8 minute read 31 Mar 2021
Female photographer in glacial ice cave waterfall

What are the main trends in regulatory responses to Schrems II

By Fabrice Naftalski

EY Global Head of Data Protection Law Services

Lecturer in Information Technology & Data Protection Law. Faculty member of IAPP. CIPP/E and CIPM holder. Certified EuroPrise Legal Expert. EY France DPO.

8 minute read 31 Mar 2021
Related topics Law Tax

After the Schrems II decision, the regulatory environment remains uncertain for organizations transferring data internationally.

Three questions to ask
  • How can international organizations obtain clarity about their data privacy obligations?
  • What data transfer mechanisms will Supervisory Authorities (SAs) deem acceptable?
  • What are governments doing to promote smooth data transfers while protecting individual rights?

The landscape has changed for organizations European Union (EU) citizens’ personal data to jurisdictions outside the European Economic Area (non-EEA) following last year’s Schrems II decision. This article explores some of the recent regulatory and enforcement trends that organizations transferring data internationally should be aware.

Schrems II: A reminder

On July 16 2020, the Court of Justice of the European Union (CJEU) issued a landmark ruling in Case C-311/18 (“Schrems II”). In this decision, it ruled that the Privacy Shield framework governing data transfers between the EU and the US was invalid. The primary grounds for the decision were:

  • The lack of any safeguards to limit access by US law enforcement authorities to the personal data of EU data subjects once it had been transferred to the US, especially in cases where US authorities derived their permission for such access from US surveillance laws
  • The lack of judicial protection against US surveillance programs and effective recourse to a body offering guarantees substantially equivalent to those required by EU law

Further, the CJEU examined the role of traditional mechanisms for enabling data transfers to non-EEA jurisdictions, including Standard Contractual Clauses (SCCs) between the EU-based data exporter and the data importer. It concluded that SCCs would remain a valid mechanism for data transfers where:

  • the exporter carried out a pre-transfer assessment of the third country, designed to confirm whether third country laws meet an equivalent level of protection required by the EU’s General Data Protection Regulations (GDPR) or the EU’s Charter of Fundamental Rights
  • if the assessment exposes gaps between EU and non-EU regimes, the data exporter must implement additional measures (technical measures, according to the CJEU)
  • if the exporter concludes that an effective level of data protection equivalent to European law cannot be ensured, it must suspend or terminate the transfer

European Data Protection Board issues response to Schrems II decision

For a full discussion of the Schrems II decision and the EPDB guidance, please download our flyer

Download PDF

Cargo port and harbor in Hong Kong
(Chapter breaker)
1

Chapter 1

Regulatory response to Schrems II decision

Conflicting positions between Supervisory Authorities leads to confusion.

European Data Protection Board (EDPB) position

Following the Schrems II decision, on 24 July 2020, the EDPB published a ‘Frequently Asked Questions’  document. The EDPB noted that Schrems II has particular impact on other transfer mechanisms, not only Privacy Shield and SCCs but also, for example, Binding Corporate Rules (BCR). The EDPB issued long-awaited guidance on 11 November 2020 further clarifying the steps required for data exporters to undertake prior to transferring data to a non-EEA jurisdiction – not only the US. The EDPB guidance document also makes it clear that there is no grace period and enforcement would commence right away.

Post-Schrems II: Regulatory grey area

While the Schrems II decision and the subsequent EDPB guidance provided some direction, further analysis and commentary left many organizations still grappling with whether or not they could legally and safely transfer data outside the EU (in particular, to the US) and, if so, what was the correct procedure to follow.

While the EDPB guidance may have been intended to clarify the steps for a permitted data transfer for implementing organizations, when these organizations turn to the SA in each Member State, they may face conflicting interpretations of Schrems II and the EDPB guidance. Multinational organizations face an increased compliance obligation in trying to understand and synthesize the positions of different regulators across the EU, as well as any non-EEA jurisdictions in which they have operations. Given the EDPB guidance stipulated that “the competent supervisory authority is required to suspend or prohibit such a transfer”, there is a significant risk that both data subjects and transferring organizations may experience a fragmented application of European law, where the same transfer could be deemed valid by one SA but not by another.

Following the Schrems II decision, some SAs declared any data transfer to the US to be illegal, and called for caution and minimization of transfers. The European Data Protection Supervisor (EDPS), tasked with safeguarding the EU’s own data protection policies and compliance (pdf), also called on the EU institutions to "to avoid processing activities” that involve transfers of personal data to the US and instructed the EU institutions to complete “a mapping exercise identifying which on-going contracts, procurement procedures and other types of cooperation involve transfers of data.” At the same time, other SAs noted that Schrems II validated the use of SCCs as a transfer mechanism, providing that additional measures were implemented.

