This blog discusses the case known as Schrems II and provides practical advice to ADR Service Providers (ASPs) and ADR Neutrals about how to manage the fall-out.
Judgment was handed down by the Court of Justice of the European Union (CJEU) on 16 July 2020. We do not address the case in detail; that has been done to death by almost every law firm from here to eternity and a quick internet search for “Schrems II” will provide you with that. However, if you are not already Schremssed-Out this is one of the better appraisals:
Thanks to Ryan Blaney, Laura E Goldsmith and Jonathan Mollod from Proskauer’s Privacy and Cybersecurity Group.
Transferring personal data outside the European Economic Area (i.e. the Member States of the EU together with Iceland, Liechtenstein and Norway) (the EEA) was always a challenge in terms of assessing whether the destination country had an Adequacy Decision (easy because - not many!) or had an equivalent level of assurance as that available to citizens in the EEA and Switzerland. No jurisdiction is more challenging than the USA with 50 States, each with their own data privacy legislation and practices. The lack of any Federal legislation gave rise to the Safe Harbor device of data privacy assurance for Data Controllers in the EEA or Switzerland.
An earlier CJEU decision (Schrems I) declared the Safe Harbor unsafe and that was replaced on 1 August 2016 by the EU-US Privacy Shield (the Shield) after the European Commission found the Shield provided sufficient protection to allow personal data to be transferred to the United States. The Shield is a voluntary scheme of self-assessment said to meet the standards for data protection required by the GDPR.
Schrems II has declared the Shield insufficient for the purpose of meeting Data Controllers’ obligations under the GDPR and, thereby, the UK’s Data Protection Act, 2018.
Why does this matter to ASPs and ADR Neutrals? Because many ASPs and Neutrals rely on Microsoft, Google Cloud or Amazon Web Services to support their businesses. Those communication services providers (CSPs) each self-certified under the Shield.
Why is this? Because the CJEU made clear at paragraph 121 of its judgment that:
…unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses [Standard Contractual Clauses – SCCs] adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
Not much wriggle room there.
Are the SCCs dead? Not completely but no longer are they the reliable go to for international data transfers that they may have been in the past.
What have the Data Protection Authorities (DPAs) said about Schrems II?
U.S. Secretary of Commerce Wilbur Ross
Mr Ross was amongst the first to comment; issuing a statement the same day that the Schrems II judgment was released:
While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts. We have been and will remain in close contact with the European Commission and European Data Protection Board on this matter and hope to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments. Data flows are essential not just to tech companies—but to businesses of all sizes in every sector. As our economies continue their post-COVID-19 recovery, it is critical that companies—including the 5,300+ current Privacy Shield participants—be able to transfer data without interruption, consistent with the strong protections offered by Privacy Shield.
The USA was represented during the Schrems II hearings to explain US data protection laws. The Shield continues to be in force and nothing in Schrems II relieves certificated ASPs, their Neutrals or their Data Processors of their obligations under the Shield.
Republic of Ireland Data Protection Commission (DPC)
The DPC instituted the proceedings leading to the CJEU’s judgment. In response the DPC issued a statement that said this, amongst other things:
…the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.
“Case by case” will be a very time consuming process and one which, under the GDPR, needs a policy to govern the assessment and a paper audit trail.
UK Information Commissioner:
“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.” [17 July]
Later the same day the ICO published a harder line, on its page dealing with international transfers:
If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period. [17 July]
The Berlin Commissioner for Data Protection and Freedom of Information
The Commissioner was forthright in her statement:
“The Berlin Commissioner […] therefore calls on all those responsible under her supervision to observe the CJEU's decision. ….[those using] Cloud services that transfer personal data to the US, are now encouraged to immediately change service providers in the European Union or in a country with an adequate level of data protection.” [17 July]
The European Data Protection Board (EDPB) Issued a set of FAQs on 24 July including this question:
4) I was transferring data to a U.S. data importer adherent to the Privacy Shield, what should I do now?
Transfers on the basis of this legal framework are illegal. Should you wish to keep on transferring data to the U.S., you would need to check whether you can do so under the conditions laid down below.
What should Administered Schemes using, for example, Microsoft 365 to manage confidential personal data and/or special category data such as medical records? We suggest a possible Post Schrems II Plan for Data Privacy looks like this:
- Review your data privacy and cyber-security policies and practices together with your contracts with your Data Processors. Where possible migrate to a bespoke ADR Platform which has servers hosted at data centres located in the EEA. This would seem to be the only Safe Harbor for the moment.
- Turn Schrems II into a positive for your business. Instead of arranging mediations relying on 20th century systems based on email and the telephone take this moment to fully integrate your case management system by choosing a provider that can arrange mediations via a Cloud based diary management system. Full integration of an ADR management in this way enables the redeployment of Staff working on diary management to more useful tasks with greater productivity i.e. greater profitability.
- Abandon any reliance on the Standard Contractual Clauses (SCCs) especially if you are an ASP storing data on the Microsoft servers hosted at data centres in Dublin.
- Instead consider using the derogations from Article 44 of the GDPR which are already available within the GDPR. However, the use of the derogations based on consent, performance of a contract and public interest have all been the subject of concerns raised by the EDPB which are helpfully repeated in their recent FAQs, see above. In DEF’s view the use of derogation (e) in Article 49 is the one upon which ASPs and Neutrals may wish to rely: the transfer is necessary for the establishment, exercise or defence of legal claims. One approach is set out in the DEF User Terms which are here: https://oneplatform.disputesefiling.com/downloads/one-platform-user-terms.pdf
Schrems II presents a challenge to all ADR Neutrals and ASPs but with quick action it need not interrupt business for long.