A Practical Approach to Post-Schrems II Remediation of Cross-Border Data Transfers to the U.S. and Other “High Risk” Third Countries

Richard T. Horton
Associate Editor
Loyola University Chicago School of Law, LLM 2021

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its deafening decision that summarily and immediately invalidated the EU-US Privacy Shield. That regulatory program, established between the European Council and the U.S. Dept. of Commerce, allowed the personal data of EU residents to be transferred from the EU to the US without violating the data transfer restrictions of the General Data Protection Regulation (“GDPR”). The decision went on to cast serious doubt on the sufficiency of standard contractual clauses to adequately protect data transferred to any third country, not just the US. Several months later, data exporters in the EU are still sorting through the wreckage of their privacy programs and waiting for practical advice on the way forward.

Schrems II

The data privacy blogosphere is already chock full of practitioners dissecting the CJEU’s decision. In Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), the CJEU heard the case of an Austrian citizen who complained to the Irish Data Protection Commission that Facebook’s transfer of his personal data from Facebook Ireland Ltd. to Facebook headquarters in Silicon Valley, USA was unlawful. His argument was that, notwithstanding the data protection measures agreed to in the standard contractual clauses in place between the two legal entities, the protection afforded was still not “essentially equivalent” to the data protections provided in the EU.

While considering the complainant’s argument in light of the bombshell revelations of whistleblower Edward Snowden about the US intelligence community’s unchecked use of PRISM, the National Security Agency’s mass data collection and surreptitious surveillance system, the CJEU held that the US failed to offer enough protections to EU data subjects. Specifically, the court took issue with the lack of restraints in either the Foreign Intelligence Surveillance Act or the FISA Court’s supervision of the surveillance program. Further, the CJEU determined that the fatal error in the design of the EU-US Privacy Shield was that the appointed Ombudsman had neither sufficient independence nor sufficient authority to vindicate the rights of EU data subjects.

Once the CJEU dismantled the EU-US Privacy Shield with the stroke of a pen, it focused its attention on the standard contractual clauses utilized by Facebook. GDPR Article 46(2)(c) had presumably been intended to allow standard contractual clauses to stand on their own as a suitable mechanism for exporting personal data to third countries without an adequacy decision. However, the CJEU determined that in some circumstances, particularly those presented by US national security laws, the standard contractual clauses may not be enough on their own. The Court held that data transfers must be suspended or terminated where the standard contractual clauses are not, or cannot be, complied with due to the actions of the third country’s government, which is not a party to the agreement. It required that supplementary measures be implemented to strengthen the data protections to the level of EU law.

Post-Schrems II remediation

Before data exporters can begin to remediate their cross-border data transfer controls, they first must know what personal data is being collected, where it is being processed, and where it is being stored. The most efficient means of gathering this information is to leverage your data flow mappings and data inventory. If you don’t already have these controls in place, you will have to develop them from scratch. Larger data exporters should consider automating this process, at least in part. Data discovery tools can speed up the process of identifying and analyzing a large number of data stores across the organization’s assets, and they may allow for a leaner team, but they won’t be cheap.

Start by identifying all of your business processes, systems, tech products, applications, and tools that process personal data. It’s also important to understand where the data goes once it is collected from the data subject. Developing data flow maps that visually depict the movement of the data is best practice. Leverage any existing documentation that provides information about the data processing activity. This may include technical specifications created by the development team, privacy or security reviews, etc. These documents will supplement stakeholder interviews with the developers, product managers, business unit SMEs, business analysts, etc.

Depending on the volume of data processing activities, it may be necessary to break the work down into manageable pieces, starting with the highest risk activities. Develop a risk rating process and prioritize the activities appropriately. For example, you will want to address first the activities with the largest number of data subjects, the most sensitive personal data, the greatest number of transfers, etc. For this remediation, target only cross-border data transfers to third countries that lack an adequacy determination.
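As an added illustration, not part of the original post, the following Python script applies the prioritization criteria just described (number of data subjects, sensitivity, transfer volume, scoped to destinations without an adequacy decision) to a constructed data inventory. The adequacy list, the EEA list, and the scoring weights are placeholders chosen for illustration, not a legal determination.

```python
from dataclasses import dataclass
from math import log10

# Illustrative placeholders only: check the Commission's current adequacy
# decisions and the full EEA membership before relying on these sets.
ADEQUATE = {"CH", "JP", "NZ"}
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE"}

# Assumed weights: special category data (GDPR Art. 9) counts most.
SENSITIVITY_WEIGHT = {"ordinary": 1, "confidential": 2, "special_category": 4}


@dataclass(frozen=True)
class Transfer:
    process: str              # business process or system exporting the data
    destination: str          # country code of the data importer
    data_subjects: int        # approximate number of data subjects affected
    sensitivity: str          # key into SENSITIVITY_WEIGHT
    transfers_per_month: int  # volume of transfers
    safeguard: str            # Article 46 safeguard in place, e.g. "SCC", or "none"


def in_scope(t: Transfer) -> bool:
    """Only transfers to third countries lacking an adequacy decision need this remediation."""
    return t.destination not in EEA and t.destination not in ADEQUATE


def risk_score(t: Transfer) -> float:
    """Higher score = remediate first. Log scale keeps one huge system from
    drowning out a small transfer of highly sensitive data."""
    subjects = log10(max(t.data_subjects, 1))
    volume = log10(max(t.transfers_per_month, 1))
    score = subjects + volume + 2 * SENSITIVITY_WEIGHT[t.sensitivity]
    if t.safeguard == "none":
        score += 3  # no Article 46 safeguard at all: most urgent
    return round(score, 2)


def prioritize(inventory):
    """In-scope transfers, highest risk first."""
    return sorted((t for t in inventory if in_scope(t)), key=risk_score, reverse=True)


# Constructed sample inventory (not real data).
SAMPLE = [
    Transfer("crm-sync", "US", 2_000_000, "confidential", 300, "SCC"),
    Transfer("payroll", "CH", 5_000, "special_category", 12, "SCC"),
    Transfer("support-tickets", "IN", 50_000, "ordinary", 1_000, "none"),
    Transfer("hr-health", "US", 1_200, "special_category", 4, "SCC"),
    Transfer("analytics", "IE", 3_000_000, "ordinary", 30_000, "none"),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE):
        print(f"{risk_score(t):6.2f}  {t.process:16} -> {t.destination}")
```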

Data exporters must determine for themselves, with the assistance of the data importer, whether the domestic laws of the third country and the actions of its government prevent the transfer, even when Article 46 appropriate safeguards are utilized, from being “essentially equivalent” to the data protection offered under EU law. Schrems II is a very clear indication that the US, at least when it comes to communications data held by telecommunications companies, may not meet this standard.

If it is determined that a particular data transfer to a high risk third country may not meet the standard of “essentially equivalent,” then it must be determined whether supplementary measures can save it. If it is clear from the essentially equivalent analysis that under no circumstances can the data transfer be protected to the level of EU law, then data exporters must suspend or terminate the data transfer. Otherwise, the risk and compliance team should conduct the following risk assessment.

The next step is for your risk managers to determine whether the data transfer, as it is currently configured, sufficiently mitigates the inherent privacy risks. Conduct a gap analysis using your chosen data transfer risk and control framework. This assessment will include verifying that the organization has an approval process in place to review data transfers before they are transmitted, that the data transfers have an appropriate safeguard in place in compliance with Article 46(2), that the data transfer has undergone a privacy impact assessment, etc. These existing controls may be sufficient to adequately protect the personal data. However, if the risk analysis indicates that residual risk remains, whether from the nature of the data or from the circumstances of the data transfer in general, then it is necessary to consider the usefulness of supplementary measures.

Your risk practitioners should then evaluate whether some combination of contractual, technical, and organizational measures could save the high-risk data transfer; otherwise, it must be suspended or terminated. The goal here is to mitigate any residual risk that persists despite the existing safeguards. The focus of this risk analysis is likely on addressing the threat originating under the domestic laws or arising from the actions of the third country government that were identified in the essentially equivalent legal analysis. Thus, this evaluation will likely require input from both your risk and legal teams before the data transfer is approved.