Schrems II and International Data Transfers — What Happens Next?
25 May 2021
Today, 25 May, is the third anniversary of the GDPR. One of the major events in the field of data protection over the past three years is of course the CJEU’s ruling in case C-311/18 (Schrems II) last summer. Several of our clients are currently working with the outcome of the ruling and how to assess their services that involve data transfers outside of the EEA. Although almost a year has passed, the details on how to act in the new legal landscape are not as clear as one could hope for, but some guidance is available through the draft recommendations and case law. In this blog post, we celebrate the GDPR anniversary and sum up the most important events after the Schrems II ruling as well as the current status.
Background of the Case
The Schrems II ruling concerned personal data transfers to the United States. Under the GDPR, all transfers to a third country (i.e. outside the EU/EEA area) must be made in accordance with Chapter V of the GDPR. For EU-US transfers, the so-called Privacy Shield Decision was a commonly used tool for transfers. On 16 July 2020, the CJEU issued its judgment in the Schrems II case, announcing the more or less ground-breaking news that the Privacy Shield Decision was invalidated. In the decision, the court concluded that U.S. authorities’ surveillance capacities are in conflict with EU fundamental rights and that the Privacy Shield Decision was therefore invalid in its entirety. This invalidation of course resulted in several practical issues, but more importantly the court also made several important statements in respect of the possibility to use another common transfer tool, the standard contractual clauses, i.e. the SCCs. In respect of the SCCs, the CJEU held that the use of SCCs was valid as such. However (and we cannot emphasise the importance of this “however” enough), the CJEU clarified that personal data transferred to a third country on the basis of the SCCs must be afforded a level of protection which is, in essence, equivalent to the protection provided under the GDPR and the EU’s Charter of Fundamental Rights. Considering the contractual nature of the SCCs, it is primarily for the data exporter (the entity transferring personal data outside of the EEA), in collaboration with the data importer (the entity receiving the personal data in a third country), to verify on a case-by-case basis whether the third country ensures an adequate level of protection that is essentially equivalent to that set out under the GDPR.
In this respect, the statements made in the decision created a more or less new process and analysis required of data exporters prior to any third-country transfer, and further emphasised the importance of all parties involved ensuring that such transfers are only made in compliance with Chapter V of the GDPR. It also created a new concept, i.e. the Transfer Impact Assessment (usually referred to as the “TIA”). If you would like to learn more about the background and the outcome of the case, please see our previous blog post on this topic.
The EDPB Draft Recommendation
Following the judgment, the European Data Protection Board (the “EDPB”) issued, in the course of fall 2020, draft recommendations on measures that supplement the transfer tools to ensure compliance with the EU level of protection of personal data. The recommendations include six steps to follow when assessing a data transfer and examples of supplementary measures that are sufficient and those that are not. In addition to the recommendation on how data exporters should perform and document their TIAs, the recommendation also includes several examples of supplementary measures that may be used to make a transfer to a country (such as the US) where there is no equivalent level of protection of personal data. The recommendation also provides an example of a situation where no sufficient measures have been found, namely data processed in a cloud service where the data are available “in the clear” in the third country (which specifically targets many of the commonly used US SaaS services). Due to the impact on the whole industry, the draft recommendation has received many comments from suppliers, customers, and the public. We are still waiting for the final version, which is expected to be published in June 2021. However, it is too early to say if and when the final version will actually be available, as the deadline has been postponed several times this year.
