17/07-2020

CJEU clarifies what applies when transferring personal data to the USA - Initial Comments

On 16 July, the Court of Justice of the European Union (”CJEU”) issued its judgment in the so-called Schrems II-case (C-311/18). Summary of the Judgment:
  • “Privacy Shield” (a mechanism that many data controllers use as a safeguard when transferring personal data to the USA) has been invalidated.
  • The EU Commission’s Standard Contractual Clauses (“SCC”) are still valid as an appropriate safeguard for transferring personal data to a third country.
  • The EU’s privacy and data protection requirements cannot be fulfilled under US law.
  • Indirectly, the judgment confirms that US cloud service providers’ processing of personal data may mean that such providers are not able to provide sufficient guarantees for compliance with the GDPR.
Consequences:
  • Transfers of personal data based on Privacy Shield need to be based on a different safeguard or cease.
  • Transfers of personal data to the USA based on SCC need to be carefully analysed to ensure that they in practice provide adequate protection for data subjects; alternatively, such transfers should be based on a different safeguard.
  • The use of cloud services provided by US providers will also continue to require thorough analysis and risk assessment as well as correctly drafted contracts. For some types of processing of personal data, these cloud services will not be able to be used in accordance with the GDPR.
  • The CJEU’s clarification that US law prevents US companies (and their subsidiaries) from processing personal data in a sufficiently secure way, because they must allow US authorities access to the data, ought to be taken into account in information security assessments even regarding other data, such as government data and data that is subject to bank or insurance secrecy.
What happens now?
  • The first thing a company, organisation or public authority ought to do is to make an inventory of the transfers of personal data (or other confidential information) to the USA that occur and the legal basis for such transfer.
  • In cases where the basis for the transfer is Privacy Shield, another safeguard must be applied or the transfer needs to cease. If SCC is the applied safeguard, these transfers need to be analysed; for example, it must be possible to immediately terminate the processing if the protection of the data subjects is not maintained. It is good to be aware that transfers to the USA can take place via cloud service providers or subcontractors, as well as when processing data that is otherwise stored within the EU.
  • If possible, data should be stored within the EU and any processing outside of the EU should be limited to when absolutely necessary. A common misunderstanding is that the risks in relation to US cloud service providers are completely eliminated through the use of data centres within the EU. In practice, the location of data centres is not decisive, as US cloud service providers are in some circumstances required to disclose customer data (including personal data) regardless of the data’s geographical location, consequently transferring the data to the USA.
  • A thorough analysis of alternative safeguards for transfers to the USA needs to be carried out. Contracts with US cloud service providers and other recipients of personal data also ought to be reviewed and assessed in the light of the CJEU’s ruling. The requirement for sufficient guarantees in data processing agreements is a relative requirement: certain processing may be lawful under certain contractual terms, whereas other processing under the same conditions may constitute a violation of the GDPR.