Portugal algarv aerial view in morning
(Chapter breaker)
2

Chapter 2

‘Localism’ and rise of ‘Eurocentric’ approach to data governance

Flurry of changes promoting a ‘Europe first’ approach to data governance.

An example of the uncertainty has been recently observed in France, with the jurisdiction’s highest administrative court (the Conseil d’État) issuing a summary judgment that rejected a request seeking suspension of operations of the country’s central health data platform, ‘Health Data Hub’, currently hosted on EU-based servers by a major US technology company. This was contrary to the position of the French SA, the Commission nationale de l'informatique et des libertés (CNIL), which had issued a statement post-Schrems II asking affected organizations to stop storing health data "as soon as possible" on the Health Data Hub, and to utilize companies not subject to US law for hosting such data. The Conseil d’État’s decision acknowledged that the current Health Data Hub operations are subject to the risk of US intelligence services requesting the data from the US technology company (even if the data physically remains in the EU, because of the extraterritorial scope of US surveillance laws) and called for additional guarantees to be overseen by the CNIL. The French Health Minister sought to clarify the matter by indicating that the health data would cease being stored under the current arrangement with the existing provider within two years.

Rise in ‘Eurocentric’ approach to data governance 

CNIL has made statements encouraging the use of European suppliers, especially in the context of projects involving sensitive data. In addition, the European Commission (EC) wants to facilitate data sharing within the EU through the establishment of a European data governance and strategy, as demonstrated in the proposal for a European data governance regulation published on 25 November 2020. This regulation aims to establish harmonized rules and means for data usage and to support the development of “common European data spaces” (operated by data intermediaries, presumably limited to European companies). Commentators await with interest further details about a proposed European Data Innovation Board, to be created with the aim of facilitating the sharing of good practices by SAs. Although the EC has stated that it does not intend to introduce data localization requirements, especially regarding any common European data spaces, it notes that the EU must ensure that any access to EU citizens' personal data, particularly sensitive data, is in line with its values and legislative framework.

The EDPB has also been active in policy development following the Schrems II decision. It issued an opinion on the creation of a common space in the area of health, the European Health Data Space (pdf) (EHDS), in order to develop the positive potential of health data (e.g., improved clinical outcomes and care, personalized medical treatment, medical innovation, monitoring public health trends etc.) in a climate of trust and efficiency. The EDPB says it supports the “objectives of promoting health data exchange and fostering medical research” while underlining the “necessity for data protection safeguards to be defined” due to the sensitivity of the data to be processed within the EHDS. The EDPB is supportive of what it calls “initiatives to achieve European digital sovereignty” in order to secure health data. 

 
 
Explorer walking inside the cave
(Chapter breaker)
3

Chapter 3

Activism on the rise, reputations at stake

Data governance in multinational organizations should no longer be treated as an internal matter.

Multinational organizations should also note that several stakeholders with an interest in data governance and data subjects’ rights have commenced action against data holders following the Schrems II decision. For example, the activist group Noyb has recently filed 101 complaints against several companies because, the group claims, the companies continue to use US solutions on their websites. Organizations should be aware that the reputational risk from their approach to data governance is increasing in severity. 

Two surfers surfing in huge wave
(Chapter breaker)
4

Chapter 4

Conclusion: What should organizations be doing next?

How should multinational organizations minimize regulatory confusion regarding data transfers?

While most multinational organizations have become cognizant of the effect of changes in data protection legislation around the world on their operations, many are yet to grasp the increased burden imposed by the EDPB following the Schrems II decision.

Organizations should undertake the following steps without delay:

  1. Map their current data transfers to assess whether any are covered by Schrems II/EDPB guidance
  2. Establish a clear understanding of the mechanism(s) on which they rely to transfer EU data to non-EEA jurisdictions/suppliers
  3. Should the transfer assessment identify gaps with the current mechanism, institute technical or other permitted remediation, in accordance with EDPB guidance (see EY flyer for more details)
  4. Continue to monitor regulatory developments on data governance by EU bodies and Member State SAs, including obtaining professional guidance where necessary to clarify conflicting advice, to demonstrate commitment to European data protection principles

Summary

Given the regulatory uncertainty following the Schrems II decision and the subsequent regulatory activity, international organizations must proceed carefully to meet their data privacy obligations.

About this article

By Fabrice Naftalski

EY Global Head of Data Protection Law Services

Lecturer in Information Technology & Data Protection Law. Faculty member of IAPP. CIPP/E and CIPM holder. Certified EuroPrise Legal Expert. EY France DPO.

Related topics Law Tax