Schrems II – what’s all the fuss about?

14th July 2020 Media Law

By now, most of us will have heard murmurs about Max Schrems’s case against Facebook and the validity of cross-border transfer of European citizen’s personal data around the world by way of standard contractual clauses (SCCs). After a long wait, the CJEU will finally deliver its judgment on the Schrems II case this Thursday 16 July, which will determine the validity of the SCCs. But what will the outcome of the case actually mean for businesses operating within the UK and the European Economic Area (EEA)?

For a while now, it has been common practice for businesses to use SCCs as a relatively straightforward way to legitimately transfer personal data from within the UK and EEA to third countries outside the EEA. The question currently in front of the CJEU is whether the SCCs provide an adequate level of protection for data transfers from the EEA to third countries, and the level of protection given to personal data that is transferred in accordance with the EU-US Privacy Shield.

Whilst there have been a lot of comments and opinions given in relation to this case, the most noteworthy one is the opinion of the Advocate General (“AG”) of the ECJ, which was handed down in December 2019. Although the AG’s opinion is not legally binding, such opinions tend to be followed by the Court, and we believe it is highly likely that the CJEU judgment won’t differ too much from the AG’s opinion. So, what did the AG say?

Put simply, the AG concluded that SCCs are a valid mechanism by which to transfer personal data outside of the EEA. This would appear to be a neat ending to the whole saga, but in reality even if the CJEU follows the AG’s opinion, the decision could have consequences for international trade and movement of people, especially if personal data flows are hindered. By way of example, questions have been raised as to whether the CJEU judgment could impact other data export mechanisms, such as Binding Corporate Rules, Code of Conducts etc. as these are all mechanisms that also fall under the same Article 46 GDPR umbrella as the SCCs, and so it is possible that there could be repercussions for these too.

In addition, the current SCCs are not actually GDPR-compliant and the ICO has stated that they plan to update the existing SCC’s to be in line with the GDPR. As such, whatever happens on Thursday, the SCCs are likely to be required to be updated to make them GDPR-compliant in any case. This in turn will mean that companies currently relying on the SCCs mechanism will have to review and update the contracts they have in place, once the new clauses are published by the EU.

The waters get even murkier when looking at data transfers between the EU and the US. Currently, the EU-US Privacy Shield imposes obligations on US companies to protect European Citizen’s personal data. The Privacy Shield requires the US to monitor and enforce more robustly, and cooperate more with the European Data Protection Authorities. However, following the hearings concerning the Facebook/Cambridge Analytica data breach, alarms bells began to be heard around the Privacy Shield’s effectiveness, as both companies were certified under the Privacy Shield. Indeed, on 5 July 2018, the European Parliament passed a non-binding resolution directing the European Commission to suspend the EU-US Privacy Shield unless the US government complied with its terms. The future of the EU-US Privacy Shield is far from certain, and the judgment in the Schrems II case will have a direct impact on the EU’s continuing trade relationship with the US, and how data can continue to be validly transferred between the two.

Furthermore, companies in the UK will also need to start planning what to do after 31st December 2020, when the Brexit transition period ends.

To help businesses plan ahead for the outcome of the Schrems II judgment, and the end of the Brexit transition period, we have put together the following tips:

  1. Now is a good opportunity to review your flows of personal data, and to identify any key transfers from the EEA/US to the UK.
  2. You should review the mechanisms you currently rely on for transferring personal data, and in particular should seek to revise your SCCs when the new versions are released by the EU.
  3. If you are a multinational business, you should consider your use of any existing EEA-approved binding corporate rules to make transfers into and out of the UK – these will need to be updated to reflect that the UK becomes a third country at the end of the transition period.
  4. You should update your documentation and privacy notices to expressly cover UK to EEA data transfers under UK adequacy regulations.
  5. If you transfer data between the UK and the US, you will need to check that the US organisation you transfer data to has made the necessary update to their commitment to comply with the Privacy Shield.
  6. If you are a UK-based controller or processor with no offices in the EEA, but you are offering goods or services to individuals in the EEA, or monitoring the behaviour of individuals in the EEA, you will need to consider whether you must appoint a European representative under Article 27 of the GDPR. This representative will need to be set up in an EU or EEA state where some of the individuals whose personal data you are processing in this way are located. The reverse applies if you are an EEA-based controller or processor with no offices in the UK; i.e you will need to set up a representative office in the UK if you are not established there.
  7. Similarly, if you are a controller or processor based outside of the EEA but you are offering goods or services to individuals in the UK, or monitoring the behaviour of individuals in the UK, you will need to consider appointing a representative in the UK.
  8. Generally, you will need to review your privacy notices, data protection impact assessments, and other documentation to update references to EU law, UK-EU transfers, and your EU representative (if applicable).

JMW Solicitors can offer assistance for businesses who require representatives in either the UK or the EU, and are able to act as a representative on behalf of a business in both of these regions. If you have any questions regarding the above, do get in touch and we will assist you in ensuring that your business remains compliant. ​​​​​

We're Social

Hannah Ife is an Associate Solicitor located in Londonin our Data Protection department

View other posts by Hannah Ife

Let us contact you

*
*
*
*
*

COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest