With the help of our members, this thought-leadership series explores the acceleration of “digitalization” due to COVID-19 on both sides of the Atlantic, and across various industries. Today, we present Angelo A. Stio III, Partner, and Robyn R. English-Mezzino, Associate, both at TROUTMAN PEPPER LLP in New York City and Princeton, NJ; along with Vincent Wellens, Partner, and Lindsay Korytko, Senior Associate, both at NAUTADUTILH in Luxembourg. They will address: “The Impact of Schrems II on EU and US Cloud-Based Services”.
Digital transformation has been on the agenda of most businesses for some time, and the COVID-19 pandemic has only caused it to move up. Cloud computing services, such as those provided by AWS and Microsoft, have been shown to be crucial to a successful digital transformation.
Cloud-based services very often entail international data transfers, in particular to countries outside the EU or EEA, for example, because they are hosted outside the EU/EEA or because the data are accessible to the technicians and staff of cloud providers based in jurisdictions outside the EU/EEA, in many cases the US, even if only for maintenance and support purposes.
In addition, many popular electronic signature solutions, which are crucial to the digital transformation of organisations, such as Docusign, entail the transfer of personal data outside the EU/EEA.
Schrems II: What did the Court of Justice of the European Union say?
To the extent these transfers involve personal data, i.e., data that allow the identification of a natural person, held by undertakings, organisations and public authorities in the EU/EEA, they are subject to Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation or “GDPR”). International data transfers are, in principle, prohibited unless the data are transferred to a jurisdiction considered by the European Commission to provide an adequate level of data protection. US companies that agreed to apply a self-certification procedure to comply with key data protection principles could benefit from the so-called EU-US Privacy Shield Framework, which formed the object of a European Commission adequacy decision. The most prominent cloud service providers, such as AWS, Microsoft and Salesforce, relied on this framework to legitimise the international transfers of personal data which inevitably took place in the context of their provision of services.
On 16 July 2020, however, the Court of Justice of the European Union (CJEU) handed down its seminal Schrems II judgment, invalidating the European Commission’s adequacy decision with respect to the EU-US Privacy Shield Framework, a little less than five years after doing the same with respect to the US Safe Harbour Privacy Principles (the predecessor to Privacy Shield). The CJEU basically held that the US does not ensure an adequate level of data protection due to the existence of certain legislation which allows US law enforcement agencies to engage in mass surveillance, such as the PRISM and UPSTREAM programmes based on the US Foreign Intelligence Surveillance Act, and the tapping of transatlantic cables, pursuant to Executive Order 12.333, and does not confer the necessary rights to object on the data subjects concerned.
If organisations cannot rely on an adequacy decision, they can choose to realise adequacy themselves, for example, by implementing so-called standard contractual clauses (SCCs), concluded between an EU-based organisation transferring data from the EU/EEA (also called the “data exporter”) and a recipient located outside the EEA, for example, a US-based cloud service provider (also called the “data importer”). SCCs are considered by the European Commission to confer an adequate level of protection.
The CJEU confirmed in Schrems II the validity of the controller-to-processor SCCs that had been adopted by the European Commission (the same reasoning may be applied by analogy to controller-to-controller SCCs). However, the CJEU made clear that if an organisation wishes to rely on SCCs, both the EU-based controller and the recipient need to verify whether the destination country’s laws allow compliance with the GDPR, the SCCs and the EU Charter on Fundamental Rights. If circumstances that prevent compliance arise:
- the recipient must notify the EU controller; and
- the EU controller must suspend the transfer and/or terminate the contract. If the controller decides not to do so, it must forward the recipient’s notification to the competent supervisory authority.
If the laws of the destination country are likely to prevent compliance with the SCCs or the other provisions mentioned above, the CJEU indicates that it may be necessary to supplement the guarantees contained in the SCCs with other clauses or additional safeguards (see below). It is useful here to work with a framework agreement, so that the content of the SCCs is left intact wherever possible (to facilitate the verification of compliance) and to ensure that any other contractual provisions provide for a higher level of protection than the SCCs.
Impact of Schrems II on digital transformation projects and cloud-based hosting
Since the Schrems II judgment, both the European Commission and the European Data Protection Board (EDPB) have released key documents intended to help organisations navigate international data transfer issues.
On 4 June 2021, the European Commission published its final implementing decision adopting new SCCs (a draft version of which was published for consultation last November). This much-needed revamp aligns the SCCs with the GDPR, as the previous SCCs were adopted under the since-repealed Directive 95/46.
More importantly, the new SCCs resolve a number of structural and substantive issues, in particular the lack of coverage for certain types of transfers. Transfers from EU/EEA processors back to non-EU/EEA controllers and transfers from EU/EEA processors to non-EU/EEA (sub)processors were indeed not covered under the previous version of the SCCs. These types of transfers are nevertheless common in practice, especially in cloud computing where EU/EEA controllers often contract with EU/EEA establishments (acting as processors) of US-based providers, which transfer the data to the US head office, or other non-EU/EEA group entities (acting as sub-processors).
The new SCCs take a modular approach in that parties can adapt the clauses to fit four different transfer situations (C2C, C2P, P2P and P2C, where “C” refers to controller and “P” to processor). Also, with the help of an optional “docking clause”, it will be easier to organise group data transfer agreements. New entities will be able to accede to the SCCs by completing and signing two annexes, provided of course that all current parties consent to the accession. This will facilitate the signing of SCCs and their lifecycle and reduce reliance on cumbersome power-of-attorney mechanisms that have arisen in practice to address the rigidity of the current SCCs.
Furthermore, the new SCCs address the consequences of Schrems II. Section III of the SCCs, entitled “Local Laws and Obligations in Case of Access by Public Authorities”, requires the parties to warrant that they have no reason to believe that the laws of the destination country will prevent compliance with the SCCs. Before providing such a warranty, the data importer and the data exporter are first asked under the new SCCs to conduct a documented assessment, often referred to as a data transfer impact assessment (DTIA), into the specific circumstances of the transfer and the laws and practices of the destination country that are relevant in light of the specific circumstances of the transfer.
This is where other key documents relating to international data transfers come into play. In the wake of Schrems II, the EDPB released its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. When conducting a DTIA, the SCCs must be read together with these recommendations.
The final version of the new SCCs and the EDPB Recommendations 01/2020 provide more flexibility than earlier drafts with respect to a DTIA. Practical experience with requests for disclosure by public authorities received by the parties (and other undertakings in the same sector) may be taken into account, subject to certain conditions. Objective factors, such as the application of the law in the form of case law or reports by independent oversight bodies, remain essential to the assessment.
The EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures and the European Essential Guarantees website, an academic initiative, represent a helpful starting point when performing a DTIA. Unfortunately, some law firms in the destination country, which are in principle well positioned to help with the assessment, may be reluctant for professional liability reasons to take a firm stance on the likelihood of access to data by public authorities, especially where cloud services are involved. This can make it difficult to finalise a DTIA in practice, not to mention unnecessarily costly in the first place.
If the DTIA reveals a risk of non-compliance with the SCCs, the parties can put in place supplementary contractual, technical or organisational measures to overcome this risk. The EDPB Recommendations 01/2020 provide guidance on which types of measures can be implemented.
Purely contractual measures are generally not binding on the authorities of a third country. As a result, it will be necessary to combine contractual measures with technical and organisational measures to ensure the requisite level of data protection. The EDPB considers encryption at rest and in transit as well as pseudonymisation to be potentially effective technical measures.
The final version of the EDPB Recommendations 01/2020 is almost as strict as the draft version when it comes to the supplementary measures to be applied in the case of cloud computing services. The fact that the EDPB does not seem to accept any access to data in the clear (meaning unencrypted or not pseudonymised) by cloud service providers in the country of destination is problematic, as access by technicians or staff members in this country is often envisaged or required for maintenance and support purposes.
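As an added illustration of the "no access in the clear" point above (not code from the authors or from any provider), the following standard-library Python splits a constructed record into a pseudonymised part that may be sent to a non-EU/EEA cloud service and a lookup table that stays with the data exporter; the key, field names and record are all constructed assumptions, and the check function shows the pre-transfer test a practitioner would run before releasing a record.

```python
import hmac
import hashlib
import json

# Constructed sample: an EU-side HR record bound for a cloud-hosted ticketing tool.
SAMPLE_RECORD = {
    "employee_id": "E-10492",
    "name": "Jane Example",
    "email": "jane.example@example.org",
    "department": "Finance",
    "ticket_text": "Cannot open payroll report",
}

# Direct identifiers of the data subject; these never leave the exporter in the clear.
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")

# Constructed secret held only by the data exporter (e.g. an EU-resident KMS/HSM);
# the importer never receives it, so it cannot recompute or reverse tokens.
EXPORTER_KEY = b"constructed-exporter-secret-do-not-reuse"


def pseudonym(value: str, key: bytes = EXPORTER_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated): stable for the same key, useless without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes = EXPORTER_KEY):
    """Return (outgoing record for the importer, lookup table retained in the EU/EEA)."""
    token = pseudonym(record["employee_id"], key)
    outgoing = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    outgoing["subject_token"] = token
    lookup = {token: {k: record[k] for k in DIRECT_IDENTIFIERS}}
    return outgoing, lookup


def leaked_identifiers(record: dict, outgoing: dict) -> list:
    """Pre-transfer check: names of direct-identifier fields whose value still appears
    anywhere in the outgoing record (e.g. copied into free text)."""
    blob = json.dumps(outgoing).lower()
    return [k for k in DIRECT_IDENTIFIERS if str(record[k]).lower() in blob]


def re_identify(outgoing: dict, lookup: dict) -> dict:
    """Only the exporter, holding the lookup table, can restore the full record."""
    return {**lookup[outgoing["subject_token"]],
            **{k: v for k, v in outgoing.items() if k != "subject_token"}}
```

The token can still be correlated across records by the importer, so pseudonymisation of this kind reduces, rather than removes, the need for the encryption and key-custody measures the recommendations also call for.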
A few major cloud providers announced supplementary measures prior to publication of the final version of the EDPB Recommendations 01/2020 and the new SCCs. It is possible that these providers will continue to develop their service offering in line with the EDPB Recommendations, although given that these are only recommendations (as opposed to guidelines which have more authoritative force), the question arises as to whether strict adherence is required in order to meet the challenges posed by Schrems II.
If no supplementary measures can ensure the required level of protection, organisations must avoid, suspend or terminate the transfer. This makes working with certain cloud service providers headquartered in the US or China a particularly sensitive issue and explains why calls for a Privacy Shield 2.0 have not stopped growing since July of last year. In the meantime, certain developments in Europe could help achieve such an agreement. Indeed, in late May 2021, the European Court of Human Rights, which sets privacy standards in Europe, took a slightly more permissive stance, admitting that European countries have broad discretion given “the increased sophistication of communications technology” and provided certain end-to-end guarantees are implemented (ex post review of the mass surveillance mechanism).
Schrems II – The US point of view and the perspective for Privacy Shield 2.0
The Schrems II decision invalidating the EU-U.S. Privacy Shield has brought great uncertainty and anxiety to thousands of U.S. businesses that are engaged in the transatlantic transfer of personal data. The decision has not only impacted digital and high tech businesses, but it has impacted businesses in virtually every sector, including financial services, agriculture, automotive and health care, who rely on the free flow of data for their existence. Indeed, it is an understatement to say that the invalidation of the EU-U.S. Privacy Shield impacted businesses. In this digital age, the absence of a framework to enable the cross-border transfer of data between Europe and the United States has repercussions on all members of society, including businesses, employees, and consumers as well as the efforts being made globally to economically recover from the pandemic.
In the wake of Schrems II, many U.S. businesses that previously relied on the EU-U.S. Privacy Shield had to quickly transition to other mechanisms to transfer data, including SCCs, Binding Corporate Rules and derogations. While this transition may have been seamless for some large public social media and technology companies, other small and mid-cap businesses, which lacked the resources and infrastructure to quickly transition, simply ceased transferring data altogether.
Given the 6.2 trillion dollars in commercial sales that occur annually between businesses in the United States and Europe and the 16 million jobs that this transatlantic relationship creates, businesses, government officials and citizens have been clamouring for a new framework to provide adequate protections for personal information while still enhancing the cross-border transfer of data between Europe and the United States. And, although efforts to develop a Privacy Shield 2.0 stalled in the third and fourth quarters of 2020 while the United States was focused on the pandemic and a Presidential election, 2021 has brought hope that diligent efforts are being made between the United States Government and the European Commission to develop a new framework. In fact, on March 25, 2021 the U.S. Secretary of Commerce, Gina Raimondo, and the European Commissioner for Justice, Didier Reynders, issued a joint statement indicating:
The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case. These negotiations underscore our shared commitment to privacy, data protection, and the rule of law and our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies. See here.
Two major impediments to the establishment of Privacy Shield 2.0, however, are (i) the absence of a national privacy law in the United States with protections and safeguards that are essentially equivalent to Europe’s General Data Protection Regulation (GDPR), and (ii) the United States Government’s ability to engage in warrantless searches of data subjects under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (EO 12333), which the Schrems II decision found did not meet the GDPR’s standard for proportionality and necessity under Article 52 and failed to provide EU citizens with adequate judicial redress to challenge the collection and processing of their personal information. Fortunately, the clamouring for a new transatlantic data transfer framework has led Congress to try to take steps to eliminate some of the stumbling blocks to an agreement on Privacy Shield 2.0.
First, on July 28, 2021, U.S. Senators Roger Wicker (R-Miss.) and Marsha Blackburn (R-Tenn.) introduced legislation for the creation of a nationwide privacy law, entitled the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. Under the SAFE DATA Act, U.S. citizens would be entitled to enhanced privacy protections for their personal information, including (i) more choices and rights with respect to the collection and processing of their data, (ii) more transparency and accountability from businesses that collect and process data, and (iii) enhanced enforcement mechanisms for the Federal Trade Commission to hold businesses accountable for misusing data. A copy of the proposed legislation is available here – GAR21180 (senate.gov). Similar legislation has stalled in the past, but the need to foster business and support an economic recovery from COVID-19 may be sufficient motivation for a new federal privacy law to be enacted. If this occurs, it would presumably bring U.S. law closer to the privacy protections that the GDPR provides to EU residents. A uniform privacy law also would be a welcome development for businesses that are presently required to comply with a patchwork of different federal and state privacy laws that set forth numerous different standards.
Second, also on July 28, 2021, the U.S. House of Representatives, House Rules Committee, approved a bipartisan proposal to limit the U.S. Government’s use of FISA Section 702 to engage in warrantless searches of personal information. The proposal, introduced as an amendment to the Justice Department’s 2022 appropriations bill, would preclude the government from using federal funds to conduct searches of U.S. citizens’ digital communications without judicial approval. A copy of the House proposal is available here (house.gov). This proposal would presumably help address some of the concerns outlined in the Schrems II decision.
While it is too early to tell whether a nationwide privacy law will be enacted or whether FISA Section 702 will be modified, U.S. businesses and citizens are optimistic that Congress will eliminate the two impediments to an agreement on Privacy Shield 2.0. The Biden Administration is poised to push a nationwide privacy law in order to replace the patchwork of U.S. laws that currently exist, while Republican senators and representatives appear to be more receptive to limiting the scope of warrantless searches under FISA 702 – something many Republican legislators were reluctant to consider while the Trump Administration was in office.
Only time will tell if a nationwide privacy law will be enacted to put U.S. privacy law on the same plane as the GDPR. Such an enactment would foster the cross-border transfer of data, and certainly help in the negotiations between the U.S. Government and the European Commission on Privacy Shield 2.0. For now, however, U.S. businesses are looking to the recommendations from the EDPB and will continue to rely on SCCs (Article 37 of the GDPR), Binding Corporate Rules (Article 47 of the GDPR) and, where appropriate, derogations (Article 49 of the GDPR) to effectuate cross-border data transfers. Hopefully, help is on the way.
- Angelo A. Stio III, Partner, TROUTMAN PEPPER LLP
- Robyn R. English-Mezzino, Associate, TROUTMAN PEPPER LLP
- Vincent Wellens, Partner, NAUTADUTILH | Vincent.Wellens@nautadutilh.com
- Lindsay Korytko, Senior Associate, NAUTADUTILH | Lindsay.Korytko@nautadutilh.com
Stay tuned for more on this series! We hope you enjoy these Thought-Leadership pieces written by our members: NautaDutilh Avocats Luxembourg & Troutman Pepper LLP.