Schrems II - transferring employee data outside of the EU

GDPR and cross border data transfers

GDPR prohibits the transfer of personal data outside of the EU unless certain conditions are met. In summary, such transfers are allowed if one of the following applies:

the European Commission (EC) has made an adequacy decision in respect of that country;

where there are appropriate safeguards in place, such as standard contractual clauses or binding corporate rules; or

a specific derogation applies, for example the data subject has given explicit consent.

This article just considers point 1 above, which until the Schrems II case was usually the most straightforward legal basis for EU to US data transfers.

In 2016, the EC adopted an adequacy decision approving a framework for EU to US personal data flows, known as the privacy shield. This allowed EU organisations to transfer EU personal data to organisations in the US, where the recipient was registered and approved with the privacy shield.

The Austrian lawyer concerned is a Maximillian Schrems who is also a data privacy campaigner. This is his second successful case, having in October 2015 successfully challenged the predecessor to the privacy shield, the EU-US safe harbour arrangements.

His complaint concerned the transfer of personal data from Facebook Ireland to servers belonging to Facebook Inc. located in the US. He complained to the Irish Data Protection Commissioner that the US approach to the personal data protection undermined the EU’s high data protection standards, and so the adequacy decision undermining privacy shield should be void.

As an example of his concerns, under US law internet service providers such as Facebook can be required to provide personal data to the NSA, CIA, the FBI and other regulatory authorities.

The decision

The ECJ agreed with him and ruled that the privacy shield is no longer a valid mechanism for transferring personal data between the EU and the US.

This decision will have to be tackled by not only Facebook, but any organisation that transfers personal data from the EU to the US.

The CJEU held that because the US authorities referred to above have sweeping powers to demand that US companies hand over data, this meant that the US did not provide adequate protection to EU data subjects. It also found that there was no effective right of redress for EU data subjects who wanted to complain about the way their personal data was dealt with in the US.

What next?

Organisations that transfer personal data to the US, for example by making UK employee data available to a US parent company, will need to review the legal basis for doing so.

There is often a culture clash here between a US parent company, which considers that they should have access to all data relating to the employees of the UK subsidiary, and EU data protection rules.

As well as reviewing the legal basis for transferring data outside of the EU, we recommend also considering another key principle of GDPR and the UK Data Protection Act 2018, data minimisation, which applies to all data processing, at home and transfers abroad. This requires that the processing of data is limited to what is necessary for the purpose for which it is obtained or maintained.

This is a chance to sit back and really consider what data non-EU parent companies need to have access to. This will require revisiting any data privacy impact assessments to consider the question of what information needs to be shared and with whom in the context of cross-border transfers.

Schrems II – transferring employee data outside of the EU

GDPR and cross border data transfers

The decision

What next?

Related articles

Changes to who can claim indirect discrimination

The anatomy of a Special Educational Needs & Disability (SEND) tribunal case – part 3

The anatomy of a Special Educational Needs & Disability (SEND) tribunal case – part 2