Starting with a good note: The “Schrems II” judgment does not lead to significant negative implications for companies that rely on the derogations the EU General Data Protection Regulation provides for international data transfers through Article 49.
The Court of Justice of the European Union’s judgment stipulates that companies will need to evaluate whether their use of the standard contractual clauses provides sufficient protection in light of any access by the public authorities of the third country to the personal data transferred and the relevant aspects of the legal system of such third country.
However, the judgment does not indicate that this evaluation of public authorities’ access to personal data is required to rely on the derogations, in part because, unlike other transfer mechanisms, the derogations acknowledge and accept that the legal system of a third country does not provide adequate data protection. More importantly, the derogations do not demand companies implement countermeasures to “raise” the data protection level of the data recipient in the third country (with the exception of the “compelling legitimate interest” derogation in Article 49 (1)(2) of the GDPR).
Put another way: the receiving country’s legal system and adequacy of its data protection level do not generally play a role in determining the applicability of the derogations. Thus, companies that can currently rely on the derogations should be able to continue to do so (although this may be different for the “compelling legitimate interest” derogation, see below).
There are, however, some key data privacy considerations that companies must consider before relying on the derogations as an alternative to the EU-U.S. Privacy Shield or SCCs, given their limited applicability, and the operational challenges of minimizing the scope of personal data transferred.
The title of Article 49 alone, “Derogations in specific situations,” suggests derogations have a limited scope of applicability. Further, the European Data Protection Board made it clear in its 2018 guidance that derogations only apply where there are no other transfer mechanisms available, and companies have considered other solutions. Therefore, the derogations only serve as an exception to the requirements for cross-border transfers and should not be a standard, everyday solution to cover such transfers. This becomes more clear when we consider key privacy considerations for the most relevant derogations.
- Consent. Relying on consent requires highlighting, specifically, in the consent language presented to data subjects that their personal data will be transferred internationally, and the risk associated with such transfers. While companies should mostly be able to address these requirements, consent presents some challenges as a reliable basis for data processing. The right of withdrawal leaves it to the data subject to decide at any time whether an international data transfer must be stopped. This can be an issue in cases in which a data subject withdraws consent and the actual data processing can no longer be performed by the company without significant adjustments to the technical data flows to avoid an international data transfer. Moreover, consent may not be a valid solution in many human resources scenarios due to questions about the validity of employee consent given the perceived imbalance in the employer-employee relationship.
- Necessity. These derogations allow companies to transfer data internationally for the performance of a contract or to enforce or defend itself against legal claims and are subject to the “necessity” and “occasional” test. A company can only rely on these derogations when a data transfer is “strictly required” for these purposes (this requires a narrow interpretation under the EDPB’s Guidelines, 01/2019, Article 6 (1)(b)) and only when the transfers occur occasionally. Given the technical challenges that companies may face minimizing the personal data transferred to what is truly necessary, relying on these derogations may be a challenge for everyday international data transfers.
- Compelling legitimate interests. Lastly, the key requirements for relying on the “compelling legitimate interest” derogation (Article 49(1) subparagraph 2 of the GDPR) does not make it an easy catchall solution for international transfers of personal data not covered by the derogations above. In particular, this derogation can only be used as a last resort and, if relied upon, calls for companies to implement “suitable safeguards with regard to the protection of personal data.” Considering the rationale of the “Schrems II” judgment included companies taking steps to ensure adequate safeguards are in place for transfers under the SCCs (see above), there will be more attention and pressure on companies to ensure they implement similar safeguards under this derogation to ensure adequate protection of such transfers. Further, the requirement that companies exporting personal data notify the competent supervisory authority of such transfers and document its underlying assessment of the safeguards in place are key considerations to keep in mind prior to relying on this derogation as a transfer mechanism.
Speaking of documentation, generally, all the derogations call for clear cut documentation of the assessment that led to their use, ensuring compliance with the accountability principle of Article 5(2) of the GDPR and to be able to explain and demonstrate why no other transfer option was available.
To sum it up, the “Schrems II” judgment will likely not fuel the rapid use of the derogations, given the limitations on the derogation’s applicability and key privacy compliance steps, and should be reviewed closely before being relied upon as an alternative mechanism for international data transfers. Despite the statement in the CJEU’s judgment (see Paragraph 202 in the judgment), it is unlikely derogations will be able to entirely fill the gap that comes from the judgment.