Schrems II: What Does it Mean for EU Data Processors?
The Schrems 2 case has been long running and much discussed, and its ultimate findings, while still being digested, will have a significant impact on some data processors.
The case was originally taken by Austrian privacy activist Max Schrems, who objected to the transfer of his personal data to the US by Facebook. Why did he bring the case, and what does the final ruling mean for EU data processors?
Background
EU law requires that transfers of personal data outside of the EU have a proper legal basis. There are a number of permitted bases for transfers, the most powerful one being a designation of adequacy for a third country by the European Commission. Adequacy essentially means that data subjects will have similar protections and rights with regard to their personal information in the receiving country as they do in the EU.
The US does not have federal data protection laws that provide such rights and so has not been deemed adequate. However, a US-EU approved scheme called 'Privacy Shield', established in 2016, allowed individual companies to sign up to a commitment to provide those rights, and under this arrangement data could be transferred.
Schrems was sceptical of the Privacy Shield arrangement as it lacked regulation and independent oversight on the US side, and because other US laws allowed access to the data by third parties (e.g. national security agencies) regardless of it. Schrems presumably chose Facebook as the prima facie target of his case due to its high public profile, but he could as easily have chosen any number of similar large US tech service providers.
Standard Contractual Clauses
During the case Facebook, perhaps seeing the writing on the wall, changed the legal basis under which it transferred data to the use of 'Standard Contractual Clauses' (SCCs). These are standard clauses approved by the EU that can be added to legal contracts. Essentially, where the necessary rights and privileges for data subjects are not enforced in the national laws of a third country, they are established in the governing contract instead. As long as contract law is respected and upheld in the third country, the service provider is bound to provide the appropriate protections.
Schrems modified his case in response, challenging the legitimacy of both the Privacy Shield arrangement and the use of SCCs. He argued that because US national security laws allowed government agencies to access data secretly at any time, neither arrangement provided the appropriate level of protection.
The Ruling
The ruling by the CJEU was widely expected but still significant. Privacy Shield was invalidated with immediate effect and is no longer an accepted legal basis for data transfers to the US. The court upheld the validity of SCCs - with a big caveat. SCCs are only valid if the laws of the country they are used with are 'not in contradiction with the standard contractual clauses'. In some non-EU countries, like the US and the UK, national laws enable data processors to disclose personal data to public authorities, who will not themselves be bound by the SCCs. Indeed, it was pointed out during the case that US law allows the NSA to intercept data from transatlantic data cables before it even arrives at the designated recipient.
The CJEU ruling didn't invalidate SCCs wholesale, but it did remind Supervisory Authorities, including Ireland's Data Protection Commissioner, that they have the power to suspend SCCs where they believe them to be insufficient to safeguard data subjects' rights. We can now expect another round of legal action in Irish courts seeking the suspension of SCCs used to legitimise transfers of personal data to the US and elsewhere.
What about US providers processing data within the EU?
Many US tech service providers have thus far avoided involvement in this ongoing debate by simply leaving the data in Europe. Microsoft, AWS, Sungard and many other US-owned operators of large commercial data processing operations have established data centres across the EU, allowing them to service EU customers without ever needing to transfer data to the US.
At least three separate data centres are typically required for such operations. Most installations will be linked to a replicated 'failover' data centre. If the main data centre goes down for any reason, the operator can switch to the failover centre, maintaining services while the main centre is restored. At the same time, it will typically begin replicating data from the failover centre to a third centre, in case the failover centre also goes down. Some operators only have one or two data centres in the EU, with the failover or secondary failover located in the US.
The FAQ published by the EU Data Protection Board following the ruling states that controllers need to be sure that processors will not transfer data to America: "Data should not only be stored but also administered elsewhere than in the U.S." Operators not intending to transfer data out of the EU will need to ensure that data is not replicated to the US under any circumstances, and contracts with these service providers will need to include clauses stating that data cannot be transferred. Max Schrems himself says the same and has made available an additional questionnaire he recommends controllers ask US-linked service providers to fill out.
Can the US government access data in the EU?
The default legal position is that foreign governments have no jurisdiction over data stored in the EU and cannot simply seize it or demand access. Where there is a legal case or other established justification for access to the data, authorities should use a Mutual Legal Assistance Treaty (MLAT). Instead of making an order to a service provider to produce data held abroad, the court should make a request to its counterpart in the relevant country, which would issue a local court order to obtain the data and then pass it over.
Frustrated by the limitations of the MLAT system, in March 2018 the US introduced the 'Clarifying Lawful Overseas Use of Data' (CLOUD) Act, which allowed it to order firms to hand over data held overseas without use of MLATs.
Technically this means that tech firms like Microsoft are required to hand over whatever data the US government asks for, no matter who owns it, where it originated or where it is stored.
The US CLOUD Act has limitations. It is relevant only to the data of individual named customers or subscribers, not wholesale access to all data. It also includes mechanisms by which companies in receipt of a data seizure order can challenge it if they believe the order violates the privacy rights of the foreign country the data is stored in. This would certainly be the case if data was requested from the EU. I can't find any instance of the CLOUD Act being used to access EU data since March 2018, before the GDPR came into effect, but that doesn't mean it hasn't been.
Regardless of motive, any processor transferring data out of the EU without the proper legal basis and protections would be in breach of data protection laws such as the GDPR. This applies to companies compelled to provide data by foreign authorities just the same as it would apply to those who might transfer data for profit. No doubt companies in receipt of such orders would be between a rock and a hard place. If they don't comply with the order they can be sanctioned by their local authorities, but if they do they can be sanctioned by EU authorities.
Schrems 2 has not changed this in any way. It remains possible that US authorities can compel US-owned service providers to give them access to EU data, but the consequences of this are potentially severe for the operators, meaning that this should remain a last resort limited to specific and serious purposes.
Those using EU-based services provided by US-owned companies for hosting should continue to take all of the normal precautions they would take to avoid a data breach by hackers, rogue staff, accident etc., i.e. organisational and technical measures including security, encryption, access control, monitoring, maintenance of systems, training of staff, establishment of sound policies and procedures, and so on. Even if the US authorities are granted access to systems or copies of data, good encryption and other controls can limit the risk of breach.
Conclusion
Schrems 2 is a big deal. It invalidated Privacy Shield, meaning that the only remaining legal basis for wholesale data transfers to the US is SCCs. It also set the clock running on the blanket validity of SCCs as a basis for transfers to the US. Other legal bases, such as consent or legitimate interest, would only apply in very limited circumstances.
Many popular global services, like SurveyMonkey, are US-based and don't have established data centres in the EU that can keep the data of EU residents separate. Many more specialist commercial vendors of cloud-based SaaS services are in a similar situation, but would struggle to resource the establishment of EU centres. For these service providers, Schrems 2 has cast a shadow over their ability to provide services to EU customers in future.
The GDPR and EU data protection regulation are risk based, and there is potentially some leeway where data being transferred is at very low risk of being requested by the NSA. This concept might mean individual challenges will be required to specific SCC uses rather than to a whole country. At the moment things are unclear, but if you are using US-based service providers there is no doubt that you should be actively preparing for what may come.
John Thompson is a Managing Partner with Client Solutions Business Intelligence and Analytics Division. His primary focus for the past 16 years has been the effective design, management and optimal utilisation of large analytic data systems.