conducting an investigation, it is worth while to agree in advance who will be responsible for what and how responsibilities will be shared.
What can we do if the investigation leads us to conclude that there is a risk of transferring data to a third country?
In this case, we should inform the data subjects of the potential risks of transferring their data and ask for their explicit consent to the transfer. It is questionable whether after the notice the data subject would then give such consent, not to mention that in certain situations consent is difficult to interpret (e.g. in the case of employment relationships where the voluntary nature of consent is questionable due to the subordination of the legal relationship).
If the consent of the data subject cannot be secured, the transfer of data is only possible in specific cases, including, for example, where the transfer is strictly necessary for the performance of a contract between the data subject and the controller or for the establishment of legal claims.
In conclusion, it is recommended that the investigation is always carried out and documented. Our expert lawyers will be happy to assist you and answer any questions you may have on the subject. In the light of the Schrems II judgment, it is quite possible that in future data protection authorities will pay particular attention to the legality of international data transfers.
