
EU Data Transfers: Final Guidance on Third Countries

June 22, 2021

EU Data Transfers Face New Scrutiny Following Schrems II Ruling

The European Data Protection Board (EDPB) published its final recommendations yesterday on how personal data can lawfully be transferred to countries outside the EU in the wake of last summer's landmark ruling by the Court of Justice of the EU (CJEU), commonly known as Schrems II.

Impact of the Recommendations

The core takeaway from the 48-page recommendations is that some data transfers to third countries may prove legally impossible to carry out. This is despite the continued availability of legal transfer mechanisms such as Standard Contractual Clauses, which the Commission recently updated.

The responsibility for deciding whether a given transfer can go ahead rests with the data exporter, which must assess each transfer individually: whether the law and practice of the destination country undermine the protection the transfer tool is meant to provide, and whether supplementary measures can close that gap.

Challenges for Businesses

Companies that routinely send EU users' data outside the bloc for processing in countries without an EU adequacy decision, such as the US, face substantial cost and complexity to achieve compliance, even in the best case.

Organizations that cannot put effective supplementary measures in place to safeguard transferred data are obliged to suspend the data flows. Those that carry on regardless risk suspension orders from data protection authorities and potential sanctions.

Alternative Solutions

One potential solution for affected firms is to store and process EU users’ data locally, within the EU. However, this may not be a viable option for all companies.

The increased complexity is expected to drive demand for legal counsel as businesses navigate structuring their data flows and adapting to the post-Schrems II landscape.

Increased Regulatory Oversight

Several EU jurisdictions, including Germany, are actively conducting compliance checks. Consequently, orders to suspend transfers are anticipated.

Furthermore, the European Data Protection Supervisor is currently examining the use of US cloud service providers by EU institutions, assessing whether arrangements with companies like AWS and Microsoft meet the required standards.

The Demise of Privacy Shield

Last summer, the CJEU invalidated the EU-US Privacy Shield, just a few years after its implementation. Its predecessor, ‘Safe Harbor,’ suffered a similar fate after fifteen years. The Commission has repeatedly stated that a swift replacement is unlikely, requiring substantial reform of US surveillance laws.

Negotiations between US and EU lawmakers are ongoing regarding a replacement data flows deal. However, a viable agreement capable of withstanding legal challenges, unlike the previous two, may take years to materialize.

UK and Other Third Countries

This prolonged uncertainty means EU-US data flows will remain exposed to legal challenge for the foreseeable future.

The UK is in line for a data adequacy decision from the Commission, despite earlier signals that it would diverge from EU rules after Brexit. Should the UK substantially alter the data protection framework it inherited from the EU, however, it risks losing adequacy and facing the same barriers to EU data flows.

Data flows to other third countries lacking an EU adequacy agreement, such as China and India, also remain subject to ongoing legal uncertainty.

The Origins of the Issue

The current situation traces back to a complaint filed in 2013, following Edward Snowden's revelations about government mass surveillance programs, in which Max Schrems argued that EU-US data flows were unsafe.

The complaint specifically targeted Facebook and called upon the Irish Data Protection Commission (DPC) to suspend its EU-US data flows.

Legal Battles and Enforcement

After a period of regulatory indecision, legal questions were referred to Europe's top court, ultimately leading to the invalidation of the EU-US Privacy Shield. The CJEU also made clear that Member States' DPAs are required to act when they conclude that transferred data is not adequately protected, including by suspending the transfers.

Last fall, the DPC issued a preliminary order to Facebook to suspend its EU-US data flows. Facebook challenged this order in Irish courts, but the challenge failed, and its EU-US data flows are now operating under precarious conditions.

Facebook’s Challenges

As a platform subject to Section 702 of the US Foreign Intelligence Surveillance Act (FISA), Facebook has limited scope to apply supplementary measures to its EU data transfers.

For example, it cannot encrypt the data in a way that leaves it without any access to the plaintext, because its advertising model depends on processing that data. Schrems has suggested that Facebook may need to federate its service and store EU users' data within the EU to resolve its transfer problem.

Compliance Costs and Industry Response

The costs and complexity of compliance for businesses like Facebook are substantial.

Thousands of businesses will face compliance challenges following the CJEU ruling. Startup associations on both sides of the Atlantic have urged policymakers to align regulatory standards, warning that recent developments, such as the invalidation of Privacy Shield, “threaten to leave our ecosystems at a disadvantage in tough globally competitive markets”.

Benedikt Blomeyer, director of EU policy for Allied for Startups, emphasized the global nature of startups and the need to reduce trade barriers in the digital economy.

EDPB’s Perspective

Andrea Jelinek, chair of the EDPB, stated that the impact of Schrems II is significant, with supervisory authorities conducting investigations at the national level. The EDPB’s recommendations aim to guide exporters in lawfully transferring personal data while ensuring equivalent data protection within the European Economic Area.

The EDPB will continue to assess the effects of the Schrems II ruling and stakeholder feedback to refine its guidance.

Further Guidance and Legal Analysis

The EDPB previously issued guidance on Schrems II compliance last year.

Key modifications in the final recommendations include emphasizing the examination of third country public authority practices, considering importer experience, and clarifying that third country legislation allowing data access by authorities may impact transfer tool effectiveness.

Law firm Linklaters described the guidance as “strict,” warning of its impact on businesses. Peter Church, a Counsel at the firm, noted the lack of a pragmatic approach and the potential for businesses to conclude that data must remain within the EU.

He also raised concerns about the feasibility of compliance for SMEs, suggesting that the EDPB should consider the practical limitations of its power.

This report was updated with additional comment 

