Cross-Border Data Transfers After Schrems II: Navigating the New Landscape Under GDPR
The digital economy thrives on the seamless flow of data across borders. Whether it’s an international tech giant transferring customer data between regions or a small business leveraging global cloud services, cross-border data transfers are integral to modern commerce. However, these transfers have become increasingly complex since the European Court of Justice’s (CJEU) landmark Schrems II decision in July 2020, which invalidated the EU-US Privacy Shield and reshaped the legal landscape for cross-border data transfers under the General Data Protection Regulation (GDPR).
This article delves into the implications of Schrems II, how businesses are now navigating the new requirements for international data transfers, and what steps need to be taken to ensure compliance in this post-Schrems II world.
The Legal Framework for Cross-Border Data Transfers Under the GDPR
The GDPR, which came into effect in 2018, is the cornerstone of data protection law in the European Union (EU). One of its most significant provisions relates to cross-border data transfers, which refer to the transmission of personal data from within the EU/European Economic Area (EEA) to outside these regions.
Under the GDPR, cross-border transfers can only take place under specific conditions, primarily where one of the following applies:
- Adequacy decisions: The European Commission determines that the third country offers an adequate level of data protection.
- Appropriate safeguards: Businesses can use mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
- Derogations: In the absence of adequacy decisions or appropriate safeguards, limited derogations may apply, but these are generally seen as exceptions.
The Rise and Fall of the EU-US Privacy Shield
In 2016, the EU-US Privacy Shield was adopted as a framework that allowed US companies to self-certify compliance with GDPR-equivalent standards. It followed the Schrems I decision, which invalidated the earlier Safe Harbour Agreement. The Privacy Shield provided legal cover for thousands of companies transferring data from the EU to the US, but it also came under heavy scrutiny.
Austrian privacy activist Max Schrems challenged the Privacy Shield framework, primarily arguing that it did not sufficiently protect EU citizens’ personal data from US government surveillance. His complaint was rooted in the US’s intelligence practices, which lacked the same levels of data protection and redress mechanisms as provided under EU law.
The Schrems II Decision and Its Immediate Impact
On 16th July 2020, the CJEU delivered its judgment in Schrems II (Case C-311/18). The court invalidated the Privacy Shield framework, ruling that it did not provide adequate protection for EU citizens’ data, particularly in light of US surveillance laws such as the Foreign Intelligence Surveillance Act (FISA).
At the same time, the court upheld the validity of Standard Contractual Clauses (SCCs), which remain one of the most commonly used mechanisms for cross-border data transfers. However, the ruling stressed that SCCs alone were not sufficient. Data controllers need to evaluate, on a case-by-case basis, whether the third country’s legal system provides adequate protection for personal data and whether additional safeguards are required.
Key Points from Schrems II:
- Privacy Shield invalidation: The Privacy Shield was found to be non-compliant with EU law, leaving businesses that relied on it in legal limbo.
- SCCs remain valid, but with conditions: While SCCs can still be used, organisations must assess whether the destination country’s laws, particularly in relation to surveillance, affect data protection standards.
- Responsibility on data exporters: The burden is now on data exporters in the EU to ensure that SCCs are effective in practice, often necessitating supplementary measures.
- Increased scrutiny on BCRs: Binding Corporate Rules, though unaffected directly by Schrems II, are under closer examination, with similar expectations of thorough assessments.
The New Reality: Challenges and Compliance Post-Schrems II
In the wake of the Schrems II decision, businesses face a more complicated regulatory landscape for transferring personal data internationally, particularly to jurisdictions like the US. The ruling has caused significant disruption for businesses that previously relied on the Privacy Shield, leaving many scrambling to implement alternative solutions.
Key Challenges
- Increased Compliance Burden
The onus is now on data exporters to evaluate the adequacy of protection provided by the destination country, even when using SCCs. This goes beyond simply relying on pre-drafted clauses, requiring businesses to perform detailed assessments of the legal environment in the receiving country and adopt additional safeguards if necessary.
- Supplementary Measures
In many cases, using SCCs or BCRs may not be enough. The European Data Protection Board (EDPB) has provided guidance on potential supplementary measures, which may include technical solutions (e.g., encryption and anonymisation), contractual obligations, and operational measures. Implementing these measures can be costly and complex, especially for smaller businesses.
- Uncertainty Around US Data Transfers
Given that the Schrems II ruling was heavily focused on US surveillance laws, transfers to the US are particularly fraught with difficulty. Many businesses are left questioning whether SCCs can ever be sufficient for US transfers, given the inherent conflict between US surveillance practices and the GDPR’s high standards of data protection.
