English

How can we assist you?

    Article

    Steps organisations need to take for international data transfers following the Schrems II ruling

  • EN
    • 10 August 2020

    The historic decision of the Court of Justice of the European Union (Court) in
    Schrems II of 16 July 2020 has profound consequences on international data transfers.

    With the decision, the Court declared the EU-US Privacy Shield invalid with immediate effect. Furthermore, it confirmed the validity of Standard Contractual Clauses (SCCs), but effectively limiting the situations where the SCCs still can be relied on and emphasising the (additional) obligations for using them. The decision affects data transfers to the US and (indirectly) to other countries outside the European Economic Area (EEA). It even indirectly affects all data transfer instruments other than the EU-US Privacy Shield and SCCs (controller/processor), like SCCs (controller/controller) and Binding Corporate Rules. As a result of this landmark decision, organisations will have to take quick pro-active actions. The relevance, key aspects of the decision, and necessary next steps are explained below.

    1. Why is this decision relevant for my organisation?

    • The decision's effective impact is broad: The decision sees to data transfers to the US based on the EU-US Privacy Shield or SCCs, specifically to providers falling under the US Foreign Intelligence Surveillance Act (FISA) 702 and/or Executive Order (EO) 12.333, which include cloud providers such as Amazon and Microsoft. However, the Court's views on the level of data protection provided under US law and requirements for data transfers under these conditions are of general nature, so the effect of the decision is much broader and it also has more impact than its predecessor Schrems I, which invalidated the Safe Harbor instrument in 2015. Schrems II provides that the destination third country should have a level of protection essentially equivalent under EU law (specifically also the General Data Protection Regulation; GDPR) and the requirements that need to be met for lawful transfers of personal data to third countries. Therefore, the decision impacts also other data transfers instruments and transfers to other third countries than not only the US, regardless of its focus on the validity of the EU-US Privacy Shield and the SCCs (controller/processor) for transfers to the US.
    • Almost all organisations transfer personal data to third countries: although you may not always be aware of it, your organisation likely transfers directly or indirectly (via a subprocessors) personal data to a third country that is not deemed to provide an adequate level of data protection. Please see here a list of adequacy decisions of the EU, except for the invalidated EU-US Privacy Shield. Such transfer can be based on one of the three currently available SCCs, the now invalidated EU-US Privacy Shield, or other data transfer instrument, such as Binding Corporate Rules (BCR), as many organisations do. Such international transfer of personal data to a third country may be the result of, for example:
      • Outsourcing to service providers in third countries, such as the US: organisations usually obtain IT-services from service providers. These services normally involve the processing of personal data. There will likely be a relevant transfer of personal data which needs to be validated upon a legitimate transfer instrument, if you obtain services directly from a service provider located in a third country (which has not obtained an adequacy decision).
      • Outsourcing to service providers in the EEA: often organisations contract with a service provider located in the EEA. However, these EEA-based service providers usually subcontract their services for cost reasons or to be able to provide 24/7 services, such as the provision of cloud infrastructure or support, to service providers located in third countries or are part of a group with (head) offices and servers located in third countries. It should also be noted that foreign surveillance programs can have extraterritorial effects, such as the US FISA 702, EO 12.333, and Cloud Act allowing US law enforcement to reach certain data located in other countries. Thus, even if the personal data are on a server in the EEA, there may be a relevant international data transfer.
      • Intra-group transfers: multinationals may have branch offices, subsidiaries, or even their head offices, located in third countries. Personal data of employees, customers, and other data subjects are usually shared and transferred between these establishments, resulting in transfers to third countries from an EEA perspective.

