What are the main trends in regulatory responses to Schrems II

European Data Protection Board (EDPB) position

Following the Schrems II decision, on 24 July 2020, the EDPB published a ‘Frequently Asked Questions’  document. The EDPB noted that Schrems II has particular impact on other transfer mechanisms, not only Privacy Shield and SCCs but also, for example, Binding Corporate Rules (BCR). The EDPB issued long-awaited guidance on 11 November 2020 further clarifying the steps required for data exporters to undertake prior to transferring data to a non-EEA jurisdiction – not only the US. The EDPB guidance document also makes it clear that there is no grace period and enforcement would commence right away.

Post-Schrems II: Regulatory grey area

While the Schrems II decision and the subsequent EDPB guidance provided some direction, further analysis and commentary left many organizations still grappling with whether or not they could legally and safely transfer data outside the EU (in particular, to the US) and, if so, what was the correct procedure to follow.

While the EDPB guidance may have been intended to clarify the steps for a permitted data transfer for implementing organizations, when these organizations turn to the SA in each Member State, they may face conflicting interpretations of Schrems II and the EDPB guidance. Multinational organizations face an increased compliance obligation in trying to understand and synthesize the positions of different regulators across the EU, as well as any non-EEA jurisdictions in which they have operations. Given the EDPB guidance stipulated that “the competent supervisory authority is required to suspend or prohibit such a transfer”, there is a significant risk that both data subjects and transferring organizations may experience a fragmented application of European law, where the same transfer could be deemed valid by one SA but not by another.

Following the Schrems II decision, some SAs declared any data transfer to the US to be illegal, and called for caution and minimization of transfers. The European Data Protection Supervisor (EDPS), tasked with safeguarding the EU’s own data protection policies and compliance (pdf), also called on the EU institutions to "to avoid processing activities” that involve transfers of personal data to the US and instructed the EU institutions to complete “a mapping exercise identifying which on-going contracts, procurement procedures and other types of cooperation involve transfers of data.” At the same time, other SAs noted that Schrems II validated the use of SCCs as a transfer mechanism, providing that additional measures were implemented.

An example of the uncertainty has been recently observed in France, with the jurisdiction’s highest administrative court (the Conseil d’État) issuing a summary judgment that rejected a request seeking suspension of operations of the country’s central health data platform, ‘Health Data Hub’, currently hosted on EU-based servers by a major US technology company. This was contrary to the position of the French SA, the Commission nationale de l'informatique et des libertés (CNIL), which had issued a statement post-Schrems II asking affected organizations to stop storing health data "as soon as possible" on the Health Data Hub, and to utilize companies not subject to US law for hosting such data. The Conseil d’État’s decision acknowledged that the current Health Data Hub operations are subject to the risk of US intelligence services requesting the data from the US technology company (even if the data physically remains in the EU, because of the extraterritorial scope of US surveillance laws) and called for additional guarantees to be overseen by the CNIL. The French Health Minister sought to clarify the matter by indicating that the health data would cease being stored under the current arrangement with the existing provider within two years.

Rise in ‘Eurocentric’ approach to data governance 

CNIL has made statements encouraging the use of European suppliers, especially in the context of projects involving sensitive data. In addition, the European Commission (EC) wants to facilitate data sharing within the EU through the establishment of a European data governance and strategy, as demonstrated in the proposal for a European data governance regulation published on 25 November 2020. This regulation aims to establish harmonized rules and means for data usage and to support the development of “common European data spaces” (operated by data intermediaries, presumably limited to European companies). Commentators await with interest further details about a proposed European Data Innovation Board, to be created with the aim of facilitating the sharing of good practices by SAs. Although the EC has stated that it does not intend to introduce data localization requirements, especially regarding any common European data spaces, it notes that the EU must ensure that any access to EU citizens' personal data, particularly sensitive data, is in line with its values and legislative framework.

The EDPB has also been active in policy development following the Schrems II decision. It issued an opinion on the creation of a common space in the area of health, the European Health Data Space (pdf) (EHDS), in order to develop the positive potential of health data (e.g., improved clinical outcomes and care, personalized medical treatment, medical innovation, monitoring public health trends etc.) in a climate of trust and efficiency. The EDPB says it supports the “objectives of promoting health data exchange and fostering medical research” while underlining the “necessity for data protection safeguards to be defined” due to the sensitivity of the data to be processed within the EHDS. The EDPB is supportive of what it calls “initiatives to achieve European digital sovereignty” in order to secure health data. 

Multinational organizations should also note that several stakeholders with an interest in data governance and data subjects’ rights have commenced action against data holders following the Schrems II decision. For example, the activist group Noyb has recently filed 101 complaints against several companies because, the group claims, the companies continue to use US solutions on their websites. Organizations should be aware that the reputational risk from their approach to data governance is increasing in severity. 

While most multinational organizations have become cognizant of the effect of changes in data protection legislation around the world on their operations, many are yet to grasp the increased burden imposed by the EDPB following the Schrems II decision.

Organizations should undertake the following steps without delay:

1. Map their current data transfers to assess whether any are covered by Schrems II/EDPB guidance
2. Establish a clear understanding of the mechanism(s) on which they rely to transfer EU data to non-EEA jurisdictions/suppliers
3. Should the transfer assessment identify gaps with the current mechanism, institute technical or other permitted remediation, in accordance with EDPB guidance (see EY flyer for more details)
4. Continue to monitor regulatory developments on data governance by EU bodies and Member State SAs, including obtaining professional guidance where necessary to clarify conflicting advice, to demonstrate commitment to European data protection principles

Summary

Given the regulatory uncertainty following the Schrems II decision and the subsequent regulatory activity, international organizations must proceed carefully to meet their data privacy obligations.