A look at SCCs in the Irish High Court, Privacy Shield confidence, and what it means for those searching for a comprehensive compliance program.
The cross-border data transfer, a key component of data processing for so many international businesses and global organizations, just can’t seem to catch a break. New challenges to the validity of Standard Corporate Contracts (SCCs), and continued questions around the adequacy of the Privacy Shield, continue to dog organizations that lean heavily on cross-border data transfers in their operations.
Given the differing cultural, governmental, and commercial perspectives on the handling of personal data and data protection rights of individuals, it should be no surprise that cross-border challenges carry some seriously contentious baggage. The convoluted data protection regulatory landscape across European Member States was one major contributing factor not only behind the conception and development of the General Data Protection Regulation (GDPR) itself, but also the fair amount of digital ink spilled in creating Articles 46 – 49 (and their myriad recitals and comments), which deal specifically with cross-border transfers, and their means, mechanisms, and derogations (exceptions) for compliance. While there is much clarity to be found there, the transfer of data across international borders has been increasingly shadowed at times by doubt and uncertainty, even as its importance with respect to rapidly expanding technology and the global economy continues to grow.
This year, one of the more interesting court challenges to cross-border transfers has been what many are calling “Schrems II”: a case before the Irish High Court concerning the validity of Standard Corporate Contracts (SCCs) as an EU-US data transfer mechanism, with a request by the Irish Data Protection Commissioner (DPC) that the matter be referred to the European Court of Justice (ECJ) for review.
The case was initially brought to the Irish DPC in 2016 by the very same Austrian rabble-rousing lawyer Maximilian Schrems, who was behind the invalidation of Safe Harbour by the European Court of Justice in 2015. As in “Schrems I”, the issue concerned data transfers to the US by Facebook, Inc. and whether US law provides an effective remedy, within Article 47 of the EU Charter of Fundamental Freedoms, for breach of the data privacy rights of EU citizens. For clarification, in this case the Irish DPC seeks review of SCCs, which Facebook relies heavily on for data transfers. However, Schrems is challenging the validity of ANY MECHANISM for transfer to the US.
After 21 days of hearings in February, Ms. Justice Caroline Costello (personal note: great name) reserved her judgement in the matter, which means that a final judgement is forthcoming.
The decision to give extensive consideration to this matter seems a sensible one by Justice Costello, as the implications for business, economic interests and trade if SCCs are found to be an invalid mechanism for transfer are enormous. Large-scale organizations, including Facebook, Google, Microsoft, and others, rely on SCCs for cross-border transfers from the EU, many of which have received approval from the Article 29 Working Group (the data protection oversight body under the former EU Data Protection Directive). The SCCs are a key component of these businesses’ cloud-based applications and services. In addition, many international discovery teams and corporate litigation groups transfer data through similar, approved SCC mechanisms. And while the GDPR seeks to streamline SCC compliance procedures, doing away with oversight approval requirements, that is likely to change in a hurry should SCCs be invalidated as a cross-border transfer mechanism to the US (and the consequences of that finding would have repercussions for other jurisdictions as well). Cloud-based services, large-scale data collections, and cross-border discovery procedures would all be severely crippled by SCCs being invalidated.
There are other means for data transfer available, however. Over 2,000 organizations, including Facebook, Google and Microsoft, have also been certified under the Privacy Shield, which continues to stand as a valid and accepted cross-border transfer mechanism for EU to US transactions. The Privacy Shield offers certain specific assurances with respect to US government surveillance, rights of redress for EU citizens, and a streamlined, self-certification process for compliance, affording an additional layer of compliance and legal protection in conjunction with SCCs. While SCCs are data-transfer destination neutral, the Privacy Shield deals specifically with data transfers to the US.
That being said, the Privacy Shield has been beset with criticism from its inception, has been challenged by digital rights groups, and has been viewed with consternation by the Article 29 Working Group. In the latest news, members of the European Parliament’s civil liberties, justice and home affairs committee (LIBE) voted (narrowly) in late March to support a resolution declaring the Privacy Shield to be inadequate, a finding which then goes to the European Commission for further review. Until the inaugural review of the Privacy Shield by the European Commission in September, and perhaps even after, the fate of the Privacy Shield will continue to be plagued by uncertainty.
However, there is one method of cross-border transfer that remains unscathed: Binding Corporate Rules, or BCRs. BCRs are specifically cited by the GDPR as an appropriate safeguard for cross-border transfers. The GDPR goes on to detail the conditions for transfer and minimum requirements for BCRs, as well as rules for transfer processes and application of data protection principles, complaint procedures, and overall compliance. BCRs under the GDPR also allow a set of corporate affiliates or groups to use the same BCR compliance structure for all international data transfer. In short, BCRs require a holistic, thorough and robust set of compliance structures, which allow them to continually stand as a solid compliance mechanism. No hand-wringing over the latest court challenges is necessary with BCRs.
So given the importance of cross-border transfers to international businesses, discovery groups and law firms, and the uncertainty around the varying mechanisms in place, you’d think a comprehensive approach to data protection compliance, whether through BCRs or some other means, would quickly be gaining popularity. There has been no rush to that yet, but as GDPR implementation nears, that may be changing. Stay tuned.