    2. Wat are the key elements of the decision?

    • SCC still valid, but require checks and additional measures (prior due diligence and constant monitoring is required): SCCs remain valid for transferring personal data from the EEA to third countries, but only in accordance with prior verification, and constant monitoring which may lead to (emergency) suspension and termination obligations under the SCC if the third country does not provide a level of data protection (anymore) essentially equivalent to that guaranteed under the GDPR. Using SCCs will, therefore, require additional measures and upkeep, as the Court specifically emphasised that:
      • Organisations' duty to verify level of data protection: the organisation transferring personal data to a third country is required to verify – prior to any transfer – that the level of data protection required under EU law is respected in the third country concerned. This level of protection should also be monitored once the SCC have been concluded.
      • Supervisory authorities must act (stop or suspend transfers): supervisory authorities have a duty to act on a case-by-case basis and take appropriate actions, including suspending or prohibiting the data transfer, if it concludes that there is no adequate level of protection in the third country where the personal data are transferred to and the data exporter and importer have not implemented sufficient additional safeguards.
    • EU-US Privacy Shield declared invalid: the EU-US Privacy Shield has been declared invalid and can no longer be used for transferring personal data to the US. This is based on the view of the Court that US surveillance programs do not contain clear limitations and safeguards essentially equivalent to those required under EU law. The Court specifically found that the US surveillance programs do not indicate any limitations on the surveillance powers or the existence of guarantees for potentially targeted non-US persons. Moreover, US law does not grant data subjects actionable rights before the courts against the US authorities. The Ombudsperson created under the EU-US Privacy Shield does not qualify as such judicial protection, in view of its lack of independence and power to take binding decisions.

    3. Will supervisory authorities immediately take actions based on this decision of the Court?

    • Immediate effect/no grace period: the Court‘s decision has immediate effect, thus there is no grace period. See also the FAQ of the EDPB.
    • More detailed guidance by EDPB and local supervisory authorities expected: there have been initial statements by the European Data Protection Board, national supervisory authorities (see for an overview here and see for example the Berlin supervisory authority and the FAQ of German regional supervisory authority of Rhineland-Palatinate, as well as from other organisations, such as the European Commission (indicating, amongst other things, the swift finalisation of modernised SCCs) and US Department of Commerce (indicating that the decision of the Court does not relieve participants from their obligation under the EU-US Privacy Shield). The FAQ of the US Department of Commerce have emphasized this as well (see here). The European Data Protection Board has emphasised the importance of ensuring consistency and will provide clarifications and guidance of the use of data transfer instruments.
    • Duty to act: after the invalidation of Safe Harbor (the predecessor of the EU-US Privacy Shield) by the Court in its Schrems I decision in 2015, national supervisory authorities provided a transition period for organisations to transition their data transfers to a valid data transfer instrument. It remains to be seen whether there will be such transition period again, as the Court emphasised in its decision that supervisory authorities have a duty to act. Especially if there are complaints by data subjects, organisations should assume that the competent supervisory authority will investigate and take action, such as ordering the data transfer to be suspended or stopped and imposing substantial sanctions.

    4. What steps should my organisation take now?

    As the steps below will likely require substantial resources and time, it may be recommendable to take a risk-based approach, and assess and start with the most business critical, important or otherwise risky transfers of personal data from the EEA to third countries. In any case, we recommend taking the steps below. In this respect, it is good to keep in mind that it should not be a "paper exercise" only. All steps should be performed with due care and assessing all the obligations and risks involved, bearing in mind the accountability obligation of your organisation.

    1.         Identify international data transfers: map all (onward) transfers of personal data from the EEA to third countries, including access from such third countries to personal data in the EEA. You should also check transfers to subcontractors and other onward transfers. Your organisation’s internal register of processing activities, as required under article 30 GDPR, is a good starting point for this.

    2.         Check upon which data transfer instrument these data transfers rely: check on the basis of the relevant contracts and other documentation which data transfer instrument is being relied on to transfer personal data from the EEA to the destination third countries. This can be (a combination of), for example, the now invalidated EU-US Privacy Shield (for the US), SCCs (controller-processor or controller-controller version), BCR, adequacy decision of the European Commission (other than the Privacy Shield), or one of the derogations under article 49 GDPR (such as explicit consent of the data subject or transfers necessary for the performance of a contract with or in the interest of the data subject).

