Cross-border data flows after Schrems II: An Australian perspective

A landmark decision of the Court of Justice of the European Union (‘CJEU’) on cross-border data flows, privacy and data protection sent shockwaves through the international business community in July 2020, particularly among those who rely on cross-border data flows between the European Union (‘EU’) and the USA.
In a judgment handed down on 16 July 2020, the CJEU held that the EU-US Privacy Shield was invalid,[1] immediately throwing the privacy and data protection arrangements of countless entities into disarray.
The EU-US Privacy Shield was an adequacy decision (‘the Privacy Shield Decision’)[2] made under Article 45(3) of the General Data Protection Regulation (‘GDPR’).[3] Adequacy decisions made under Article 45(3) of the GDPR provide a mechanism for data controllers and processors to transfer data to third countries or territories without any of the specific authorisations otherwise required under the GDPR,[4] such as standard contractual clauses (‘SCCs’) or binding corporate rules (‘BCRs’) under Articles 46[5] and 47,[6] respectively.
In short, the effect of Schrems II is that an entity dealing with the data of persons located within the European Economic Area (‘EEA’) can no longer rely on the EU-US Privacy Shield to transfer that data to the USA. The result is that these entities must immediately adopt SCCs or BCRs under Articles 46[7] and 47,[8] respectively, to ensure that they can continue their operations without falling afoul of the provisions of the GDPR.
By way of background, Schrems II follows the similarly groundbreaking judgment in Schrems I.[9] Both Schrems I and Schrems II stem from a complaint filed with the Irish Data Protection Commission by Maximilian Schrems on 25 June 2013.[10] The 2013 complaint challenged the legal basis for cross-border data flows between Facebook Ireland Ltd (‘FB Ireland’) and Facebook Inc. (‘FB USA’), arguing that the EU-US Safe Harbour Decision[11] was invalid in light of Edward Snowden’s revelations about the US National Security Agency’s PRISM mass surveillance program.
While Schrems I ultimately invalidated the EU-US Safe Harbour Decision, it was quickly replaced with the EU-US Privacy Shield. In any event, FB Ireland and FB USA claimed to be relying on SCCs, which would remove the need for an adequacy decision such as the EU-US Safe Harbour Decision or the EU-US Privacy Shield. As a result, Maximilian Schrems filed an amended complaint contending that all modes of cross-border data flow between the EU and the USA, including SCCs, were invalid.[12]
The 1 December 2015 complaint was the catalyst for the 16 July 2020 CJEU judgment in Schrems II, which provided that:
As there is now no adequacy decision providing for seamless cross-border data flows between the EEA and the USA, entities around the world have quickly scrambled to change their existing agreements, processes, and procedures to rely on SCCs or BCRs to avoid the significant financial and reputational liabilities that come with breaching the GDPR.
Australian entities which offer goods and services to data subjects located in the EEA, or which monitor the behaviour of data subjects located in the EEA, are likely subject to the provisions of the GDPR by virtue of its extraterritorial scope under Article 3(2).
In the context of the CJEU’s judgment in Schrems II, this means that Australian entities subject to the provisions of the GDPR can only rely on SCCs or BCRs to export the personal data of data subjects located in the EEA to an entity subject to the laws of the USA.
As there is no adequacy decision concerning Australia, the renewed focus on SCCs will undoubtedly affect Australian entities as data controllers and processors around the world update their agreements to rely on SCCs instead of the EU-US Privacy Shield. The likely result is that third-party data processors will require Australian entities to enter into new agreements or data processing addendums which rely on SCCs where such agreements are not already in place. This remains surprisingly common, despite the GDPR having been in force for more than two years.
Australian entities subject to the provisions of the GDPR which import the personal data of data subjects located in the EEA or use a third-party processor located in the EEA should consider taking steps to ensure compliance with the GDPR, such as by:
This content is for reference purposes only and is intended to be current as at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this content.