8 September 2020
The European Court of Justice’s Schrems II judgment on 16 July 2020 has both invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield and strengthened obligations on anyone transferring data out of the European Economic Area (EEA). This brief focuses on the latter issue.
Increased difficulty in relying on standard contractual clauses
The decision establishes that standard contractual clauses (SCCs) must provide a level of data protection “essentially equivalent” to that of the GDPR (which, per the GDPR itself, is a requirement for transfers pursuant to an adequacy decision). To make this determination, both data exporters and importers using SCCs must examine aspects beyond the metaphorical four corners of the contract, such as how government security services may access data or whether effective remedies exist for data subjects in the data importer’s jurisdiction. (Indeed, some call these exercises “mini adequacy decisions”.)
Furthermore, whether personal data is transferable using SCCs depends on the data exporter’s assessment, accounting for transfer circumstances and potential supplementary measures. Obviously, the difficulty of assessing third-country data protection levels and defining supplementary measures on a transfer-by-transfer basis is extreme. The European Data Protection Board is currently investigating which measures could be provided alongside SCCs. Data protection by design and default presents an attractive solution, including verifiable data encryption. However, where the level of protection in the third country is inadequate, the recipient could be unable to access or use the data, excluding most collaborative research but potentially enabling cooperation with cloud storage providers.
If the requisite level of data protection cannot be assured, the transfer must be suspended outright. Similarly, competent supervisory authorities (SAs) must, absent an adequacy decision, suspend or prohibit the transfer of personal data to a third country where they believe the SCCs are not or cannot be complied with, or where the required level of data protection cannot be otherwise ensured. These obligations place a burden on SAs, who may need financial or other support to realize these tasks. (It may nevertheless become easier, after an initial assessment is done, to stay abreast of relevant changes for future assessments.)
Implications for other transfer mechanisms
The decision further means that the conditions for the application of other safeguards will also depend on the level of data protection in the third country. This does not obviate the as-yet unused measures under Article 46 GDPR, e.g., Codes of Conduct (CoC), as they may contribute to standardized data sharing in genomic research. It does, however, require that CoC drafters take into account relevant characteristics of third countries’ legal orders.
Should none of these transfer mechanisms be applicable, certain derogations for transfer may be available (e.g., explicit consent to the transfer itself), though only on a case-by-case basis. Some standardization might be possible via consent forms; however, the data subject must be informed of the specific risks of transfers to third countries without adequate protection.
Many SAs see the Court’s judgment as a motivation to find data processing solutions within the EEA, and even claim the decision dovetails with the Commission’s data strategy. Nevertheless, cloistered “data jurisdictions” are undesirable, especially in the case of research types that rely on data from participants in disparate geographies, as is the case with rare disease research. Because of this, the ruling’s impact on transfers to international organizations, comprising also research institutions, needs further clarification. Work is needed to promote the free flow of data, measured not only by theoretical legal compliance but also by options for factual compliance, upholding the spirit of the GDPR.
Relevant GDPR provisions:
Fruzsina Molnar-Gabor is research group leader at the Heidelberg Academy of Sciences and Humanities and lecturer at the Legal Faculty of Heidelberg University.
Michael Beauvais works at McGill University’s Centre of Genomics and Policy.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.