Cross-border data flows after Schrems II: An Australian perspective

Mitchell Willocks 17 August 2020

A landmark decision of the Court of Justice of the European Union ('CJEU’) regarding cross-border data flows and privacy and data protection sent shockwaves through the international business community in July, particularly for those who rely on cross-border data flows between the European Union (‘EU’) and the USA.

What happened?

In a judgment handed down on 16 July 2020, the CJEU held that the EU-US Privacy Shield was invalid,¹ immediately throwing the privacy and data protection arrangements of countless entities into disarray.

The EU-US Privacy Shield was an adequacy decision (‘the Privacy Shield Decision’)² made under Article 45(3) of the General Data Protection Regulation (‘GDPR’).³ Adequacy decisions made under Article 45(3) of the GDPR provide a mechanism for data controllers and processors to make data transfers to third countries or territories without any specific authorisation otherwise required under the GDPR,⁴ such as standard contractual clauses ('SCCs') or binding corporate rules ('BCRs') under Article 46⁵ and 47,⁶ respectively.

In short, the effect of Schrems II is that every entity dealing with the data of persons located within the European Economic Area (‘EEA’) can no longer rely on the EU-US Privacy Shield to transfer data to the USA. The result is that these entities must immediately adopt SCCs or BCRs under Article 46⁷ and 47,⁸ respectively to ensure that they can continue their operations without falling afoul of the provisions of the GDPR.

Why did it happen?

By way of background, Schrems II follows the similarly groundbreaking judgment in Schrems I.⁹ Schrems I and Schrems II stem from a 25 June 2013 complaint filed by Maximillian Schrems with the Irish Data Protection Commission.¹⁰ The 2013 complaint challenged the legal basis for cross-border data flows between Facebook Ireland Ltd (‘FB Ireland’) and Facebook Inc. (‘FB USA’) on the basis that the EU-US Safe Harbour Decision¹¹ was invalid in light of the revelations brought to light by Edward Snowden surrounding the US National Security Agency’s PRISM mass surveillance program.

While Schrems I ultimately invalidated the EU-US Safe Harbour Decision, regulators quickly replaced it with the EU-US Privacy Shield. In any event, FB Ireland and FB USA claimed to be relying on SCCs to skirt the necessity of an adequacy decision such as the EU-US Safe Harbour Decision or EU-US Privacy Shield. As a result, Maximillian Schrems filed a subsequent amended complaint on the basis that all modes of cross-border data flow between the EU and the USA, including SCCs, were invalid.¹²

The 1 December 2015 complaint was the catalyst for the 16 July 2020 CJEU judgment in Schrems II, which provided that:

the EU-US Privacy Shield is invalid, chiefly because US national security laws (e.g., the Foreign Intelligence Surveillance Act (USA) (‘FISA’)) take precedence over privacy protections, and data subjects do not have actionable rights against US authorities;
SCCs are valid, but the level of protection provided must be viewed in the context of the national laws of the recipient country, particularly regarding government access to data and data subject rights;
the GDPR continues to apply to the controllers and processors of cross-border data flows for commercial purposes from the EEA to a third country, including if a national government processes personal data in the recipient country for administrative purposes such as national security; and
supervisory authorities under the GDPR must suspend or prohibit transfers to third countries where the protection for the data does not provide equivalent protection to that in the EEA.

As there is now no adequacy decision providing for seamless cross-border data flows between the EEA and the USA, entities around the world have quickly scrambled to change their existing agreements, processes, and procedures to rely on SCCs or BCRs to avoid the significant financial and reputational liabilities that come with breaching the GDPR.

What it means for Australian entities and cross-border data flows

Australian entities which offer goods and services to data subjects located in the EEA or monitor the behaviour of data subjects located in the EEA are likely subject to the provisions of the GDPR.

In the context of the CJEU’s judgment in Schrems II, this means that Australian entities subject to the provisions of the GDPR can only rely on SCCs or BCRs to export the personal data of data subjects located in the EEA to an entity subject to the laws of the USA.

As there is no adequacy decision concerning Australia, this recent coverage of and focus on SCCs will undoubtedly affect Australian entities as various data controllers and processes around the world update their agreements to rely on SCCs instead of the EU-US Privacy Shield. The result will likely mean third-party data processors will require Australian entities to agree to new agreements or data processing addendums which rely on SCCs if such agreements are not already in place, which is surprisingly common despite it being more than two years since the GDPR came into force.

Australian entities subject to the provisions of the GDPR which import the personal data of data subjects located in the EEA or use a third-party processor located in the EEA should consider taking steps to ensure compliance with the GDPR, such as by:

reviewing all data transfer agreements with entities based in the EEA, and identifying the circumstances in which and the processes for data transfers from the EEA;
preparing for third-party processors to make contact to request an assessment of Australian laws and their compatibility with adequately protecting the personal data of data subjects located in the EEA;
proactively taking steps to implement an internal privacy compliance program to increase organisational resilience to rapid changes in legal interpretation, because we can likely count on there being a Schrems III.