Schrems considerations for data centre operators

What is the background to this case?

European data protection law prohibits the transfer of personal data to outside of the European Economic Area and UK unless that personal data can be protected to a level essentially equivalent to that of European data protection law.

Some countries have been “whitelisted”, meaning that the European Commission has determined that their laws do offer adequate protection to personal data.  This means that transfers from the EU to those countries are not restricted.

However, for all other third countries, companies have had to rely on other mechanisms.   One of these mechanisms is “Standard Contractual Clauses”.  These are template agreements that have been approved by the European Commission.  They impose obligations on the party sending the data and the party receiving the data.  The party receiving the data is obliged under the clauses to handle the personal data they receive to a standard that is “equivalent” to that of European data protection law.

Another mechanism was the EU-US Privacy Shield where US companies could self-certify that they comply with a set of EU style data privacy principles.  This would then allow them to receive data from the EU.

However, in Autumn 2015, a privacy activist called Max Schrems lodged a complaint with the Irish Data Protection Commissioner (DPC) against Facebook arguing that the transfer of his personal data by Facebook Ireland to Facebook in the US did not protect his fundamental privacy rights because the US public authorities have the power to carry out mass surveillance on personal data transferred to Facebook in the US.

He therefore argued that the Irish DPC should order Facebook to suspend the transfer of EU data to the US.

The Irish DPC brought proceedings in the High Court in relation to this complaint and asked the High Court to refer various questions on this issue to the Court of Justice of the European Union, including the question of whether the Standard Contractual Clauses (which is what Facebook were relying on to legalise the transfer) continued to be a valid mechanism for transferred personal data outside the EEA.

What did the CJEU say?

The court said that the Standard Contractual Clauses are valid, but there were lots of buts.

The court recognised that whilst Standard Contractual Clauses bind those who have entered into them, they don’t bind anyone else, such as public authorities. This means that the Standard Contractual Clauses may not always be sufficient to protect the personal data transferred.

Therefore, the court said that parties using the Standard Contractual Clauses need to make a “case-by-case assessment” of the laws and practices of the party receiving the personal data to make sure that the Standard Contractual Clauses offer adequate protection for personal data in light of those laws.

If they do not, then the parties need to “supplement the guarantees” in the Standard Contractual Clauses using other additional safeguards.

The court also opined on the validity of Privacy Shield and said it was no longer valid because: 1) US surveillance laws are disproportionate; 2) there is a lack of proper oversight; and 3) there isn’t proper redress for EU citizens.

The judgment talked of “supplemental guarantees” - what might these be?

The European Data Protection Board (EDPB) which comprises representatives from all EU data protection authorities recently produced guidance on what these safeguards might be:

• Technical measures such as encryption, pseudonymisation and split processing.
• Contractual measures such as requiring the importer to use specific technical safeguarding measures, providing transparency reports, enhanced audit rights or commitments to notify the exporter continually that it has not received a government access request until and unless it has (i.e. a “warrant canary”).
• Oganisational measures such as internal policies for governance of transfers with clearly defined responsibilities.

Some commentators have been critical of the practicalities around these recommendations.

Why are these rulings significant for data centre operators?

Data centres that operate outside of the UK/EU or a “whitelisted” country will undoubtedly be facing a raft of enquiries from customers about how they comply with the Schrems II judgment.

Data centre operators will need to assist their customers in making the “case-by-case assessments”.  And, in many circumstances, they will need to convince customers that the extra technical, contractual and organisational measures they have implemented make up for any short-comings identified in the country assessment.  This will of course incur time, expense and an in-depth knowledge, not only data protection law, but also of local laws and customs in the field of national security and surveillance.