In the now infamous Schrems II decision of July 2020, the Court of Justice of the EU (CJEU) confirmed, in principle, that standard contractual clauses (SCCs) can continue to be used to facilitate the transfer of personal data out of the EEA but at the same time imposed due diligence obligations on entities seeking to make such a transfer to assess whether SCCs alone offer sufficient protection in the recipient jurisdiction to comply with General Data Protection Regulation (GDPR) requirements.  Where they do not, appropriate supplementary measures are required.

How have courts and regulators across the EU member states been applying the decision?

We have previously commentated on various government and regulator reactions and in the last few months, we are seeing an increase in proactive action being taken – all, notably, in the absence of any further update or guidance from the European authorities.

In applying the Schrems II analysis, the Conseil d’Etat (France’s highest administrative court) determined on 12 March 2021 that contractual commitments by a U.S. cloud service provider to challenge access requests by public authorities, together with technical measures such as encryption where the encryption key was kept by a third party in France amounted to “sufficient safeguards in place to protect the GDPR rights of EU data subjects in relation to the hosting of the personal data”. While much of the court’s final decision in this particular case turned on the particular facts, notably that no personal data was being transferred outside of the EEA, the decision reinforced the point that the scope and concerns raised in Schrems II extends to EEA based subsidiaries of U.S. entities.

A further decision issued on 15 March 2021 by the Bavarian Data Protection Authority was the first German enforcement action in connection with last year’s Schrems II decision. In this case, the publishing company in question had failed, following Schrems II, to assess if supplementary measures were in fact needed to ensure that the transferred data was protected from U.S. surveillance and, if required, to implement any such supplementary measures. Importantly, although this was confirmed as a violation, it was considered minor with regard to its nature and gravity, and merely involved “a slight degree of negligence at most”. The judgment of the case indicates that the regulatory authority’s assessment was due, largely, to the fact that the EDPB Recommendations are still undergoing public consultation and therefore not yet available in final form.

Just this week, on 27 April 2021, the Portuguese Data Protection Authority (Comissão Nacional de Protecção de Dados (CNDP)) delivered the most severe decision to date, ordering the Portuguese National Institution of Statistics (INS) to cease all transfers of personal data to third countries which do not offer protection equivalent to GDPR. The INS gathered census data and transferred it to a U.S. service provider assisting with security and content delivery. The contract between INS and the U.S. provider stated that personal data may transit among any of the company’s 200 servers, including those located in the US, South Africa and Russia.  SCCs were relied upon but, in applying Schrems II, CNDP concluded that INS had not undertaken sufficient due diligence to ensure that the SCCs offered sufficient protection in the various recipient jurisdictions, hence the harsh decision.

Where does that leave the Schrems II debate?

The recent decisions highlight the need for businesses to proactively review all their international data flows and conduct transfer impact assessments where appropriate.  The authorities are applying Schrems II and considering the steps taken by data controllers to ensure the protection of personal data whether it be by way of impact assessments, consultation with the supervisory authority or additional technical and contractual safeguards. 

While the updated European Data Protection Board recommendations on measures that supplement transfer tools and new SCCs are eagerly anticipated during the course of 2021, the clear expectation is that businesses should be taking such steps now as a matter of course and cannot wait.