The Schrems II dangers : action and options

In July 2020 the Court of Justice of the European Union struck down the validity of the EU-US Privacy Shield scheme as a mechanism for enabling the transfer of personal data from the UK (or anywhere else in the EEA) to the US. So, where are we now?

The European Data Protection Board and the US Dept of Commerce have started talks on a possible replacement scheme but, unless the reasons for the judgment (i.e. the breadth of the rights afforded to the US intelligence authorities to access personal data and the lack of enforceable rights for data subjects) are addressed by changes in US law (in mid-transition chaos?!), it is difficult to see this happening quickly. Unhelpfully, the Schrems II judgment had immediate effect and there is still no definitive statement from the Information Commissioner on the best approach to handling the matter.

The upshot, therefore, is that any UK business which has historically relied upon the EU-US Privacy Shield must either put in place an alternative safeguard or cease transferring personal data to the US. So, what are the potential options to avoid incurring liability (or at least minimise exposure)?

(a) Use an EEA-based processor

The safest option is to switch the processing away from the US to an EEA location. If this can be done (either under the contract or by agreement with the US processor or perhaps because the existing contract is about to expire anyway) then there should be no issue at all – it is simply a question of taking the practical steps to make that happen.

(b) Switch elsewhere

If you can’t easily switch to an EEA location but could switch elsewhere outside of the EEA, then you could take the necessary practical steps to do that and use a set of long-standing, pre-existing “model” clauses, known as the standard contractual clauses (“SCCs”). The Schrems II judgment confirmed that use of the SCCs remains a valid mechanism for transferring personal data to be processed overseas. However, it also made clear that their validity and suitability needs to be assessed on a case-by-case basis, taking into account the particular data processing in question and whether any supplementary terms need to be added.

The SCCs cannot currently be used without (i) the agreement of the processor (but, as there is a clear commercial driver to use them, this ought not to be an issue) and (ii) the agreement of the customer. However, most business customers are very familiar with the use of the SCCs. As long as it can be established that the personal data would be adequately protected (and the same factors that caused the EU-US Privacy Shield scheme to fail are not a problem in the proposed non-EEA country in question), customer consent ought not to cause too much concern. For example, you could use a replacement processor based in a familiar and long-standing jurisdiction commonly used for offshore processing, such as South Africa (recognising that there are still a few months left of the transition period for implementing the Protection of Personal Information Act there, so that gap may need to be addressed).

(c) Stick it out

If neither (a) nor (b) is a feasible option, it may still be possible to continue processing the personal data in the US (as with other non-EEA countries) by using the SCCs. However, given the CJEU’s reasons for striking down the validity of the EU-US Privacy Shield, it will be much harder to  justify their validity and suitability for use in the US without having conducted a really thorough assessment, on a case-by-case basis, taking into account the particular type of personal data being transferred and data processing in question, the risk factors attaching to the data, and the supplementary terms that will need to be added.

Factors to be taken into account could include:

  • whether the personal data is being processed only very transiently, e.g. read-only via VPN, or where processed only intermittently and held very temporarily and then permanently deleted very quickly from the host US system;
  • whether the data can be strongly encrypted (not just in transit but also at rest in the US hosting destination);
  • whether the data can be pseudonymised in such a way that only the transferring business can re-identify the data.

Doing nothing is not an option

What should your next steps be?

  1. Conduct an immediate review of your contracts with your providers in order to establish under which, if any of them, personal data is (or might be) transferred to the US for processing.
  1. Having identified those which are, conduct a detailed assessment of the situation with regard to the type of personal data, the nature of the data processing and the current steps being taken by the data processor to protect that personal data, with the aim of determining which of the various options above is most suitable, in the particular circumstances.

It might seem tempting to sit back and see how the situation develops but, given the potential ramifications (material breach of data protection law, exposure to damages claims from the individuals concerned, a suspension order from the ICO and significant fines), doing nothing isn’t really an option.