It was already arduous for organisations to reconcile the demands of litigation and investigations in a foreign jurisdiction with the obligations under the EU’s General Data Protection Regulation (“GDPR”). The Schrems II decision, and the regulatory consequences stemming from it, added a further layer of complexity.

When an organisation has to disclose documents containing personal data to foreign courts or authorities in non-EEA “third countries”, such as the Securities and Exchange Commission in the context of United States based investigations, a significant number of GDPR-regulated international transfers can be involved.

  1. There may be an intra-group transfer, for example between EU subsidiaries and their parent company in the US that is subject to the request or obligation.
  2. The process will typically involve sharing personal data with external legal counsel in the EU or in a third country, and regularly with third-party providers assisting with large-scale document reviews.
  3. Then there is the need to provide appropriate documents to the courts, foreign authority or regulator.
  4. Finally, organisations have to consider what onward transfer or data sharing may reasonably be expected as a consequence of providing the documents to such foreign courts or regulators. Although this transfer is out of the organisation’s control, it may need to be considered when deciding what information should be released and whether any steps can be taken to mitigate risks – not easy, especially when dealing with a regulator.

The impact of the Schrems II decision

On 16 July 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield and confirmed – in a qualified way – the validity of the imperfect, but popular, European Commission-approved standard contractual clauses (“SCCs”). This simultaneously introduced greater doubt and complexity for organisations relying on SCCs.

The loss of the less popular Privacy Shield will impact investigations and cross-border litigation far less than the uncertainty that now accompanies the use of SCCs, especially when organisations have time constraints imposed by the proceedings. For example, if a European subsidiary is aware that data is to be transferred to a parent company outside the EEA and, thereafter, potentially to a regulator or foreign court, what does this mean for reliance on intra-group SCCs and the additional measures that might be required to guarantee adequacy of protection?

"Following Schrems II, organisations now need to risk assess whether SCCs provide adequate protection in light of the local legal framework of the recipient’s country and, where they do not, to deploy additional measures."

What other options are available to export data now?

There are some limited alternative options available. The use of Binding Corporate Rules for intra-group transfers during the document review process could be one, but this is only relevant for organisations that already have such rules in place. Organisations can also consider the derogations in Article 49 of the GDPR, but European Data Protection Board guidance states these are to be narrowly construed and most are irrelevant for the transfer of personal data in the context of international investigations and litigation.

Conclusion

The complexities of international data transfers now need to be assessed by reference to the European Data Protection Board’s draft recommendations on the use of supplemental measures adopted on 10 November 2020 (subject to public consultation until 21 December 2020). Organisations should continue monitoring the changing landscape of cross-border transfers and, in particular, be prepared to implement the European Commission’s new, updated SCCs expected to be adopted in early 2021 and currently available in draft. For organisations in the EU concerned about their ability to transfer data to the UK following Brexit, following this guidance will be vital. Unless and until the UK secures an adequacy ruling from the EU authorities, the UK itself is a “third country” after 31 December 2020. At the same time, transfers from the UK to the EEA will not be impacted, as the UK will formally recognise all EEA states as “adequate”.