European Parliament’s decisions on 20/21 May 2021
Last week, on 20 and 21 May 2021, the European Parliament adopted a resolution and made several decisions in which it makes clear that privacy matters should be taken seriously and are addressed at a high decision-making level. In short, the European Parliament (i) requested further guidance from the Commission on how to make data transfers compliant with data protection legislation; (ii) expressed disappointment with the Irish DPA’s handling of the Schrems II ruling and therefore called on the Commission to initiate an infringement procedure against Ireland for failure to enforce the GDPR in a sufficient manner (it also expressed criticism in respect of other national authorities); and (iii) urged the Commission to amend the draft adequacy decision in respect of the UK to ensure that the privacy protection of EU citizens is upheld also after transfer to the UK. The road to a UK adequacy decision is thus yet to be continued…
Decisions and fines
To date (mid-May 2021), only a few decisions by the data protection authorities have been issued related to unlawful third-country transfers post-Schrems II. The CJEU clearly stated in the Schrems II ruling that there is a duty for the authorities to act in relation to unlawful transfers, which of course has resulted in increased attention by the authorities, and several investigations and complaints are currently being handled throughout the EU. Therefore, we expect more decisions in the near future. Below, we summarise the most important decisions issued so far:
- Bavarian DPA, Mailchimp
This case concerned a German company and was announced by the Bavarian data protection authority (the “DPA”). In this case, the controller used the service Mailchimp (a service for email newsletters). The service is provided by a company based in the US, and the use of the service involves transfers of personal data to the US. The transfer was made on the basis of the SCCs, but without the user having performed a TIA or ensured that supplementary measures were in place prior to the transfer. Although the company argued that the EDPB’s recommendation is still not finalised, the DPA found, and informed the company, that the transfer was not lawful under the GDPR as the company had not assessed whether additional measures were needed. Please note that no administrative fine was issued in this case (at least partly due to the fact that the company had ceased its use of the service prior to the decision, the use was limited to two situations, and the recommendation on how to perform a TIA had not yet been finalised).
- The Portuguese DPA, decision to suspend transfers to the USA
Following several complaints relating to the Portuguese National Institute for Statistics’ use of a US service, the Portuguese DPA declared that the transfer of personal data to the US was not made in accordance with the GDPR and ordered the institute to suspend all transfers within 12 hours of the issuance of the decision. The finding that the transfer was unlawful was mainly based on the fact that the importer of the personal data (the cloud service provider) was subject to US surveillance laws, which obligated the provider to give US authorities access to the personal data upon request. Taking into account the number of data subjects involved in this case and also the fact that sensitive data was included in the transferred personal data, the DPA decided that the transfer should be suspended at very short notice.
- The Norwegian DPA, fine issued for transfers to China
Following a news report regarding transfers of personal data to China relating to Norwegian car tolls, the Norwegian DPA decided to investigate the toll company transferring the personal data in question. The investigation concerned routines and measures to ensure an adequate level of protection for the personal data. The DPA has, on a preliminary basis, concluded that the company has breached several fundamental principles of the GDPR, including lack of valid legal ground for the transfer. The DPA has found that these deviations are material and has indicated a fine of NOK 5 million (approximately EUR 500,000) for the breach.
- Spanish DPA, fine due to transfers to Peru without any transfer mechanism
In the spring of 2021, the Spanish DPA announced a fine in the amount of EUR 8,125,000. The fine related to several breaches of the GDPR, of which EUR 2,000,000 related to unlawful transfers of personal data. In short, the telecom operator Vodafone was transferring personal data to a processor in Peru, and the agreement with this processor did not include reference to any transfer mechanism under the GDPR. As such, the transfer did not ensure an adequate level of protection for the personal data, and a fine was imposed on the telecom operator.
- Two decisions from the French authorities and courts
Two cases from the French courts have also received some attention. The first case concerned personal data relating to covid-19 on a “health data hub”. The personal data was hosted within the EU region, but the case concerned a claim that the US-based corporation Microsoft could be regarded as having access to the personal data through its Irish subsidiary. In the relevant case, the contract with Microsoft clearly specified that personal data would not be transferred outside the EU. However, in light of the Schrems II ruling, the court also considered that Microsoft, as a US-based company, may be subject to governmental requests for information under the legislation assessed in the Schrems II ruling. The court highlighted that the Schrems II ruling did not concern situations in which the personal data is hosted in the EU region and could only be accessed from the US as a consequence of its surveillance laws. The court also noted that the risk only materialises if a data request is actually made by the US authorities. The outcome of the case was that the court did not order any suspension of the service, as the risk in respect of the personal data was not extensive enough for the court to issue such a decision.
The second case also related to the battle against covid-19 and in particular the vaccination campaign. For this purpose, an online service for vaccine appointments was used. The service was hosted on AWS, and AWS was acting as a processor of the personal data concerned. The court was requested to immediately suspend the use of AWS for this purpose. The main arguments brought were that the use of the service violated the outcome of the Schrems II ruling, and that sensitive data (related to health) was processed by AWS. The court noted that no transfers had occurred, but acknowledged that there is a risk that the US authorities may request access. Nevertheless, following the court’s assessment in this particular case, and under certain local French procedural law limitations, of the legal and technical safeguards available (mainly (i) an obligation to challenge any general request from a public authority to access the data and (ii) encryption with the encryption keys held by a trusted third party in France, resulting in no actual access for AWS), the court found that the use of the service was not clearly in violation of the GDPR to the extent required for the issuance of an immediate suspension. On a side note, the court did not consider that any health-related personal data had been processed in the service, as it found in this case that the personal data processed did not constitute special category personal data (“sensitive personal data”).
