1. Schrems II requires parties relying on the SCCs to implement additional measures ensuring that transferred personal data is adequately protected.
The Schrems II decision did not affirmatively invalidate the SCCs, but also made clear that the SCCs alone, without additional measures, often do not sufficiently protect transferred personal data. The Court of Justice of the European Union (“CJEU”) noted that “depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller” may be necessary “in order to ensure compliance with” the level of protection required under the laws of the European Union (“E.U.”). The decision notes that the GDPR “states that ‘the possibility for the controller… to use standard data-protection clauses adopted by the Commission… should [not] prevent [it]… from adding other clauses or additional safeguards’ and states, in particular, that the controller ‘should be encouraged to provide additional safeguards… that supplement’” the SCCs.
2. European Regulatory Guidance
Many European Data Protection Authorities (“DPAs”), such as those in France and Spain, have acknowledged the Schrems II decision, but offered little substantive guidance regarding what parties should do to protect transferred personal data. Other DPAs, such as Norway’s DPA, have suggested that organizations should stop transferring personal data until DPAs can identify adequate safeguards. The Berlin DPA has taken an even more extreme view in that it has interpreted the Schrems II ruling to mean that no data may be transferred to the U.S., even using SCCs that include additional safeguards. Similarly, proceedings in Ireland could lead to a prohibition on data transfers from Ireland to the U.S.
In September 2020, the Baden-Württemberg, Germany DPA proposed edits to the SCCs that increase data exporter obligations with respect to law enforcement requests for personal data. The draft included revised SCCs that require the data importer to inform both the data exporter and the data subject (if feasible) of a request. Moreover, the draft rules would require data importers to take legal action against responding to surveillance requests, but the draft SCCs would allow data importers to disclose personal data pursuant to a legally binding order. Therefore, although those draft rules set forth some of the most restrictive of proposed safeguards following Schrems II, the proposal does not create an affirmative requirement to obtain data exporter consent for personal data disclosures to law enforcement.
3. The U.S. Department of Commerce
On September 28, the Department of Commerce released a white paper outlining privacy safeguards regulating and establishing oversight of U.S. intelligence agencies’ use of personal data. The white paper does not bear directly on whether law enforcement agencies will treat personal data differently if the personal data has been transferred from the E.U. to the U.S. However, the white paper emphasizes that US intelligence agencies share personal information with E.U. Member States, including information relating to foreign operatives, suggesting that the agencies remain committed to collecting the personal data of E.U. citizens, even after the Schrems II decision.
The white paper also states that companies transferring personal data to the E.U. under the SCCs may argue that US law, at least in 2020, satisfies many of the CJEU’s concerns. The Schrems II court evaluated an E.U. Commission decision from 2016 that described U.S. law as in force at that time, instead of evaluating current U.S. law. The white paper therefore points out that the Schrems II court did not consider several safeguards privacy safeguards currently in place with respect to FISA 702 requests and US government access to personal data under 12333.
As such, the white paper suggests that companies may argue that transferring personal data from the E.U. to the U.S. under the SCCs may be permissible following Schrems II. Since that decision did not consider many US privacy safeguards, data transfer to the US under the SCCs should not require as many additional safeguards to ensure adequate protections as the CJEU may suggest.
Although the white paper may not be a sea change for E.U. regulators’ understanding of data transfer, the white paper cuts against regulators’ potential argument that transfers under the SCCs are impermissible without significant additional protective measures.
We note, in conclusion, that the law of personal data transfer after Schrems II remains fluid and many European regulators have not issued substantive or final guidance (including the European Data Protection Board (“EDPB”). Given that lack of guidance requiring any specific compliance solutions, companies should be cautious about implementing any specific additional protection safeguards that create significant legal or operational burdens.