    3.         If it concerns a transfer to the US under the EU-US Privacy Shield:

    a.         Verify whether the transfer falls within the scope of the EU-US Privacy Shield registration of the US recipient and that only the EU-US Privacy Shield is used as data transfer instrument. The current registrations are still available here. It is important to note that the FAQ of the US Department of Commerce have clarified that the requirements for re-certification and applicable costs remain valid if an organisation continues to be registered under Privacy Shield.

    b.         Check whether the transfer is still necessary or can (cost effectively) be switched to an EEA-based provider.

    c.         If not, check whether the data transfer can be based on one of the derogations under article 49 GDPR. Please note that the European Data Protection Board has indicated in its guidance that these derogations may only be used in limited necessary cases for occasional and not repetitive transfers. Any (intra-group) outsourcing of processings do not qualify as such necessary transfers. This means that it will mostly not be possible to rely on these derogations. If your organisation still relies or intends to rely on one of these derogations, it should carefully document the legitimacy thereof.

    d.         If not, check whether the recipient qualifies either as controller or processor, and whether it is possible to transition to another data transfer instrument, such as the relevant SCCs. If so, amend the relevant contracts and documentation, including the internal register of processing activities. See also further below on the (verification and additional measures) actions in relation to SCCs.

    e.         If that is (also) not possible, the transfer/processing operation should be suspended/stopped and the agreement with the recipient terminated. The personal data will need to be returned by the data importer to the data exporter (or deleted). Check in such case whether you can recover costs from the other party.

    4.         Transfers to the US based on SCCs (also relevant for BCRs):

    a.         If the transfer is to the US, including if the processing in the EEA is linked to or uses a US recipient:

    i.          Check whether the transfer is still necessary or whether the processing can be switched to the EEA (cost effectively).

    ii.         If not, verify whether the US recipient falls under FISA 702/EO 12.333. It applies to electronic communication service providers, such as Amazon and Microsoft. It may be recommendable to check verify this with the US recipient.

    iii.         If yes, check whether in the individual case sufficient additional measures have been taken or can be taken to prevent mass surveillance by US authorities, together with the US recipient. These measures can be of contractual and technical nature, such as encryption in transit and rest, and obligations imposed on the EU subsidiary of the US recipient ensuring that there is no access possible by such US recipient to the personal data.

    iv.        If not, verify whether the US recipient has taken sufficient technical measures to prevent mass surveillance in transit, or have the US recipient implement such measures.

    v.         If all of the above is not possible, the transfer should be suspended/stopped, and the agreement, including SCC, terminated. The personal data will need to be returned by the data importer to the data exporter (or deleted). In any case, it is recommendable to check whether the costs thereof can be recovered.

    b.         If the transfer is to a third country other than the US:

    i.          Verify whether the level of protection in the destination country is essentially equivalent to that provided under EU law, together with the recipient if needed. Relevant elements for this assessment are factors such as whether the (mass) surveillance in the third country is limited to what is necessary and proportional based on clear and precise rules, there is an independent (judicial) oversight mechanism to the use of such powers, and all data subjects have effective (judicial) remedies available to them. If yes, these are equivalent safeguard, this assessment should be properly documented.

    ii.         If not, check whether additional measures should be taken in addition to the SCCs and, if so, implement such measures. These additional measures can range from additional contractual measures to technical measures, such as encryption in transit and rest, or moving the processing to the EEA. The additional measures should be properly documented, also in view of your accountability obligation. The FAQ of the European Data Protection Board have clarified that the measures to be taken should be assessed on a case-by-case basis.

    iii.         If additional measures are still insufficient, the transfer should be suspended/stopped, and the SCCs terminated. The personal data will need to be returned by the data importer to the data exporter (or deleted). In any case, it is recommendable to check whether the costs can be recovered from the other party.

    5.         Transfers based on adequacy decisions of the European Commission: keep monitoring the periodic evaluation and updates to these decisions by the European Commission. These instruments are still valid, and transfers based thereon are not unlawful, until the adequacy decision for a certain third country is retracted by the European Commission or invalidated by the Court.

    Keep in touch

    Do you have any questions about the transfer of personal data to third countries? Please contact Elisabeth Thole or Özer Zivali.

    Please note that this document is an updated version of our news alert of 22 July 2020, and may be updated based on expected guidance from the European Data Protection Board (EDPB) and other on-going developments.

    More about

    Elisabeth Thole

    Partner, Lawyer

    Elisabeth leads the Van Doorne Privacy Team. She is also a member of the Van Doorne Cyber Security Team.

