Relax, After GDPR’s Schrems II, Some Companies Transferring Personal Data from the EU to the US May Actually Have Fewer Challenges Than You Thought

Richard Horton
Associate Editor
Loyola University Chicago School of Law, LLM 2021

On December 12, 2020, the European Commission (the “EC”) issued a highly anticipated draft of newly revised standard contractual clauses (“new SCCs”) that may be used by European Union-based companies to safeguard transfers of personal data to third countries, such as the US, in compliance with GDPR Art. 46(1). The release comes at a decidedly inopportune time, as it follows on the heels of the Court of Justice of the European Union’s (CJEU) Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”) decision, which casts serious doubt on the adequacy of SCCs alone to safeguard against the “high-risks” involved in EU to US data transfers. And for many data protection experts, the language of the revised SCCs only adds to the confusion, raising even more questions. But one question in particular seems to be prominent among the others: for transfers to importers directly subject to GDPR, are SCCs really necessary?

The prevailing question on the scope of Art. 46(1)

Since its release, the draft of the new SCCs has been subject to public comment from the privacy and data protection world, allowing corporations, advocates, attorneys, practitioners, academics, policy experts, and regulators to officially have their say. The step is required under EU law before the new SCCs can be finalized and adopted by the EC.

By the close of the less than 30-day comment period, the EC had received nearly 150 comments on its website. The comments reflect a wide variety of concerns, ranging from the trivial (“we strongly suggest that they should be [re-]named ‘[s]tandard data protection clauses’”) to the more thoughtful and substantive (“there is an effort to fill the gaps in the GDPR and to comply with the Schrems II judgement, but the new SCCs overshoot the mark and disproportionately complicate the transfer…”).

Also weighing in on the new SCCs are the influential data protection authorities, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), with their joint opinion published on January 15, 2021 (“Joint Opinion”). The Joint Opinion outlined a number of critiques of the new SCCs and the accompanying Implementing Decision and provided recommendations for revisions, pursuant to their responsibility to provide feedback under EUDPR.

Although framed differently, ICANN, Noyb, EDPB/EDPS, and several other commenters all seem to raise a single common question. Essentially, they ask whether the appropriate safeguards of GDPR Art. 46 are even necessary for data transfers to importers in third countries that are already subject to GDPR. Commenters point to the language of Art. 1(1) of the EC’s Implementing Decision, which formally adopts the new SCCs. The provision seems to imply this position by stating “[t]he standard contractual clauses set out in the Annex are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 2016/679 for the transfer of personal data from a controller or processor subject to Regulation (EU) 2016/679 (data exporter) to a controller or (sub-) processor not subject to Regulation (EU) 2016/679 (data importer).”

The widely accepted interpretation of GDPR Art. 46 has been that all data transfers to an importer established in a third country without an adequacy decision are subject to the mandatory safeguards. For example, when Company A, a controller-exporter based in the EU, transfers data to Company B, a processor-importer based in the US, Company A must implement appropriate safeguards such as SCCs, binding corporate rules, a code of conduct, or an approved certification program. However, if the EC’s legislative intent was to exclude Company B from these burdensome requirements when Company B is directly subject to GDPR, then a large number of data transfers may now be completed with far fewer compliance challenges. Thus, for purposes of the Art. 46 requirements, entities that are subject to GDPR may be considered “exempt” regardless of their third country location.

How might Company B be directly subject to GDPR? Art. 3(2) provides that GDPR has extraterritorial application to controllers and processors established outside of the EU only where the particular data processing activity “targets” individuals in the EU. Because a large percentage of data processing activities that involve EU residents’ personal data are in some way directed towards EU residents, this exception could affect a substantial percentage of the total number of third country data transfers.

The EDPB and EDPS, as proponents of greater privacy protections, called out the shocking implication, but also gratuitously provided the EC with a safe route for walking it back. The Joint Opinion asks the EC if it merely intended the provision to define the scope of the SCCs themselves, or whether it was, in fact, intended more broadly to define the scope of “the notion of transfers” in general. The implications of the latter would undoubtedly be tremendous.

The case for excluding importers directly subject to GDPR from Art. 46(1)

Until the EC decides to address this particular question and provide a definitive answer, the privacy and data protection world must attempt to answer this question for itself. Clearly, it’s easy to avoid the risks and assume that the statement did not mean what it seems to mean. The safest route forward is to continue to implement Art. 46 safeguards for all third country data transfers. But for those transfers where the safeguards present a hurdle that is far too great to overcome, companies must at least consider whether this interpretation is reasonable and if it can be substantiated.

Recital 108 of GDPR provides that measures to compensate for the lack of data protection in a third country should be determined with the goal of compliance with the data protection requirements, and rights of data subjects, in the EU. Further, the CJEU requires that third country data protection standards be “essentially equivalent” to those of EU law to support a finding that an EC adequacy decision is valid. Thus, the safeguards enumerated in Art. 46 and the adequacy decisions of Art. 45 essentially function as means to subject third country-based importers to the same data protection requirements imposed on controllers and processors under GDPR. Therefore, it may be reasonably argued that data transfers to US importers directly subject to GDPR can justifiably be excluded from the additional safeguards required under Art. 46(1).