Schrems-II: the verdict is in, the Privacy Shield gone

by Paul Breitbarth, in Law

A few weeks ago, I predicted on this blog that 16 July 2020 would be the most important day of the year for privacy professionals, because of an expected judgment of the Grand Chamber of the Court of Justice of the European Union (CJEU). And I must say: the Court did not disappoint. 16 July has come and gone, and the international privacy community has its work cut out for the coming weeks. In its verdict, the CJEU has invalidated the EU-U.S. agreement known as the Privacy Shield and has put severe restrictions on the use of the so-called Standard Contractual Clauses (SCCs), thus making international data flows a lot more difficult.

International Data Flows
Under the GDPR, as well as under the previous European data protection laws, the free flow of personal data inside the European Union faces hardly any obstacles, since all countries in the Union (including those of the European Economic Area (EEA) and, for now, the United Kingdom) work under the same law and thus offer the same safeguards. When data leaves the EEA, however, that may be different. Some countries do not have any data protection legislation, and others may have data protection laws that do not offer the same high level of protection as we are accustomed to in Europe. That is a problem, since we Europeans regard privacy and data protection as fundamental rights. Restricting them is possible, but only if it is strictly necessary and proportionate, and if sufficient other safeguards are in place, such as the possibility to go to court in case of complaints about how your data is used. EU data protection laws therefore require an assessment of the level of data protection offered in a third country before data can be exported there.

The easiest option is for the European Commission, together with the European data protection authorities, to make the third-country assessment. If they are satisfied that a third country adequately protects data originating in Europe, the Commission may declare that country to be “adequate”. The list of countries with an adequacy decision is so far limited, which is an indication of how strict the assessment is. In fact, in an earlier case (Schrems-I), the CJEU determined that a third country needs a level of protection that is “essentially equivalent” to that of the EU.

In the absence of an adequacy decision, companies that want to export personal data can also make the assessment themselves. In that scenario, a data transfer contract also needs to be concluded, which should include specific provisions on data protection. Those provisions can be negotiated ad hoc (which requires the approval of the contract by a data protection authority), or the company can use the SCCs, which are pre-approved by the European Commission. That is the road most commonly taken, since it takes less time. However, the signing of SCCs has largely become just another box to tick, without the companies completing the linked assessment of the level of data protection in the third country.

Privacy Shield
In 2016, the U.S. and the EU created the Privacy Shield, a self-certification mechanism that companies could use when exporting data from the EU to the U.S., for example when using American cloud services or social networks. The Privacy Shield contains a whole series of conditions and safeguards that the company would need to respect, as well as various promises from the U.S. government related to national security and to access by the U.S. intelligence and security services to personal data transferred to America. This was needed following the Snowden revelations in 2013, which unveiled surveillance programs like PRISM and UPSTREAM with extensive access to data of European citizens. The European Commission was nevertheless satisfied in 2016 that the Privacy Shield would offer real protections to Europeans, and declared the Privacy Shield to be an adequate means of data protection. Data could flow freely from the EU to the U.S., as long as the company receiving the data adhered to the Privacy Shield.

In the Schrems-II judgment released last week, the Court decided to invalidate the Privacy Shield, since it is in fact not “essentially equivalent” to the level of protection offered by the GDPR. The Court considers the U.S. surveillance programs too vague, and therefore the risk of bulk collection of data coming from Europe too high. This means that the interference with our fundamental rights to privacy and data protection is disproportionate and thus not necessary, at least from the European perspective. Another major problem for the Court was that Europeans cannot go to court in the U.S., and that the alternative complaints-handling option that was created (a so-called Ombudsperson) did not have real powers to right a wrong. The invalidation of the Privacy Shield, which has immediate effect, thus means that there is no longer a free flow of personal data from Europe to America. Companies that have relied on the Privacy Shield thus far will need to find an alternative quickly.

Standard Contractual Clauses
One of these alternatives could be the SCCs. The contractual safeguards could, after all, also provide a legal means for international data transfers. But according to the Court, in the same case, the SCCs are not always a good option for a safe data export. In its judgment, the Court has extended the requirement that a third country should have an “essentially equivalent” level of data protection to all existing data transfer mechanisms, including the SCCs. This is because the GDPR requires that in the case of cross-border data transfers “the level of protection of natural persons guaranteed by [the GDPR] is not undermined”. Any safeguards that are agreed for the international transfer of personal data thus need to meet the same high standards.

A data exporter and data importer will need to assess whether they can meet the requirements of the SCCs in their specific situation. Do they expect to be able to guarantee the protections enshrined in the clauses, and thus avoid undermining the level of data protection offered by the GDPR? If not, it might be possible to agree on additional safeguards. This is allowed, as long as the provisions of the SCCs themselves are not changed (they can only be included in a contract on an “as they are” basis). This additional step implies that the data exporter and data importer will themselves need to undertake an assessment of the law of the country to which the data are flowing. Without such an assessment, agreeing on adequate safeguards would not be possible after all.

The assessment of a third country’s level of data protection should take a broad look at the legal framework, but in the light of the Schrems-II decision it should in any case include an assessment of any national surveillance legislation: is the data importer subject to such legislation, are the data likely to be intercepted by intelligence and security services given their nature, have there been requests from intelligence and security services to hand over personal data in the past, etc.? If national security legislation applies, it is unlikely that contractual clauses in any form could result in the required “essentially equivalent” level of protection, meaning the data export from the EU cannot (or can no longer) take place.

What does this mean?
Everyone, including the European Commission, the U.S. Government and the data protection authorities, is still analysing the Schrems-II verdict in detail. It is clear, however, that solutions will need to be found quickly, since international data flows have become much more difficult. For data exports from Europe to the United States, it seems that for the moment no legal options remain, at least not for data that could be of interest to the intelligence and security services. That would in any case include data stored in cloud services (think of Dropbox, Amazon Web Services, Google Cloud, etc.) and social media (Facebook, Twitter, Instagram, etc.). Further guidance on what to do, as well as announcements of new negotiations between the EU and the U.S. to find a political solution, are expected in the coming days.

International data transfers to other countries have also become more difficult. Where countries have extensive national security programs (think for example of Russia, China, Israel, India or South Africa), companies will need to take another look at their data contracts and at the laws of the country to which the data are exported, in order to determine whether sufficient safeguards have been put in place, whether more safeguards are possible, or whether the only option is to bring the data back to Europe and stop the export altogether, at least for the time being.

Written by Paul Breitbarth, visiting Fellow at ECPC and Director of EU Policy and Strategy, TrustArc. More blogs on Law Blogs Maastricht.