- Regulatory Uncertainty
Data Protection Authorities (DPAs) across the EU have taken varied approaches to the Schrems II ruling, with some providing clear guidance and others being more ambiguous. This creates uncertainty for businesses operating across multiple jurisdictions, as they may face different enforcement practices depending on where they are based.
Practical Steps for Businesses to Ensure Compliance
In this new landscape, organisations transferring data across borders must take proactive steps to ensure compliance with the GDPR. Below are some of the key strategies to consider:
1. Conduct a Data Transfer Impact Assessment (DTIA)
A Data Transfer Impact Assessment (DTIA) is now a critical tool for businesses to assess the risks associated with transferring personal data to third countries. The DTIA should consider:
- The nature of the data being transferred.
- The laws and practices of the destination country, particularly concerning surveillance and data access by government agencies.
- The effectiveness of the SCCs or other safeguards being used.
The DTIA is an essential step in determining whether the data transfer can proceed and whether supplementary measures are needed.
2. Implement Supplementary Measures
Where the DTIA reveals that SCCs or BCRs alone are not enough, businesses must implement supplementary measures. These can be divided into three categories:
- Technical measures: Encryption of data in transit and at rest, anonymisation, and pseudonymisation. The key challenge is ensuring that encryption remains effective even against the surveillance capabilities of the destination country.
- Contractual measures: Adding specific clauses to the SCCs, such as requiring notification if the recipient receives government requests for data access.
- Organisational measures: Strengthening internal data security policies, improving data access controls, and providing staff training on data protection best practices.
3. Monitor Third-Country Legal Developments
The Schrems II ruling has made it clear that businesses cannot rely on a static assessment of the third country’s legal system. Continuous monitoring of legal developments is crucial, especially in countries like the US, where surveillance laws and practices may evolve.
It’s advisable to stay updated on the latest guidance from the EDPB and relevant DPAs, as well as to work with local legal experts in third countries to understand any changes in their data protection landscape.
4. Engage with Local Regulators and Seek Guidance
With varying interpretations of the Schrems II decision across the EU, engaging with local DPAs is crucial for businesses. Seeking clarification and guidance on how local authorities interpret the ruling can provide greater legal certainty and reduce the risk of non-compliance.
For example, some DPAs may offer specific guidance on the supplementary measures that are acceptable in their jurisdiction. Involving regulators early in the process may also help mitigate enforcement risks.
Looking Ahead: The Future of Cross-Border Data Transfers
The invalidation of the Privacy Shield has prompted the EU and the US to return to the negotiating table. Both sides are keen to develop a new transatlantic data-sharing framework, but negotiations have been slow, with key sticking points remaining around US surveillance practices and the level of judicial redress available to EU citizens.
A New Transatlantic Framework?
There are growing calls for a successor to the Privacy Shield, with the Biden administration indicating a willingness to engage with the EU on this issue. However, any new framework will need to address the deficiencies identified in Schrems II to stand up to legal scrutiny. This likely means that the US will have to introduce reforms to its surveillance laws and offer greater protections for EU citizens.
Standard Contractual Clauses: The New SCCs
In June 2021, the European Commission adopted new SCCs to better align with the GDPR and address some of the concerns raised in Schrems II. These updated clauses offer more flexibility, covering multiple transfer scenarios (including between processors and sub-processors) and requiring businesses to conduct transfer impact assessments.
The new SCCs are now mandatory for new agreements, and businesses must transition existing agreements to the new clauses by December 2022. While these clauses offer greater clarity and legal certainty, they still place a heavy compliance burden on businesses, particularly when transferring data to countries with inadequate data protection regimes.
The Role of Emerging Technologies
As businesses grapple with the challenges of cross-border data transfers, emerging technologies such as artificial intelligence (AI) and blockchain may offer new solutions. For example, decentralised data storage systems could reduce the need for cross-border transfers, while advanced encryption techniques could enhance data security. However, these technologies are still in their infancy, and their legal and regulatory implications remain uncertain.
Conclusion: Navigating the Post-Schrems II Landscape
The Schrems II decision has fundamentally reshaped the legal framework for cross-border data transfers under the GDPR. While SCCs and BCRs remain valid, they are no longer the “quick fix” they once were. Businesses must now undertake detailed assessments of the risks associated with international data transfers and implement supplementary measures where necessary.
With the future of transatlantic data flows still uncertain, businesses must stay vigilant, continuously monitor legal developments, and adopt a proactive approach to compliance. Those that fail to do so risk severe penalties under the GDPR, as well as potential damage to their reputation.
In this new, more challenging environment, businesses should view compliance not as a mere legal obligation, but as a key part of building trust with their customers and safeguarding their data. Navigating the post-Schrems II world may be complex, but by taking the right steps now, businesses can ensure they remain on the right side of the law and continue to operate smoothly in the global digital economy.