Further (unhappy) thoughts on Schrems II

In yesterday’s post outlining the Schrems II judgment, I said international data transfers were now in a fine mess. As I re-read the CJEU’s judgment, it occurs to me that my assessment was wrong. It is not a fine mess. It is an awful, almighty mess, it seems to me.

Here’s the nub of the problem: the European Commission’s SCC decision (which includes the SCCs themselves) survives, but it is not enough to rely on SCCs alone.

SCCs are meant to be a safeguard mechanism by which you ensure that GDPR standards continue to apply once the data leaves the EU. But they only have contractual force – they cannot bind those who are not party to the SCCs. To take a key example, they don’t restrict what the NSA, FBI, CIA and others can do with data under US law. SCCs are not capable of protecting data subjects against such activities.

It is important to remember the objective set out in Article 44 GDPR: “All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined”. And safeguards like SCCs can be relied upon only “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” (Article 46(1) GDPR).

So if, by virtue of local laws in the destination country, those standards can’t be guaranteed, then SCCs don’t make the transfer safe. You need to supplement them. See para 133 of the CJEU’s judgment: “In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.”

Hang on, I hear you say, why then did the CJEU appear to give SCCs a clean bill of health? Well what the CJEU was really doing was saying that the European Commission’s SCC decision is not invalid. Why not? Because the SCC mechanism itself builds in safety valves: if the recipient can’t guarantee that it will be able to comply with the SCC terms or achieve GDPR compliance (e.g. because of local laws in its country), then the exporter must stop the transfer. The CJEU concluded that SCCs hold good as far as they go – but they don’t always go the full distance. For the reasons I’ve tried to explain above, SCCs are not a complete fix.

Then there is the bigger practical question: how on earth are transfers to the US meant to work? SCCs can’t insulate data from the problems that saw the court kill off Privacy Shield. So what now? What sort of “supplementary measures” can be used to shore up SCCs, and can any such measures be effective in the US?

I don’t know the answer just now (sorry). But I take comfort from the fact that (understandably) the ICO doesn’t seem to know the answer just yet either. Its press release yesterday said this about the Schrems II judgment:

“The ICO is considering the judgment from the European Court of Justice in the Schrems II case and its impact on international data transfers, which are vital for the global economy.

We stand ready to support UK organisations and will be working with UK Government and international agencies to ensure that global data flows may continue and that people’s personal data is protected.”

So for now, not a fine mess: an awful, almighty one. Happy school holidays everyone!

Robin Hopkins