RegSol Blog

Schrems vs Facebook: Data Transfers outside the EEA

January 2020

To kick off a new year in Data Protection, we assess Austrian Privacy activist Max Schrems’ epic seven- year crusade against Facebook on whether methods used by companies to transfer data are above board. The importance of this decision has a massive impact on banks, carmakers and other international corporations who transfer data to the US and other non-EEA states.

Data controllers who transfer data to the US from the EU have been eagerly following the proceedings in Ireland & Schrems, the key test on the validity of key controls contained within the Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield, for transferring personal data to non-EEA territories in a GDPR compliant manner. Many organisations and service providers require such transfers for procuring cloud services, using online storage systems or carrying out intra group transfers for HR reasons, for instance. The GDPR restricts international transfers of personal data on the basis that non-EEA states have weaker controls increasing the risk that individuals’ data will be compromised and their rights and freedoms damaged.

So, on what basis can companies transfer data to a third country under GDPR?

  1. The European Commission decides that the third country has an adequate level of protection or safeguards in place
  2. The controller or processor has appropriate safeguards so that individual rights can be enforced with recourse to effective legal remedies
  3. A specific derogation applies to the transfer
  4. The Privacy Shield, a self-certification regime for US-based organisations receiving personal data from an EEA entity, is managed by the US Department of Commerce and US public authorities are subject to monitoring and enforcement requirements, as well as agreeing to cooperate with European data protection supervisory authorities.
By Judy de Castro - Regulatory Consultant
What’s the fuss about?

Facebook maintains that SCCs are sufficient and that there is no conflict between US surveillance laws and the EU right to privacy. Schrems argues that the DPC must limit transfers to the US by Facebook, as the rights of EU citizens are not adequately protected in relation to US surveillance laws.

On 19 December 2019 the Attorney General issued an opinion on the 11 questions raised in the Schrems case, in advance of the Court of Justice of the European Union’s (CJEU’s) ruling due in early this year. The CJEU usually follows this opinion which has stated that SCCs are validated and an appropriate method to protect personal data so long as the non- EEA state has a right of action against the data controller and that the data controller or supervisory authority can suspend such transfers where the laws of the non-EEA country conflicts with the SCCs. Less so for the US privacy shield as the Attorney General has cast doubt on its validity.

Potential Business Solutions?

  • Check your data flows and understand the impact to your business
  • Check if Binding corporate rules for intra-group transfers is an alternative
  • Carry out risk assessments to ensure that local laws and practices do not undermine SCCs in place

If you’d like assistance in understanding your obligations under GDPR, contact RegSol today for training or GDPR review of your controls and procedures.

By Judy de Castro - Regulatory Consultant