July 19th, 2021 | Mark Sward, Vice President and Global Head of Privacy
What’s Next for Transatlantic Data Transfers?
It was déjà vu. In July of 2020, the European Court of Justice (ECJ) issued a decision popularly known as “Schrems II”, which struck down the EU-US Privacy Shield framework as a mechanism for transfers of data from the European Union to the United States, and with it threw into question the legality of countless data transfers happening every minute. All this was due to concerns about US government interference in Europeans’ private lives. This decision came just shy of five years after the same court killed the 15-year-old Safe Harbor program, which had helped safeguard transfers of data from Europe to the US since 2000.
But what does this really mean? Is it the end of the free flow of data between Europe and organizations in the United States? Or will this decision usher in a new era of better safeguards for personal privacy? Let’s start by backing up a bit and explaining what these transfer rules are all about.
What is a Transfer Mechanism?
The European Union’s General Data Protection Regulation (GDPR), and European privacy laws that preceded it, ban transfers of personal data (which is any information about an identifiable individual) outside of the European Union unless certain conditions are met. There are a few mechanisms (called “adequate safeguards”) that allow for recurring transfers (like transfers of data between a company in Europe and a cloud provider elsewhere), and a number of exceptions (or “derogations”) for one-off transfers (like transfers of data about a tourist’s health emergency from a hospital in Europe to the tourist’s primary care doctor in her home country). For the purposes of this post, we’ll focus on recurring transfers and the mechanisms that allow them.
The point of a transfer mechanism is to ensure that data will be protected to a European standard when it gets to its destination outside of Europe. This helps ensure that European companies cannot avoid their obligations under privacy laws simply by transferring data overseas, and that Europeans can exercise their privacy rights and remedies against foreign companies that process their personal data.
The most common mechanisms for recurring transfers of data are:
- Adequacy decisions by the European Commission (or EC, the EU’s central government), which declare a particular jurisdiction, or a sector within that jurisdiction, as providing an adequate level of protection for personal data. This essentially opens the doors to free flows of data between the EU and those countries. Unfortunately, the list is short. It currently includes Canada, New Zealand, Argentina, Israel, Japan and Uruguay, as well as a number of jurisdictions in Europe — like Switzerland, the Channel Islands, and Andorra — which are not EU members but which have nearly identical privacy laws to the EU. The United States does not benefit from an adequacy decision since the Privacy Shield was struck down by the Schrems II decision.
- Binding corporate rules (BCRs), which are governance documents put in place by a multinational corporate group to govern transfers of data between the members of the group. These are complex and expensive to obtain, so only a handful of organizations have them (Sterling’s application is pending at the time of publication).
- And standard contractual clauses (SCCs), which are fixed, non-negotiable contract clauses issued by the EC which can be signed between data exporters in Europe and data importers elsewhere to guarantee protections and individual rights when data leaves the EU. As essentially any two parties can sign the clauses with little difficulty, these tend to be the most popular mechanism for data transfers.
What Happened with the Schrems II Decision?
Schrems II — named for one of the litigants, Austrian lawyer and privacy advocate Max Schrems — was a decision of the ECJ which not only struck down the Privacy Shield adequacy decision due to the court’s perception that the Privacy Shield left too much room for the US government to snoop on European data, but also added new burdens to organizations relying on SCCs and BCRs.
Following this decision, all organizations which were self-certified to the Privacy Shield framework (including Sterling and many of our clients) had to either stop transferring data from Europe to the United States (an all but impossible task for most companies), or replace the Privacy Shield with the SCCs. While it is simple enough to sign some intercompany contracts and update client data processing agreements, the ECJ added a twist: while it did not rule that the SCCs were invalid, it ruled that any organization relying on the SCCs for data transfers would need to conduct an assessment to determine whether the SCCs could provide adequate protection, and potentially put in place additional safeguards to that end.
Since the decision was released, European privacy regulators have produced some guidance documents to help organizations comply with these new requirements, but the guidance is limited and inconsistent. It ranges from specific recommendations for how to protect data going abroad (for example, encrypt it so it is totally unreadable to anyone outside Europe, as suggested by the European Data Protection Board) to simply saying that transfers of data to the US are no longer permitted (as mandated by some German state-level regulators).
What are Companies Doing Now?
The practical impact of the Schrems II decision is that companies need to do a lot more paperwork when transferring data to the United States and must bear additional risk that a regulator could deem those transfers to be unlawful. Organizations that transfer European data outside Europe — especially to the United States — must review their intra-group and third-party data flows, establish which mechanisms apply to transfers of data outside Europe, and then assess those mechanisms to decide whether additional safeguards are needed. Then, organizations must implement those additional safeguards, which may include beefing up encryption protocols, moving control of encryption keys to Europe, setting up transparency reports to show whether and how frequently government bodies ask for data, and promising compensation in case a European resident’s privacy is ever compromised by an inappropriate intrusion by a foreign government. So far, these efforts have not been tested or evaluated by regulators, so it’s anyone’s guess which activities will pass muster and which will be criticized or rejected outright.
What Does the Future Hold?
As organizations undertake the necessary updates to their compliance programs to ensure cross-border data transfers meet the new standards, they must also think strategically. Does it make sense to transfer data abroad if it creates such burdens and risks? Should we just give up on data transfers altogether and set up all our infrastructure in Europe? How can an integrated global enterprise function if data must be segmented, especially as more countries put in place data localization rules? Will the US finally put in place strong, comprehensive privacy laws to ensure personal data coming from Europe (and, for that matter, personal data of Americans) is protected from undue government snooping? It’s very difficult to say with any amount of certainty.
For an organization that operates both in Europe and abroad, it’s worth giving it some serious thought. A long-term data strategy to account for shifting requirements from Europe might include: multi-country cloud architecture, which duplicates infrastructure in Europe and in other countries to ensure data transfers can be switched on and off with (relative) ease; careful selection of recipient countries (both for storage and for remote access) based on the legal framework and government track record of (not) snooping on foreign data; strong public promises to resist excessive government requests for data and compensate individuals when data is disclosed; and support for efforts to beef up privacy laws in countries like the US which have lagged behind the standard set by Europe.
With some coordinated effort and good luck, we may just see a more stable framework for transfers of data from Europe to major technology hubs around the world, including the United States. In the meantime, business and information cannot stop moving, so organizations must work together and do the best we can to stay on top of rapidly shifting requirements.
This blog post is part of a Compliance blog series, diving into compliance trends, best practices, and updates.
This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.