Schrems II: What About US-Based Organizations with Consumer-Facing Websites and Apps? (Part 1 of 2)
In its Schrems II decision, the Court of Justice of the European Union (“CJEU”) created a major headache for transatlantic trade when it invalidated the EU-US Privacy Shield Framework. The European Data Protection Board (“EDPB”), an independent EU body composed of representatives from EU member state data protection authorities, followed up by issuing FAQs about the CJEU’s decision. Those FAQs stated, among other things, that there would be no grace period for organizations to align their practices with the ruling, and that the invalidation of Privacy Shield was effective immediately. Since then, much of the discussion has centered on what additional measures are needed for data exporters and data importers to transfer personal data pursuant to standard contractual clauses (“SCCs”). But what about US-based organizations for which SCCs are not an option because they collect or receive personal data directly from EU data subjects?
Consider US website operators or app publishers that store and process data in the US, are not “established” in the EU, but target EU consumers such that they are subject to the GDPR. Some of these organizations relied on Privacy Shield to support their cross-border collection of personal data from EU-based data subjects. Now that Privacy Shield has been invalidated, it is unclear whether organizations that collect personal data directly from EU data subjects—assuming that collection is considered a “transfer”—can comply with Chapter 5 of the GDPR, which restricts “[a]ny transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization.”
This post is the first in a two-part series considering this issue.
Unavailability of Article 46 Safeguards and Skepticism of Article 49 Derogations
Article 46 of the GDPR (“transfers subject to appropriate safeguards”) provides some transfer mechanisms, but they will not be viable for many organizations. Implementing binding corporate rules, for example, is an expensive and time-consuming process, and SCCs are not an option, as noted above. For purposes of this post, then, let’s set aside Article 46 safeguards and examine some of the derogations contained in Article 49.
Under Article 49, if personal data will be transferred to an “inadequate” country, like the US, and the data are not being transferred pursuant to appropriate safeguards under Article 46, an organization may rely on several specific “derogations,” depending on the circumstances. There are seven derogations set forth in Article 49, but there are two that are most likely to apply in a general commercial context: the performance of a contract with the data subject and consent.
The EDPB has, however, made clear that use of the derogations is disfavored. In its 2018 guidance on the subject (“2018 Derogation Guidance”), the EDPB characterized the derogations as “exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights.” The EDPB thus cautioned that derogations must be “interpreted restrictively.” Furthermore, according to the EDPB, “data exporters should first endeavor possibilities to frame the transfer with one of the mechanisms included in Articles 45 and 46 GDPR, and only in their absence use the derogations provided in Article 49(1).” To which many of us in the US privacy community reply, “Well, the European Court of Justice eliminated Privacy Shield, so here we are.”
Article 49(1)(b): Transfers for Performance of a Contract with the Data Subject
According to the EDPB, the language of this derogation triggers a “necessity test,” which “requires a close and substantial connection between the data transfer and the purposes of the contract.” Only the specific personal data that are “necessary” for the performance of the contract may be transferred based on this derogation. Therefore, organizations seeking to rely on this derogation would need to scrutinize existing contracts and/or restructure them accordingly. The 2018 Derogation Guidance suggests that there must be some significant geographic rationale for transferring the data, citing the transfer of personal data by a travel agent to a hotel located outside the EU as passing the test because “there is a sufficient close and substantial connection between the data transfer and the purposes of the contract (organization of clients’ travel).” That explanation also implies that transferring personal data to the US merely because that is where the receiving organization’s data processing facilities are located is not an adequate justification—an interpretation that would greatly curtail the derogation’s usefulness in this context.
In addition to passing the necessity test, transfers under Article 49(1)(b) must be “occasional.” The EDPB’s position is that “[d]ata transfers regularly occurring within a stable relationship would be deemed as systematic and repeated,” and therefore “non-occasional.” This requirement, which is derived from Recital 111 of the GDPR, could present major challenges for website and mobile app operators, depending on their offerings’ functionality and the nature of the relationship with the data subject. For example, websites that perform all or substantially all processing activities, and store related personal data, in the US may have trouble meeting this requirement.
Article 49(1)(a): Explicit Consent
Explicit consent can provide a legal mechanism for transferring personal data under Article 49(1)(a) when “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.” Fortunately, the EDPB recognized in its 2018 Derogation Guidance that, based on the text of Recital 111, the consent derogation is not “expressly limited to ‘occasional’ or ‘non-repetitive’ transfers.” The EDPB also took the position that the “necessity test” does not apply to consent.
