Schrems II Decision: Impact on Cloud Migration & More

Data Protection When Transferring the Digital Business Operations Into the Cloud

More and more companies are transferring their digital business operations into the cloud, usually to run on the cloud-based infrastructure provided by a cloud service provider.

In the course of cloud migration, companies may transfer personal data to cloud providers established outside the European Union / European Economic Area and must therefore take into account the relevant applicable data protection rules related to the transfer of personal data.

According to the General Data Protection Regulation (GDPR) a transfer of personal data occurs when personal data is transferred to a country other than EU member states and the three additional EEA countries (Norway, Iceland and Lichtenstein).

Transfer to adequate third countries vs. transfer to non-adequate third countries

Any transfer of personal data to a third country must comply with the requirements laid down in the GDPR and the third country or the international organization must ensure, pursuant to Art. 45(1) of the GDPR, an adequate level of protection.

The General Data Protection Regulation (GDPR) distinguishes between third countries that provide an adequate level of protection and those that do not. The transfer of personal data to a third country, that has been recognized as providing an adequate level of protection, does not require the prior authorization of a supervisory authority and companies (data exporters) do not need to put in place any additional protection and do not have to rely on another data transfer tool such as the adoption of Standard Contractual Clauses (SCC) (SCC are contractual clauses that have been adopted by the European Commission and that ensure appropriate data protection safeguards).

According to Art. 45 (2) of the GDPR, the European Commission may adopt an adequacy decision by taking into account a range of elements such as the existence of one or more independent supervisory authorities in the third country, the international commitments the third country has entered into or the respect of human rights and fundamental freedoms. However, in the absence of such a decision, personal data may still be transferred to a third country only if the controller or the processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The adoption of appropriate safeguards aims at ensuring that the protection of natural persons ensured in the European Union by the GDPR is not undermined (recital 101 of the GDPR, Art. 44 of the GDPR). The adoption of Standard Data Protection Clauses (SCC) is considered as an appropriate safeguard.

Schrems II Decision & Privacy Shield

On 12 July 2016 , the European Commission adopted the adequacy decision on the EU-US Privacy Shield. The Privacy Shield was an EU-US data transfer mechanism based on self-certification by which US organizations committed to a set of privacy principles. More than 5000 US companies relied on the Privacy Shield to conduct trans-Atlantic trade in compliance with EU data protection rules . The transfer of personal data from a data exporter established in the European Union / European Economic Area to a data importer in the US was thus allowed, if the organization in question had self-certified their adherence to the privacy principles and committed to comply with them.

However, in its Judgment dated 16 July 2020 , the European Court of Justice invalidated the Privacy Shield Decision adopted by the European Commission, considering that it disregarded the requirements of Art. 45(1) of the GDPR, read in the light of Articles 7 (respect for private life and family), 8 (protection of personal data) and 47 (right to an effective remedy and a fair trial) of the Charter of fundamental rights of the European Union.

What are the impacts of the Schrems II decision on data transfers?

Since the Privacy Shield has been invalidated with immediate effect (recital 202 of the Schrems II Judgment), companies may no longer rely on the Privacy Shield to transfer personal data to an organization established in the United States. The European Court of Justice upheld however the Standard Contractual Clauses as a lawful data transfer tool but pointed out, that the sole adoption of SCC may in some cases not always be sufficient in order to guarantee the necessary protection of personal data. Pursuant to recital 133 of the Shrems II Judgement “SCC are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contractual obligation to ensure compliance with the level of protection required under EU law, they may require […] the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection”.

In practice, it means that controllers (data exporters) that rely on SCC for the transfer of personal data to a third country are required to assess whether the law of the destination country ensures adequate protection for the personal data being transferred. This assessment is referred in the literature as a Data Transfer Risk Assessment To this end, the Controller (data exporter) must take into consideration inter alia:

the contractual clauses agreed between the data exporter and the data importer established in the third country concerned;
any access by the public authorities of that third country to the personal data transferred;
and the relevant aspects of the legal system of that third country (e.g.: the rule of law, the relevant domestic legislation, data protection rules, effective and enforceable data subjects rights, the international commitments the third country has entered into etc).

