September 15, 2020 - On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its long-awaited judgment in Case C-311/18 (“Schrems II”), finding that the EU-U.S. Privacy Shield is invalid effective immediately and that standard contractual clauses (“SCCs”) remain valid only under certain conditions.  We previously published an Alert on Schrems II. 

The Current Situation

The national data protection authorities (“DPAs”) have had various reactions to Schrems II.  The Irish Data Protection Commissioner noted that “The application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.  This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.”  In the UK, the DPA indicated that “Further work is underway by the European Commission and EDPB [European Data Protection Board] to provide more comprehensive guidance on extra measures you may need to take.  In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available.”

In Germany, the Federal DPA announced that it will “urge rapid implementation [of Schrems II] in particularly relevant cases” and that transfers to the U.S. are still possible with additional safeguards.  The Berlin DPA stated that transfers to the United States are currently not possible and encouraged controllers to use service providers within the EU, and the Hamburg DPA noted that the CJEU’s reasons for invalidating the EU-U.S. Privacy Shield also apply to the SCCs.

In Norway, the DPA noted that it remains up to the EU data exporter and the non-EU data importer to assess whether the level of protection provided by the SCCs will also be respected in the importing country.  In Serbia, the DPA highlighted that the national law still refers to the U.S. as an adequate third country when data is transferred using the Privacy Shield, and that it has sent a letter to the Government of Serbia asking it to harmonize the national law with Schrems II.

Following its annual assessment of the Swiss-U.S. Privacy Shield regime and in light of Schrems II, the Swiss Federal DPA concluded that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for personal data transferred from Switzerland to the U.S. pursuant to the Federal Act on Data Protection, and that the use of SCCs or binding corporate rules (“BCRs”) requires companies to conduct a risk assessment and possibly implement additional safeguards.

The U.S. Department of Commerce has stated that it will continue to administer the EU-U.S. Privacy Shield program, presumably for data that has already been transferred to the U.S.  The EU Commission has initiated discussions with the U.S. Department of Commerce to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework that would be Schrems II compliant.  EU Commissioner for Justice Didier Reynders separately predicted that EU officials would complete their post-Schrems II upgrade of the SCCs by the end of 2020.  Meanwhile, Schrems and his non-profit organization have already filed 101 complaints with a number of national DPAs in the EU.

Compliance with anti-corruption laws can require international transfers of sensitive or criminal personal data.  Businesses that carry out such transfers have to ensure that EU residents’ personal data transferred to a non-EU country benefit from a level of protection essentially equivalent to that guaranteed by EU law, taking into account the risks involved in the transfer.  In this vein, on July 29, 2020, the UK DPA indicated that “The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-U.S. Privacy Shield.”

Taking a wait-and-see approach to data transfers in the context of anti-corruption compliance following Schrems II may present risk in light of (i) the nature of the personal data involved (often sensitive or criminal data); and (ii) the EDPB statement of July 17, 2020 indicating that, following Schrems II, the assessment of whether the countries to which personal data is sent offer adequate protection is primarily the responsibility of the personal data exporter and importer (and not of the DPAs).

How Schrems II affects Anti-Corruption Compliance Programs

Following Schrems II, businesses conducting anti-corruption compliance programs have limited options.  If possible, they may decide to stop transferring personal data outside the EU.  Alternatively, they could use or continue to use one of the mechanisms that permit the transfers of personal data outside the EU and adapt their anti-corruption compliance programs in light of Schrems II.

In doing so, businesses should assess the data protection compliance safeguards that are relevant to their anti-corruption compliance program, and should in particular:

  • review the list of sub-contractors involved in the anti-corruption program, including those based in non-EU countries, and the legal basis for the transfer of personal data and provisions of data protection clauses with sub-contractors;
  • conduct a data flow mapping and, if necessary, adapt internal processes between subsidiaries and/or the parent company to limit personal data transfers to non-EU data importers without compromising the effectiveness of the anti-corruption program;
  • assess the level of guarantees that non-EU-based data importers involved in anti-corruption programs offer in terms of protection of the personal data transferred to them, under the laws of the country where they are based and their professional rules of conduct; and
  • perform transfers of personal data to non-EU data importers on the basis of SCCs or BCRs only after reassessing those transfers in light of Schrems II.

We have set out below some practical high-level recommendations intended to assist companies in meeting these objectives. 

Six High-Level Recommendations on How to Deal with the Impact of Schrems II

1.  Continue to follow the EU-U.S. Privacy Shield Principles.  The EU-U.S. Privacy Shield is no longer a legal basis for transferring personal data to the U.S.  However, U.S. data importers that self-certified under the EU-U.S. Privacy Shield should (i) continue to follow the EU-U.S. Privacy Shield principles, and (ii) seek another legal basis for transferring personal data to the U.S.

2.  Review the record of processing activities.  Review the record of processing activities to identify which transfers can rely on the GDPR Article 49 derogations, which cover transfers made with explicit consent or transfers that are necessary for the performance of a contract or for the establishment, exercise or defense of legal claims.  These derogations are not affected by Schrems II, and businesses may therefore continue to rely on them as they did before Schrems II, bearing in mind that the EDPB’s FAQs stress that Article 49 is exceptional in nature, must be interpreted restrictively and mainly relates to processing activities that are occasional and non-repetitive.  

3.  Conduct an in-depth review of SCCs using a step-by-step method:

- Update the privacy impact assessment (“PIA”).  In its FAQs published on July 23, 2020, the EDPB indicated that it is for the data exporter, with the help of the data importer, to assess whether the SCCs, taking into account the law of the country where the data importer is based, provide a level of protection essentially equivalent to that guaranteed in the EU; in practice this is a PIA-type exercise.  In certain circumstances, complying with anti-corruption laws requires international transfers of sensitive and criminal data, which must be included in the PIA carried out before commencing the processing and the international transfers of personal data.  Following Schrems II, businesses should update their PIA, with the help of the non-EU data importers they use, to assess whether the legal basis for the transfer of personal data outside the EU provides enough protection under the legal system of the importer’s country.    

