Countless businesses export data from the European Union to the United States. Does your human resources office have information on European employees? The sales department information on European clients? That is personal data. The question is whether data exports can continue in the wake of the Court of Justice of the European Union’s (CJEU) ruling in the “Schrems II” case.
In Schrems II, the CJEU held that standard contractual clauses (SCCs) were an acceptable data transfer mechanism – provided these came with “adequate safeguards.” As EU Data Protection Authorities (DPAs) release their interpretations, it becomes clear that adequate safeguards, like beauty, are in the eyes of the beholder. Thus, whether SCCs remain viable turns on the identity of the DPA. So much for a uniform EU-wide privacy regime.
DPAs have released widely divergent assessments in the wake of Schrems II. From an American perspective, these assessments can be classified into three broad categories. The good. The bad. And the ugly.
First, there is the good. These DPAs take the view that Schrems II has actually confirmed the legal validity of SCCs. Denmark’s Datatilsynet has stated that SCCs are “still valid,” generally. The European Data Protection Board (EDPB) cautiously noted that the CJEU judgment allowed SCC-enabled data transfers to proceed. France, Lithuania, Poland, Romania, Slovenia, and Spain took a similar view. The United Kingdom and Switzerland, non-EU members still affected by the ruling, were also optimistic.
Second, there is the bad. These are the DPAs that clearly disfavor EU data transfers to the United States, but stopped short of finding them categorically unlawful. These DPAs stress that SCCs must be used in combination with “adequate safeguards.” The assessment of the adequacy of these safeguards is the responsibility of the sending company. If the protection of personal data cannot be guaranteed, the transfer is unlawful.
For example, Germany’s Commissioner for Data Protection and Freedom of Information has observed that transferring data to the United States relying on SCCs is risky. Estonia takes a similar tack. Companies must undertake an assessment. If the protection of personal data cannot be guaranteed, the transfer is prohibited. The Rhineland-Palatinate DPA likewise emphasized the sending company’s due diligence obligations.
This view holds that SCC-based data transfers are problematic. Without alternative transfer instruments, such data transfers “are no longer possible.” So the Thuringia DPA considers it “unlikely” that SCCs can still be used to legally transfer data to the U.S. Perhaps the biggest surprise here is Ireland. The Irish Data Protection Commission stated that SCC transfer mechanisms are now “questionable.” The validity of each transfer must be determined “on a case by case basis.”
Third, there is the ugly. Some DPAs have suggested that data transfers to the United States are categorically unlawful if they hinge on SCCs. These include the Berlin and Netherlands DPAs. These DPAs have suggested that companies limit the data to the EU itself. Alternatively, the data should be sent to a third country with an adequacy determination. But transferring data to the United States stops just short of being verboten.
So what is the takeaway? The diverse array of responses suggests that not all DPAs are looking at Schrems II the same way. And the validity of SCC-enabled data transfers remains in doubt. The pivotal question is what “additional measures” – if any – enable SCCs to provide personal data the same protection as EU law. The EDPB and multiple DPAs, including Ireland, Denmark, Switzerland, Lithuania, Liechtenstein, France, the Netherlands, and Norway, have suggested that guidance will be forthcoming. The data processing world will be waiting.