    Özer Zivali

    Counsel, Lawyer

    Özer is a member of the Privacy Team and is specialized in privacy, data protection, data technologies and (cyber) security. He has extensive experience in effectively assisting multinationals in complex, high risk, and cross-border data related matters. This includes high impact data breaches, the development and implementation of innovative data technologies, enforcement by authorities and complex data sharing structures, and strategic advice on translating the requirements of the General Data Protection Regulation (GDPR) to the business needs of clients. Özer has also extensive experience in advising companies on other data protection related matters, such as negotiating data processing or other data protection related agreements, loyalty programs, profiling, compliance projects for customer and employee data, apps, web shops, and international transfers of personal data, including Binding Corporate Rules. Özer also has experience in IT contracting and outsourcing.

    Related articles

    All articles
  • Article

    Digital Markets Act needs to be stricter on Bigtech

    25 June 2021
    The proposed Digital Markets Act has elicited various reactions. "Friends of an effective Digital Markets Act" ask for stricter supervision of Bigtech. The European Competition Network (ECN) suggests that national competition authorities should play a role.
    Read more »
  • Article

    Risks for non-notifiable transactions: the European Commission extends its role

    23 June 2021
    Anyone who thinks that M&A transactions below the European and national merger control  thresholds fall outside the control of the competition authority could be in for an unpleasant surprise. Upon referral by the European Member States, even these transactions might be investigated by the European Commission. This particularly concerns transactions involving small, innovative companies with high competitive potential.
    Read more »
  • News

    New Standard Clauses for international data transfers: what you need to do

    16 June 2021
    Last update: 16 June 2021 Following the GDPR becoming applicable in May 2018 and the Court of Justice of the EU's ruling in Schrems II in July 2020, the long awaited new Standard Contractual Clauses (New SCCs) have finally been published. These New SCCs will come into effect on 27 June 2021. The prior SCCs were designed before the GDPR saw the light and, although they were upheld in the Schrems II case, the prior SCCs lacked in reliability and practicability. The New SCCs allow for more types of transfers of personal data using a modular approach, instead of the more rigid and limited scope of the prior SCCs.
    Read more »
  • Article

    Epic Games accuses Apple of abuse of dominance

    16 March 2021
    Epic Games (developer and owner of the online game 'Fortnite') has filed a complaint with the European Commission, concerning alleged abuse of dominance by Apple. This despite the fact that Epic Games has lost two drawn out procedures against Apple in the United States.
    Read more »
  • News

    Privacy in corona time

    25 March 2020
    Update 25 March This is an update of our article on the privacy aspects of the approach to the corona virus in connection with the publication of an update of the guidance issued by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), the European Data Protection Board (EDPB), and the more stringent measures in the fight against the corona virus announced by the Dutch government on 23 March 2020.
    Read more »
  • Article

    Privacy & Brexit: What privacy actions are needed?

    21 January 2020
    With its departure from the EU, the United Kingdom (England, Scotland, Wales and Northern Ireland) has become a 'third country' from a European privacy perspective. On 24 December 2020, the Brexit deal was concluded which has implications for the transfer and processing of personal data in the UK. Organisations that wish to (continue to) transfer or process personal data in the UK will need to conclude various privacy actions before 1 May 2021 (or 1 July 2021).
    Read more »
  • Article

    No convention: Recognition and enforcement of non-EU courts' judgements in the Netherlands

    20 June 2019
    Under Dutch law, enforcement of foreign judgements is only possible where a convention between the Netherlands and the foreign country provides for it or if the judgement was rendered by a court in a Member State of the EU. There are many countries which have no convention with the Netherlands on the enforcement and recognition of judgements, e.g. Japan, United States and Russia. 
    Read more »
  • Article

    Recognition and enforcement of non-EU courts' judgements in the Netherlands when there is a governing convention

    07 June 2019
    Under Dutch law, enforcement of foreign judgements is only possible where a convention between the Netherlands and the foreign country provides for it or if the judgement was rendered by a court in a Member State of the EU.  Otherwise, the claimant must relitigate his case in the Netherlands in order to obtain a binding and enforceable judgement. The present article creates an overview of the legal procedure of the recognition and enforcement of a judgement rendered outside the EU in case where there is a governing convention.
    Read more »