- Although the above decisions can be used as some guidance on argumentation in these matters, we strongly recommend that these rulings not be used as a clear precedent for how the data protection authorities in other countries would assess the same transfer (the cases involve several aspects of French procedural law, etc.), and it is therefore not certain that a court or authority would reach the same conclusion in different circumstances.
- NOYB 101 complaints
Following the Schrems II ruling, NOYB (“None of Your Business”, a non-profit organisation focusing on privacy and originally founded by Max Schrems) launched 101 complaints throughout the EU against entities using Google Analytics. In Sweden and Finland, the following entities were included in the 101 complaints:
- MTV Internet
- Danske Bank A/S
- Qliro Group AB
- Sinovum Media AB
- Modern Women Media Sweden AB
- Coop Sverige AB
- Dagens industri
- Tele2 Sverige AB
The investigations are currently ongoing, and the parties submitted statements at the beginning of 2021. In respect of the Swedish review of Coop and Tele2, the review documentation has been submitted to the Austrian DPA, which is expected to announce its input within the upcoming months. The Swedish DPA has also consulted the Irish DPA on the Google Analytics technique and how the roles in respect of control of the personal data are divided (controller/processor, joint controllership, etc.) when the service is used. According to our contacts with the Swedish DPA, the final decisions on these matters are postponed due to the postponement of the final version of the EDPB’s recommendations. It is therefore not possible to foresee when we can expect a decision on these complaints, but we are hoping that we will know more after the summer, as we know many organisations are currently assessing how and whether it is possible to use analytics tools in compliance with Chapter V of the GDPR.
Some Topics Relevant in Sweden
- Public authorities’ use of cloud services
The use of cloud-based services by public authorities has been a topic of discussion in Sweden for several years, but the Schrems II ruling has shed even further light on this topic, or at least added an additional layer to the discussion. At the beginning of 2021, the Swedish Government published an official report (SOU 2021:1) on the topic of secure and cost-efficient IT – legal opportunities for outsourcing. The report includes, among other things, a section on the legal landscape for third-country transfers following the Schrems II ruling, which is well worth a read. However, please note that this report is still under consultation, and the report concluded that no local Swedish law changes were possible in respect of third-country transfers under the GDPR, as this is to be governed by EU law and the GDPR.
What is also notable is that the Swedish Tax Agency and the Swedish Enforcement Authority recently concluded, following a detailed assessment of Microsoft Teams (and in practice the Microsoft 365 suite), that the agencies are prevented from moving from an on-prem Skype solution to a cloud-based Teams solution. The main reason for this conclusion is the amount of data (and not only personal data) that would be disclosed to Microsoft and the lack of additional measures to prevent such disclosure, which, according to the agencies’ assessment, would be in violation of Swedish secrecy legislation as well as privacy legislation. Please note that this statement was made only days before Microsoft issued its roadmap for changes to its services, in response to customer requests for a more EU/EEA-based delivery, to be made by the end of 2022 at the latest.
- Swedish Ekot’s (part of Sveriges Radio) review of the use of Google Analytics by public authorities
In light of the legal developments, Ekot (part of the Swedish Radio “Sveriges Radio”) investigated almost 500 websites owned by municipalities, authorities, and regions (formerly called county councils) and the use of Google Analytics on said websites. Ekot concluded that more than 150 websites transferred personal data (in the form of IP addresses) to Google without informing the website visitor of the transfer. The review resulted in several data breach notifications to the Swedish DPA. To our knowledge, none of these have resulted in any further investigation yet.
The recent developments in this field show that privacy in the EU is a matter of fundamental rights, which deserves to be taken seriously. The legal playing field will continue to evolve in the coming years, and it is key for organisations to ensure that GDPR compliance matters are reviewed and addressed on a continuous basis. The developments also indicate that companies taking privacy matters seriously will be rewarded in the long run by earning goodwill and trust among their customers. We are eager to follow the developments and provide our clients with advice along the way.
With these final words, we wish you a happy GDPR Day!