Abigail Dubiniecki, freelance lawyer and privacy professional, talks with PrivSec about the likely complications that will follow the invalidation of the Privacy Shield and the new terms of Standard Contractual Clauses (SCCs).

On 16 July 2020, a court case started by Austrian privacy activist Max Schrems against Facebook Ireland received a long-anticipated verdict from the Court of Justice of the European Union (CJEU).

The ruling invalidated the US-EU Privacy Shield and limited the legality of SCCs in international data transfers. As lawyer Abigail Dubiniecki explains, it was only a matter of time before the Privacy Shield fell, and its invalidation is an overall win for privacy. That being said, new concerns have arisen about how organisations are expected to manage these major changes.

“There are some important lessons for any country concerned about or seeking an Adequacy ruling – the UK for example, is seeking Adequacy status post-Brexit transition, and Canada’s Adequacy is under review.

They are both Five-Eyes countries and should take note that sweeping, unchecked government surveillance for national security purposes is antithetical to the fundamental human rights protection under the European Charter of Fundamental Rights and could undermine any Adequacy finding as well as the effectiveness of SCCs.”

Abigail Dubiniecki, freelance lawyer and privacy professional

Providing further clarification of the technicalities involved in these changes, she said: “The findings on Standard Contractual Clauses certainly throw a wrench into data flows, not just to the US but to any Third Country. In principle, the CJEU found SCCs to be valid as an adequate safeguard for international transfers, but they must deliver in practice. So, we are now left with a factual determination to make in terms of the data importers and the legal regimes that apply to them.”

“If they cannot in practice provide adequate data protection because there is a law that could compel them to communicate EU personal data to a public authority, the SCCs simply will not work. They have a contractual obligation under the SCCs to notify their EU data exporter, and the data exporter can suspend the data flows or even terminate the contract. Individual data subjects can complain or take legal action, including class actions. These are serious repercussions.”

In Schrems II the legal authority in question was Section 702 of FISA, so any entity that is subject to it, for example ‘electronic communications service providers’ such as AWS and Google, could not effectively use SCCs to provide adequate protection.

But, as Abigail explains, “many companies that would fall outside that definition rely on ‘electronic communication service providers’ based in the US as sub-processors. For example, MailChimp, Google Docs, Facebook Business, etc. Therefore, there is the potential for FISA 702 to impact any business that operates a website on the sub-processor or joint controller level. That’s where it gets really tricky.”

The CJEU has made clear that extensive assessments of the risks associated with these transfers must be undertaken. “We cannot simply paper over our obligations to protect data. We need to consider actual risk and actual mitigations, and even if the SCCs are okay from a formal standpoint, they have to deliver in practical, operational terms.”

“That means we need to assess risk, mitigate it, and re-consider what we actually send across if we’re not confident in the protections the data will receive on the other side. The findings mean we really need to understand – or get assurances from our Data Importers – that there are no legal impediments on their end to delivering on their contractual commitments to protect the data.”

Disruption is likely to be on a continuum, and its impact on businesses will depend on the flexibility of their existing privacy programmes. “Organisations with mature privacy programs that have been taking GDPR seriously in spirit and in the letter of the law and implemented safeguards will be much further ahead and better protected, because this is their BAU. But for those that fixate on tick-box exercises of papering over their obligations or blindly clicking to accept terms without really considering what safeguards are in place, this will be a much more serious task.”

The importance of having already taken steps to implement an effective data governance strategy in an organisation is evident. Abigail says: “I predict that on the enforcement side it will be those businesses that were sloppy in practice with their data flows, rather than those who had the SCCs in place but also implemented appropriate technical and organisational measures to protect the data even on the ‘other side of the pond’, that suffer the wrath of DPAs.”