More than half of enterprises have no intention of ceasing or reducing their reliance on US-based or non-European Economic Area (EEA) data processors despite the Schrems II ruling, a survey conducted by legal experts at Fieldfisher has found.
Of the 138 anonymous responses received from enterprises, about 75% indicated that half or more of their data processors were based in the US or non-EEA territories.
However, just 12% said they would reduce their reliance on US-based or non-EEA processors (30% were undecided), and only 5% said they intended to halt their data exports completely (just under 20% were undecided).
By contrast, about three-quarters said they would not cease their data exports to the US or non-EEA jurisdictions, while 57% said they had no intention of reducing their reliance on these processors, indicating that many firms could be open to non-compliance with the Schrems II decision.
On 16 July 2020, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield data-sharing agreement, which the court said failed to ensure European citizens adequate right of redress when data is collected by the US National Security Agency (NSA) and other US intelligence services.
The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the ECJ, also cast doubt on the legality of using standard contractual clauses (SCCs) as the basis for international data transfers, finding that although these were legally valid, companies still had a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in EU law.
Phil Lee, a partner in Fieldfisher’s privacy, security and information group who was responsible for conducting and analysing the survey, said the findings reveal a huge disparity in how courts and regulators think the law should work, and the way that companies operate in practice.
“I think the issue we have at the moment is that we have very limited means to transfer data boldly outside of the EEA – the Schrems ruling entirely removed one of those means with Privacy Shield and put the other means, standard contractual clauses, on life support,” he said.
“Without providing a new way of saying to companies this is how you can, in a realistic way, transfer this data internationally, you actually risk pushing a lot of very well-meaning organisations into non-compliance through absolutely no fault of their own.”
Lee added the number of undecided enterprises also indicated that future regulatory guidance and enforcement will play a critical role in deciding what actions organisations end up taking.
A key aspect of the ECJ ruling is that organisations must carry out case-by-case risk assessments for each non-EEA data transfer they make to ensure the recipient ensures levels of data protection equivalent to the EU.
Known as transfer impact assessments, the Fieldfisher survey asked whether these would be conducted for each transfer, but only about 15% said yes, with 40% indicating they would only do so for “larger or more sensitive transfers”.
Asked what they would do if the impact assessment did determine there was a risk in the transfer, just 4% of respondents said they would prohibit it completely.
However, 57% did indicate that they would attempt to make the transfer legal by putting in place “supplementary measures” or additional safeguards – such as encryption, contractual or policy commitments, or localised data hosting – although no European court or regulating body has yet decided what would be a suitable alternative.
Lee believes most companies will…
IAB Europe’s advertising bidding model uses personal data, EU court rules
After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case…