- Follow the Advocate General’s opinion.  The Advocate General’s opinion in Schrems II indicated that supplementary measures aim to ensure effective remedies against the data importer and should take into consideration all of the circumstances characterizing the personal data transfers, including transfers of any sensitive personal data, the security measures employed and the nature and purpose of the processing.  The Advocate General added that minimum safeguards could take the form of “a clear indication of the nature of the offences which may give rise to an interception order; a definition of the categories of people whose communications are likely to be intercepted; a limit on the duration of the implementation of the measure; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or the tapes destroyed.”

- Add contractual clauses to the SCCs.  The CJEU found that the SCCs are valid in principle but may require “additional safeguards” to ensure a level of protection that is “essentially equivalent” (but not necessarily identical) to that in the EU.  There may be little, if anything, a non-EU data importer can do to protect the transferred data from government surveillance programs, but any contractual protections that can be added may help the data exporter and importer document their efforts to comply in an uncertain legal environment, in the event that a supervisory authority in the EU questions a particular transfer and/or in litigation.  Drawing on the SCC obligations that the CJEU highlighted in its judgment, in appropriate cases a U.S. data importer might, for example, be able to:  

  • declare that it has no reason to believe that any EU data subjects affected by the transfer are subject to U.S. government surveillance programs;
  • declare that it has no reason to believe its national law would prevent it from fulfilling its obligations under the SCCs as amended;
  • undertake to implement additional technical and organizational measures to ensure the security of the data (such as encryption or tokenization);
  • undertake to verify and inform the EU data exporter of the existence of local laws that may compromise the security of the data;
  • undertake to immediately inform the EU data exporter if it becomes aware of any changes in legislation or regulations that may have negative consequences for the guarantees and obligations offered by the SCCs as amended; and/or
  • if it is compelled to disclose personal data to governmental authorities, undertake to inform the EU data exporter of its inability to comply with the SCCs as amended. 

4.  Anticipate reviewing BCRs. The validity of BCRs was not discussed in Schrems II but the EDPB, in its FAQs, indicated that “the threshold set by the Court also applies to all appropriate safeguards (…) used to transfer data from the EEA to any third country.”  Accordingly, it would be prudent to conduct a risk assessment as to whether BCRs already in place provide enough protection within the national legal framework.

5.  Document Compliance Efforts.  Document all analysis, actions, and efforts to ensure that SCCs and/or BCRs are providing EU data subjects with protections that are essentially equivalent to those guaranteed by EU law.  This should be done for international personal data transfers and for other GDPR obligations and principles.  Following Schrems II, we are heading into a period of increased regulatory scrutiny and NGO activism, and well-documented compliance efforts may be invaluable in the event of legal action by DPAs in the EU and/or by interested parties such as NGOs or individuals.

6.  Monitor guidance from the EDPB and the relevant DPAs.  The EDPB and DPAs are expected to publish further guidance regarding the impact of Schrems II.  EU data exporters and non-EU data importers need to monitor further developments and adjust their compliance programs accordingly.  Guidance from the lead supervisory authority that would have primary responsibility for disputes involving cross-border transfers is particularly relevant.

                                                          *        *        *

This client advisory is not intended as legal advice.  Our recommendations reflect what we believe to be best practices, based on current guidance from EU authorities, and may help to defend data transfers outside the EU or mitigate potential penalties in the event of legal action by DPAs in the EU and/or NGOs.  Businesses carrying out international personal data transfers for the purpose of anti-corruption compliance should therefore review their situation in light of their specific circumstances and the guidance of the relevant DPA(s).  

For advice and assistance with your data transfers outside the EU, please contact any of the Hughes Hubbard attorneys listed below. 

Stefan Naumann | Partner 
Hughes Hubbard & Reed LLP
4 rue Cambacérès | 75008 Paris, France
Office +33 (0) 1 44 05 80 60 | Cell +33 (0) 6 64 10 33 06

Seth D. Rothman | Partner 
Hughes Hubbard & Reed LLP
One Battery Park Plaza | New York, NY 10004-1482
Office +1 (212) 837-6872 | Cell +1 (917) 697-8093

Kevin Abikoff | Partner 
Hughes Hubbard & Reed LLP
1775 I Street, N.W., Suite 600 | Washington, DC 20006-2401
Office +1 (202) 721-4770 | Cell +1 (917) 513-6029

Bryan Sillaman | Partner 
Hughes Hubbard & Reed LLP
4 rue Cambacérès | 75008 Paris, France
Office +33 (0) 1 44 05 80 03 | Cell +1 (202) 412-6868

Nicolas Tollet | Partner 
Hughes Hubbard & Reed LLP
4 rue Cambacérès | 75008 Paris, France
Office +33 (0) 1 44 05 76 06 | Cell +1 (347) 268-0872

Michael H. Huneke | Partner 
Hughes Hubbard & Reed LLP
4 rue Cambacérès | 75008 Paris, France
Office +1 (202) 721-4714 | Cell +1 (571) 271-2738

Anne Gaustad | Partner 
Hughes Hubbard & Reed LLP
4 rue Cambacérès | 75008 Paris, France
Office +33 (0) 1 44 05 80 57 | Cell +1 (202) 734-8605

Elsa Malaty | Associate
Hughes Hubbard & Reed LLP
4 rue Cambacérès | 75008 Paris, France
Office +33 (0) 1 44 05 80 18 | Cell +1 (929) 253-5120