More than half of enterprises have no intention of ceasing or reducing their reliance on US-based or non-European Economic Area (EEA) data processors despite the Schrems II ruling, a survey conducted by legal experts at Fieldfisher has found.
Of the 138 anonymous responses received from enterprises, about 75% indicated that half or more of their data processors were based in the US or non-EEA territories.
However, just 12% said they would reduce their reliance on US-based or non-EEA processors (30% were undecided), and only 5% said they intended to halt their data exports completely (just under 20% were undecided).
By contrast, about three-quarters said they would not cease their data exports to the US or non-EEA jurisdictions, while 57% said they had no intention of reducing their reliance on these processors, indicating that many firms could be open to non-compliance with the Schrems II decision.
On 16 July 2020, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield data-sharing agreement, which the court said failed to ensure European citizens adequate right of redress when data is collected by the US National Security Agency (NSA) and other US intelligence services.
The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the ECJ, also cast doubt on the legality of using standard contractual clauses (SCCs) as the basis for international data transfers, finding that although these were legally valid, companies still had a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in EU law.
Phil Lee, a partner in Fieldfisher’s privacy, security and information group who was responsible for conducting and analysing the survey, said the findings reveal a huge disparity in how courts and regulators think the law should work, and the way that companies operate in practice.
“I think the issue we have at the moment is that we have very limited means to transfer data boldly outside of the EEA – the Schrems ruling entirely removed one of those means with Privacy Shield and put the other means, standard contractual clauses, on life support,” he said.
“Without providing a new way of saying to companies this is how you can, in a realistic way, transfer this data internationally, you actually risk pushing a lot of very well-meaning organisations into non-compliance through absolutely no fault of their own.”
Lee added the number of undecided enterprises also indicated that future regulatory guidance and enforcement will play a critical role in deciding what actions organisations end up taking.
A key aspect of the ECJ ruling is that organisations must carry out case-by-case risk assessments for each non-EEA data transfer they make to ensure the recipient ensures levels of data protection equivalent to the EU.
Known as transfer impact assessments, the Fieldfisher survey asked whether these would be conducted for each transfer, but only about 15% said yes, with 40% indicating they would only do so for “larger or more sensitive transfers”.
Asked what they would do if the impact assessment did determine there was a risk in the transfer, just 4% of respondents said they would prohibit it completely.
However, 57% did indicate that they would attempt to make the transfer legal by putting in place “supplementary measures” or additional safeguards – such as encryption, contractual or policy commitments, or localised data hosting – although no European court or regulating body has yet decided what would be a suitable alternative.
Lee believes most companies will end up skipping the transfer impact assessment stage, and instead assume that wherever they plan to send the data will simply not provide equivalent protections to the EU because of the level of due diligence that making such an assessment would require of the business.
“What you’re really doing here is saying to any business – no matter how big or how small you are – that if you are exporting your data internationally, or using any kind of cloud service, we are expecting you to assess the laws of the country where your data may be processed,” he said, adding that this would include an examination of whether a country has a data protection authority, and its human rights laws.
“Even legal experts would struggle to do this outside of their own territory, so it’s a wildly unrealistic expectation,” said Lee.
He said no data protection authority will view another jurisdiction as essentially equivalent unless it has already been declared to have adequate data protections, which would be done by the European Commission, something that is likely to shape how businesses approach the situation.
“If you are transferring to a non-adequate country, you’d have to be pretty brave to say ‘well, it’s not adequate, but I think it’s safe enough to receive EU data’,” said Lee. “There’s no way you could defend that before a regulator – so you’re always going to have to come down on the other side of concluding that any non-adequate country is, surprise surprise, not adequate.
“I would say the only long-term solution to this is a political one. None of the additional safeguards we can think of at the moment [to provide equivalent protection] are going to be absolutely foolproof. What we actually need is an intra-governmental political solution between the EU and the US, where there is some kind of movement on the national surveillance regimes, and protection for EU data.”
The UK’s Government Digital Service (GDS) announced on 22 September that it is conducting a review of cross-government cloud policy and guidance, including the future of the Cloud First policy, in the light of Schrems II.
“The assessment will identify relevant data flows and make sure appropriate mitigation is implemented if necessary, following updates and guidance from the Information Commissioner’s Officeand the European Data Protection Board,” said Lord Agnew in response to questions from fellow peers at the time. “GDS has engaged with other government departments via data advisory groups and data protection networks to ensure consistent mitigation.
“Ultimately, however, it is a decision for individual government organisations where and how to store their data, provided it is done in a secure way and offers good value for money.”