If, after having conducted the assessment, the data exporter considers, that the law of the destination third country does not ensure an adequate level of protection for the personal data, supplementary measures will have to be adopted to ensure a level of protection essentially equivalent to that prescribed by EU law.

The European Data Protection Board (EDPB) issued on 18 June 2021 recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In its recommendations, the EDPB outlined a six steps roadmap to help data exporters with the task of assessing third countries and identifying appropriate supplementary measures where needed:

In the context of a data migration into the cloud, specific attention should be given to step 3 that relates to the specific circumstances of the transfer. By migrating personal data into the cloud, the controller should, among others, take into account the risks related to processing of data into the cloud, e.g. the lack of control over the data (e.g. lack of intervenability: a cloud provider may not provide the necessary measures and tools to assist the controller to manage the data in terms of access, deletion or rectification of data) or the lack of transparency (e.g. the chain processing may involve multiple processors and sub-processors ).

The European Commission also reviewed its SCC and adopted on 4 June 2021 an implementing decision containing SCC for the processing and transfer of personal data in compliance with the GDPR . The SCC are divided in different modules:

Module 1: transfer controller to controller;
Module 2: transfer controller to processor;
Module 3: transfer processor to processor;
Module 4: transfer processor to controller.

In most situations, the relationship between a company and a cloud service provider established in a third country will be a controller-processor relationship. The company (the cloud client) is the one that determines the ultimate purpose of the processing and decides on the outsourcing of the processing and the delegation of all or part of the processing activities to an external organisation. The company is thus to be considered as Controller in the meaning of Art. 4 (7) of the GDPR. The Cloud provider is the entity that provides the cloud computing services and supplies the means and the platform, acting on behalf of the company (the cloud client) and acts therefore as Processor in the meaning of Art. 4 (8) of the GDPR. In those circumstances, the Module 2 of the SCC will have to be concluded between the company and the cloud service provider . According to Clause 2 of the SCC, the SCC can not be modified but it does not prevent the contracting parties from including the SCC in a wider contract and/or to add additional safeguards.

Finally, it should be pointed out, that the new SCC address some concerns raised by the European Court of Justice in its Schrems II Judgement. Thus, the Clause 14 of the SCC obliges the parties to conduct a Data Transfer Risk Assessment and Clause 15 relates to the actions to be taken by the data importer to handle government requests for data access.

Related resources on SCC

For more information about Standard Contractual Clauses, and how they differ from the old ones, please read our SCC Guide.

How can 2B Advice help your business after the Schrems II decision?

If you need help assessing the risk in your cloud migration, the 2B Advice Privacy Services team offers a number of services to set you on the right path, including privacy impact assessments (PIA), cloud migration impact assessments (CMIA), data transfer impact assessments (DTIA), as well as support to develop annexes for standard contractual clauses. If you are thinking about cloud migration or are in the process of migrating to the cloud, contact our Privacy Services team today.

Resources:

List of third countries for which the European Commission has recognised as providing adequate protection: ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield; eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.207.01.0001.01.ENG
Caitlin Fennessy, The Schrems II decision (iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/): EU-US Data Transfers in question, 16 July 2020.
European Court Of Justice, Maximillian Schrems, 16 July 2020, C-311/18; curia.europa.eu/juris/document/document.jsf;jsessionid=C2EA592CF0ECCC8A34119E617FF907E8?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1309529
EDBP, recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, 18 June 2021; edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en
Article 29 Data Protection Working Party, Opinion 05/2012 on Cloud computing, 01 July 2021, page 5 and 6; ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf
COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, 4 June 2021; ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
Article 29 Data Protection Working Party, Opinion 05/2012 on Cloud computing, 01 July 2021, page 8; ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf