Almost a year after last summer’s CJEU decision to invalidate the Privacy Shield EU-US data transfer agreement, SCCs have now been called into question as a valid safeguard for transfers to certain third countries. This blog looks at the latest developments and evaluates what options remain open to EU businesses for data transfers.
Ever since the CJEU rejected Privacy Shield, businesses have been scrambling for valid alternatives to continue their business-critical international transfers. Yet on 14 May, the Irish High Court rejected Facebook’s claim that transferring data it holds about us to the US was legal and should be allowed under the mechanism of standard contractual clauses (SCCs).
What privacy experts had discussed since the CJEU ruling, a court has now confirmed. Without additional technical safeguards, SCCs – and potentially binding corporate rules (BCRs) – cannot offer sufficient protection for data transfers to countries that do not offer an “essentially equivalent” level of protection.
As a result of the High Court’s decision, the Data Protection Commission – as the supervisory authority in Europe for Facebook – has 21 days from 14 May to decide on its action. In the wake of this escalation, the EU Parliament also threw its weight into the debate, criticising “national authorities in the EU for failing to enforce the GDPR properly, as MEPs consider them to have overlooked international data transfers and failed to take meaningful corrective decisions.” Maybe as a direct consequence, the Berlin data protection authority (‘Berlin Commissioner’) was quick to announce its plans to participate in the Germany-wide examination of international cross-border data transfers to third countries.
In light of these developments, it looks highly likely the DPC will confirm the High Court decision and tell Facebook to stop transfers using SCCs. At that point, all the other European data protection authorities (DPAs) will review the decision. If any of them object, a review and subsequent vote will be triggered at EU level within four weeks. The final decision will then apply to all international transfers.
The consequences of the pending decision could be significant. In the extreme scenario, the world’s biggest data exporters such as AWS, Microsoft, Yahoo, and Google would have to set up large and costly server centres in Europe to fully comply with the ruling.
Clarity needed on EU transfers
Businesses are now left with an impossible task: trying to find a solution that allows them to continue critical business relationships with companies holding their data. These relationships have been built over many years and are now embedded both operationally and technically. MEPs recognise these challenges and called on the relevant EU authorities “to set clear rules in line with the Court’s findings”.
What your business needs to do
So, what does this mean for most businesses operating under the scope of the GDPR? Essentially it means that for certain international transfers, such as data transfers to the US, the only option at the moment seems to be to apply additional technical safeguards. For example, encryption would ensure the data cannot be accessed in that third country.
But this won’t be possible for all international transfers. For example, an organisation might have a helpdesk operation or a customer support call centre in the US, and its support staff may need to have access to the information ‘in the clear’, or unencrypted, to provide support.
What are my options?
The selection of the right option very much depends on the type of transfer. Here are some options and considerations:
- Wait for a new EU/US Privacy Shield agreement – but keep in mind it is far from certain whether any new agreement can be reached, given the surveillance laws in the US
- Use Binding Corporate Rules (BCRs) – but be aware this is a long process and some question whether they are considered ‘essentially equivalent’
- Derogation – this works for some, but not all transfers
- Stop transfers and move data to the EU where possible
- Rely on promises from cloud providers like AWS or Microsoft that US requests for data will be resisted
Right now, there is a stalemate as we wait for the final decision and further guidance from EU authorities. But that is not an excuse for inaction. Rather than waiting for the guidance before deciding to act, we recommend that companies that have not already done so start understanding their situation today through a transfer risk assessment.
Transfer risk assessment
Organisations must review their international transfers to be ready for when we have firmer guidance from European authorities. Companies should know where their data is going, what processing happens internationally, what processing is being done in countries where it’s an issue, and which processing activities are critical to their business.
I believe that within two to three months, we will see more rigorous guidance from the European Data Protection Board (EDPB). Until we reach that point, the best thing companies can do is build awareness of where potential data transfer risk exists, where the processing takes place, and decide if it’s possible to change something about the processing. By doing the work now, you can at least know that you have made a head start on meeting the transfer requirements.
Back in January, BH Consulting held a virtual briefing with a panel of data protection and cyber security speakers, who provided an overview of the latest developments and recommended practical steps to deal with the CJEU decision. You can watch it back on our YouTube channel.
Tom Knierim, data protection consultant with BH Consulting