This blog discusses the case known as Schrems II and provides practical advice to ADR Service Providers (ASPs) and ADR Neutrals about how to manage the fallout.
Judgment was handed down by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Case C-311/18). We do not address the case in detail; that has been done to death by almost every law firm from here to eternity, and a quick internet search for “Schrems II” will provide you with that. However, if you are not already Schremssed-Out, this is one of the better appraisals:
Thank you to Alexander May of Hill Dickinson LLP.
Transferring personal data outside the EEA and Switzerland has always been a challenge: the exporter must establish either that the destination country benefits from a Commission Adequacy Decision (a quick check, because there are not many) or that the data will receive a level of protection essentially equivalent to that available to citizens in the EEA and Switzerland. No jurisdiction is more challenging than the USA, which has 50 States each with their own data privacy legislation and practices. The absence of any comprehensive Federal privacy legislation gave rise to the Safe Harbor arrangement as the device by which Data Controllers in the EEA or Switzerland obtained data privacy assurance.
An earlier CJEU decision (Schrems I, October 2015) declared Safe Harbor invalid. It was replaced on 1 August 2016 by the EU-US Privacy Shield (the Shield) after the European Commission found that the Shield provided sufficient protection to allow personal data to be transferred to the United States. The Shield is a voluntary scheme under which US organisations self-certify that they meet the standards for data protection required by the GDPR.
Schrems II has declared the Shield insufficient for the purpose of meeting Data Controllers’ obligations under the GDPR and, thereby, the UK’s Data Protection Act 2018: the Commission’s adequacy decision for the Shield is invalid with immediate effect, and the Court allowed no grace period.
Why does this matter to ASPs and ADR Neutrals? Because many ASPs and Neutrals rely on Microsoft, Google Cloud or Amazon Web Services to support their businesses. Those cloud service providers (CSPs) each self-certified under the Shield. Schrems II is yet another reason to avoid US-based CSPs at all costs. We addressed the insecure nature of those providers in our blogs on the Microsoft licensing agreement and the CLOUD Act. Schrems II is the final straw in terms of whether the use of such CSPs is compliant.
Why is this? Because the CJEU made clear at paragraph 121 of its judgment that:
…unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
Not much wriggle room there.
Are the Standard Contractual Clauses (SCCs) dead? Not completely, but they are no longer the reliable go-to for international data transfers that they may have been in the past. The Court upheld the SCC decision itself, but made clear that before transferring, the exporter must assess whether the law of the destination country actually allows the importer to comply with the clauses and, where it does not, must either adopt supplementary measures that close the gap or not transfer at all.
What have the Data Protection Authorities (DPAs) said about Schrems II?
Republic of Ireland Data Protection Commission (DPC)
The DPC instituted the proceedings leading to the CJEU’s judgment. In response it issued a statement that said this, amongst other things:
…the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.
“Case by case” will be a very time-consuming process and one which, under the GDPR’s accountability principle, needs a documented policy to govern each assessment and a paper audit trail showing that the assessment was carried out before the transfer took place.
UK Information Commissioner
“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.” [17 July]
Later the same day the ICO published a harder line, on its page dealing with international transfers:
If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period. [17 July]
The Berlin Commissioner for Data Protection and Freedom of Information
The Commissioner was forthright in her statement:
“The Berlin Commissioner […] therefore calls on all those responsible under her supervision to observe the CJEU’s decision. ….[those using] Cloud services that transfer personal data to the US, are now encouraged to immediately change service providers in the European Union or in a country with an adequate level of data protection.” [17 July]
The European Data Protection Board (EDPB)
The EDPB issued a set of FAQs on 24 July, including this question:
4) I was transferring data to a U.S. data importer adherent to the Privacy Shield, what should I do now?
Transfers on the basis of this legal framework are illegal. Should you wish to keep on transferring data to the U.S., you would need to check whether you can do so under the conditions laid down below.
What would we do if we were an Administered Scheme using, for example, Microsoft 365 to run our ADR business and/or for managing personal data and/or special category data? As you would expect, we have a Post Schrems II Plan for Data Privacy:
- Migrate to a bespoke ADR Platform i.e. DEF (the only bespoke Platform for ASPs which has servers hosted at data centres located in England).
- Turn Schrems II into a positive for your business. Instead of relying on 20th-century systems based on email and the telephone, take this moment to fully integrate DEF by including our Neutral diary management function.
- Full integration of DEF enables the redeployment of Staff working on diary management to more useful tasks with greater productivity i.e. greater profitability.
- Abandon any reliance on the Standard Contractual Clauses (SCCs), especially if you are an ASP storing data held on the Microsoft servers hosted at data centres in Dublin. The physical location of the servers does not remove the US parent company’s ability to access the data, which is the point we made in our CLOUD Act blog.
- We recommend turning to the derogations from Article 44 which are already available within the GDPR, in Article 49. Whilst the DEF User Terms have incorporated the Shield and the SCCs, we also rely on the Article 49 derogations. The derogations based on consent, performance of a contract and public interest have all been the subject of concerns raised by the EDPB, which are helpfully repeated in the FAQs. In DEF’s view, derogation (e) in Article 49(1) is the one upon which ASPs and Neutrals should place reliance: the transfer is necessary for the establishment, exercise or defence of legal claims. Bear in mind that the EDPB reads Article 49 restrictively, as applying to occasional rather than routine transfers, so (e) supports transfers tied to a particular dispute, not bulk hosting of all case data in the USA as a matter of course. You can read how we use the derogations in our User Terms, which are here: https://oneplatform.disputesefiling.com/downloads/one-platform-user-terms.pdf
- Switch to hosting data in England immediately, for example at Pulsant Tier 3 data centres. Unlike many other Tier 3 data centres, Pulsant data centres are, if you like, Tier 3+. Note that the Tier rating is an availability classification (a Tier 3 facility is concurrently maintainable), not a data protection standard; what matters for Schrems II is the jurisdiction of the hosting provider and of the data centres themselves. DEF always has and always will host only at English data centres, see our data security statement here: https://www.disputesefiling.com/data-security.php
Other serious challenges remain, for example the Mutual Legal Assistance Treaty (MLAT) that the USA and the UK recently signed. DEF’s recommendations about the effect of the MLAT will be the subject of next week’s Cyber-Hygiene Update.
For further information or to request support to make the switch to DEF, please contact DEF directly.