Schrems II: How will impact international data flows in practice

Of all the privacy developments that have hit the headlines this year, arguably none – not even the coming into effect of the CCPA, developments related to the LGPD in Brazil, or the ongoing Brexit adequacy saga – have been as impactful as the Court of Justice of the European Union’s ruling in Schrems II on 16 July.

This ruling declared invalid reliance on the EU-US Privacy Shield as a lawful mechanism for exporting data to the US, due to concerns about surveillance by US state and law enforcement agencies (and with the subsequent effect that the Swiss-US Privacy Shield has also suffered a similar fate in the past day). It upheld the EU Standard Contractual Clauses (“SCCs”) as a lawful mechanism for data exports, but subject to an assessment of the recipient territory’s laws and the potential need to put in place “supplementary measures” to ensure that exported EU data remains protected to a standard that is “essentially equivalent” with EU law. But enough of that: if you want to read about the background to the case or a legal analysis of the ruling, then see our earlier blog posts – Background on CJEU “Schrems II” Case and Schrems II Judgement Day.

Schrems II

Depending on the commentary you read, the ruling either spells the end of international data transfers to the US, is a bump in the road that will be fixed in time by new (and long overdue) EU Standard Contractual Clauses or a new “Privacy Shield 2.0”, or is all a big fuss about nothing that won’t have any meaningful impact at all. There’s a lot of theorising on all sides of the debate, but what will be the practical reality? How are organisations actually responding?

It was with a view to answering those questions that Fieldfisher decided to launch a survey on the practical impacts of Schrems II. Plenty of you replied (and thank you to everyone who did), and details of the survey responses – together with our analysis about what this means – are set out below.

How was the survey run?

But first, the boring bit: explaining our survey methodology. The survey was created on SurveyMonkey and made publicly available online. It comprised 9 multiple choice questions in total, each of which you can see below. Participants were invited to respond to the survey through LinkedIn and through our blog.

We set the survey to run anonymously, in the sense that we did not ask any participants to identify themselves, so we do not know the identity of any participants who responded, but it is reasonable to assume (due to the wide reach of our blog and social media contacts) that respondents from organisations both within and without the EEA and UK will have participated across a variety of sectors. We did turn on a survey feature that prevented the same respondent from completing the survey twice.

In total, we received 138 responses – and, after the first 30 – 40 responses, clear trends had started to develop. Subsequent responses up to the point of closing the survey (today) tended to reinforce the trends we saw in the early responses. A full copy of the survey responses is available here: Schrems II Impacts Report

Question 1: What proportion (roughly) of the data processors used by your organisation are US-based or based in non-EEA/non-UK territories?

Of the responses received to this question, approximately 75% indicated that half or more of their data processors are based in the US or non-EEA/non-UK territories (around 50% saying the majority and a further 25% saying about half).

This illustrates why the Schrems II ruling is so impactful: if the survey results we have seen are illustrative of wider industry as a whole, there will be an awful lot of organisations who are now having to transition their data flows away from reliance on the Privacy Shield across to SCCs.

Even where organisations are already relying on the SCCs, the Schrems II ruling suggests they now need to consider undertaking transfer impact assessments to assess whether those transfers meet the “essential equivalence” test and, if not, to implement “supplementary measures”. That inevitably means a lot of legacy vendor relationships will be revisited – and new vendor relationships will be subject to much closer investigation and scrutiny going forward.

**Question 2: In light of the Schrems II ruling, does your organisation intend to reduce use of US-based or non-EEA/non-UK data processors (either now or over time)?**

Tellingly, only a small minority of respondents answers “yes” to this question – just 12%. The remaining 88% indicated they did not intend to reduce their data exports to the US or to non-EEA/non-UK jurisdictions (57%) or were undecided (30%). Clearly, the volume of undecided responses – totalling around 1/3 of the responses received – indicates that future regulatory guidance and enforcement will play a critical role to the actions that organisations take.

What else can you read from this? Arguably this: that no matter what the law says, data transfers are an inevitability of modern technologies and the Internet. Attempting to regulate in a way that restricts those transfers could simply result in widespread non-compliance across organisations who have little meaningful alternative. Regulatory guidance therefore needs to identify solutions, not barriers.