But the EDPB still views the consent derogation skeptically. Transfers based on consent must, according to the board, be “interpreted in a way which does not contradict the very nature of the derogations as being exceptions from the rule that personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.”
To that end, there are several specific roadblocks to the use of consent in the 2018 Derogation Guidance. Consent must be provided for specific purposes, and the “data subject should give his/her consent for this specific transfer at the time when the transfer is envisaged.” The EDPB’s commentary suggests that blanket consent for extensive processing activities that occur in the US obtained prior to collection may not be valid.
This guidance presents a challenge for organizations that collect information directly from EU consumers and perform all or most of their processing activities in the US. Blanket consent may be the only practical way to obtain consent in some instances; obtaining granular consent to transferring personal data for each processing activity may prove operationally difficult or even impossible. Furthermore, it is unclear how this standard would apply to future contemplated processing activities such as disclosures of personal data in response to legal process or in the event of the sale of a business unit that may occur, if at all, well after the transfer.
The EDPB also underscored the requirement in Article 49(1)(a) to inform the data subject of the possible risks of the transfer. The information provided to data subjects to obtain consent “should also specify all data recipients or categories of recipients, all countries to which the personal data are being transferred to, that the consent is the lawful ground for the transfer, and that the third country to which the data will be transferred does not provide for an adequate level of data protection based on a European Commission decision.” On the latter point, the EDPB’s commentary suggests that the organization transferring the data should inform the data subject of specific risks such as the lack of a supervisory authority, “data processing principles,” and data subject rights.
Note that the stipulations discussed above must be layered on top of the additional requirements applicable to consent under Article 7 of the GDPR. These separate requirements present challenges for US-based organizations that collect personal data directly from consumers, particularly in light of the consent guidelines adopted by the Article 29 Data Protection Working Party in 2017, revised in 2018, and subsequently endorsed by the EDPB (the “WP29 Consent Guidance”). For example, under the WP29 Consent Guidance, consent will not be considered “freely given” if it is bundled with other contractual terms or the data subject is unable “to refuse or withdraw his or her consent without detriment.” If the organization is unable to provide the relevant service without transferring personal data to the US, it could be argued that the data subject cannot refuse consent without detriment. An organization that relies on consent must also implement a mechanism to enable data subjects to withdraw consent, the practical effect of which may be disabling all functionality associated with the relevant app or website if data must be transferred to the US to enable the data processing that facilitates that functionality. The withdrawal mechanism must also make it as easy to withdraw consent as it is to provide it.
The EDPB’s Supplementary Measures Guidance
The EDPB recently weighed in with more guidance on how data exporters can legally transfer data to “third countries” in light of Schrems II (the “Supplementary Measures Guidance”). As we explained in a prior post, the Supplementary Measures Guidance sets forth a six-step framework for evaluating the need for, and implementing, “supplementary measures” to ensure an adequate level of data protection.
Step two in that process requires the data exporter to identify the “transfer tool” that it is relying on. If the organization is relying on an Article 46 safeguard, the organization must analyze whether the mechanism provides an adequate level of data protection in practice and, if not, implement supplementary measures to ensure GDPR compliance. The Supplementary Measures Guidance does not require these steps for the derogations. Once an organization determines that it is relying on a derogation rather than an Article 46 safeguard, the remaining steps in the Supplementary Measures Guidance do not apply.
While supplementary measures are not required, the EDPB did reiterate its position that derogations are “exceptional” and must be “interpret[ed] restrictively.” The guidance document also notes that the derogations “mainly relate to processing activities that are occasional and non-repetitive” (emphasis added). Although not stated explicitly, this language recognizes that some of the derogations may apply even if they relate to ongoing transfers, including the consent derogation, as noted above. Therefore, this aspect of the Supplementary Measures Guidance is arguably a rare silver lining for US-based organizations.
US-based organizations that target EU consumers and collect their personal data directly, but are not established in the EU, do not have great options when it comes to data transfer mechanisms. SCCs are not an option, and relying on derogations will require careful analysis of the underlying requirements and associated preferences of regulators, the nature of the data flows, the necessity of transfers, and the frequency with which personal data are transferred. It should be noted that EU data protection authorities may have differing views on this subject, which can cut both ways.
But the heavy skepticism of the derogations and the lack of an obvious data transfer mechanism for these organizations also merit consideration of a separate, fundamental question: Should these data flows even be considered “transfers” of personal data that are subject to Chapter 5 of the GDPR?
We will address that issue in our second post in this series.