The EU Court’s Schrems II judgement – urgent revisiting of international personal data transfer mechanisms required
Wasn’t the MDR about More Data Required, and the same for the IVDR? Aren’t more and more devices running software that processes patient and user data? Isn’t the medical devices industry a very international business? Indeed – so the ability for companies working with the MDR and IVDR to transfer personal data internationally for all kinds of MDR and IVDR related purposes, such as clinical investigations, PMCF/PMPF, usability testing, troubleshooting / support, registries, communication of dimensions of custom implants, training of AI, cloud storage of patient data, linking patients to samples, eHealth and mHealth solutions, moving IVD test results from one place to the other – basically anything involving clinical data that is personal data – is an important thing.
Since data is the blood pumped around in the MDR and IVDR architecture, I address data protection issues on this blog to raise awareness (for example here (about data subject damages), here (about cybersecurity) and here (more general about MDR/IVDR and GDPR)). I find in practice that companies and service providers in the medical devices industry often could do a much better job at data protection compliance and do not design their products and services with the data protection principles of privacy and security by design in mind. The MDR and IVDR require you to manage risks with safety principles in mind, and the EU’s General Data Protection Regulation (“GDPR”) is no different: like the MDR and IVDR it requires risk management as a design factor. For EU purposes both physical integrity and privacy are fundamental rights of patients and users of devices, which is reflected in the requirements in the MDR and in the GDPR. This is why I advise companies to integrate design processes under the MDR and IVDR with those under the GDPR and not treat devices RA/QA and privacy as different silos in the company. The MDR and IVDR on the one hand and the GDPR on the other hand share many important links, so non-compliance with one of them will often imply non-compliance with the other, for example with regard to cybersecurity.
This blog is a co-production with my firm’s data protection expert Cécile van der Heijden, who wrote the biggest part of it, and it addresses the recent GDPR bombshell judgement of the European Court of Justice (“CJEU”) in the Schrems II case, of which the impact on international transfers from the European Economic Area (“EEA”) to third countries can hardly be overstated. The CJEU press release about the Schrems II case can be found here.
International transfers and the Schrems case
The GDPR allows transfers of personal data to a third country outside of the EEA only if the transferring party has provided appropriate safeguards and ensured that enforceable data subject rights and effective legal remedies are available for data subjects. Every medical devices company or service provider to that industry that works internationally and has some kind of presence or business partner outside the EEA, uses cloud services or engages service providers that transfer data outside of the EEA (for example because they use cloud service providers or entities outside the EEA) will be directly or indirectly transferring data internationally.
This is why the CJEU’s judgement of 16 July 2020 in the Schrems II case (or the second Facebook case as it is known too) was so much anticipated. The case concerns conditions for transfer of personal data out of the EEA to the United States under an adequacy decision (in this case the EU-US Privacy Shield Framework, (“Privacy Shield”)) and standard data protection clauses (“SCC”). More particularly, the Schrems II case concerns transfer of personal data from Facebook Ireland Ltd to Facebook Inc in the US for processing. The judgement was rendered in a preliminary reference procedure in which the CJEU has answered questions of the referring Irish court concerning:
- the applicability of the GDPR to transfers of personal data to third countries outside of the EEA, focussing on the SCC laid down in Commission Decision 2010/87 (EU controller to non-EEA processor);
- the level of protection the GDPR requires in relation to such transfer;
- the obligations that are imposed on supervisory authorities in relation to such transfer; and
- whether both Commission Decision 2010/87 and Commission Decision 2016/1250 (the adequacy decision concerning the EU-US Privacy Shield Framework) are valid.
GDPR applies to transfers of personal data to third countries outside of the EEA
The CJEU has confirmed in Schrems II that – unsurprisingly and contrary to what was argued in defense – the GDPR does apply to a commercial transfer of personal data between two economic operators (terminology that also can be found in the MDR), even if the personal data is also processed by the authorities of the third country in which the recipient is established for the purpose of public security, defence and national security, for example by intelligence services.
Privacy Shield invalid as legal basis for transfer
The CJEU declares the EU-US Privacy Shield framework invalid due to the absence of adequate level of data protection in the US due to the existence of extensive governmental surveillance programs that lack effective judicial review and do not protect the rights of data subjects established in the EEA. Most notably, these surveillance programs in the US concern the US Foreign Intelligence Surveillance Act (“FISA”) and US Executive Order 12333. Privacy Shield does not offer sufficient safeguards in relation thereto.
SCC valid as a legal basis for transfer, provided that country of import offers equivalent protection as GDPR
At the same time, the CJEU declares that the SCC (as laid down in Commission Decision 2010/87) are valid as a mechanism but cannot be regarded as a ‘tick the box’ exercise because the rights offered to EEA data subjects abroad should be, at least, at an equivalent level to those guaranteed under the GDPR. This means that all transferring parties, regardless of whether the personal data is transferred by a controller or processor, have a responsibility. This requires a risk assessment by the parties involved in the transfer. They must verify on a case-by-case basis (where appropriate in collaboration with the extra-EEA recipient of the personal data) whether the laws of the third country to which the personal data are transferred offer adequate protection in line with the requirements of EU data protection law.
The way that the legal framework in the country where the recipient is established works may lead to a need to provide additional safeguards in addition to those documented in the SCC. It goes without saying that this holds relevance for all SCC adopted by the European Commission beyond those documented in Commission Decision 2010/87. As most companies transfer personal data under SCC in absence of an applicable adequacy decision, this decision of the CJEU directly impacts nearly all parties that transfer personal data to outside of the EEA.
The CJEU requires a case-by-case review whether the laws of the third country in which the recipient is established respect data subject rights at a similar level as the GDPR, including by allowing for judicial review where the authorities have access to the personal data, e.g. for intelligence purposes. Where such level of protection cannot be met, the transfer must be suspended or the agreement between the parties must be terminated.
Immediate consequences Schrems II
The primary consequence of Schrems II is that personal data can no longer be transferred to the US under the Privacy Shield, meaning that companies must suspend all such transfers until another permitted transfer measure under the GDPR has been applied. Although Schrems II only concerns the SCC documented in Commission Decision 2010/87, the criteria set for the use of SCC have broader applicability. As a result, all transfers under SCC, regardless of the exact country to which the personal data are transferred, require a thorough and adequately documented review of the legislation of the recipient country for the transferring party to be able to demonstrate a lawful transfer.
Schrems II shows that general legislation that allows processing of personal data in as far as is necessary in a democratic society to safeguard, inter alia, national security, defence and public security, and which is subject to effective judicial review, is acceptable. However, far-reaching processing of personal data by public authorities (i.e. through intelligence surveillance programs) in a third country that is not subject to effective judicial review does not offer the required level of protection to EEA data subjects. For example, the US Ombudsman linked to the Privacy Shield has no effective control over EEA data subjects’ data being processed by the US intelligence services. Based on these criteria the CJEU ruled that the US does not offer appropriate levels of protection of data subjects similar to those offered in the EEA.
Schrems II has far reaching consequences for all EEA-based companies who collaborate with US businesses (e.g. for research activities or for intra-group activities, such as internal transfer of pharmacovigilance data, clinical trial data or post market surveillance data), use US-based processors (service providers) certified under the EU-US Privacy Shield (including CROs, cloud providers and providers of cookies for company websites) and for all other EEA-based companies that use SCC to transfer personal data to recipients.
While it may be difficult to perform the required review of national law of the receiving country, Schrems II has created an immediate problem in relation to transfers of personal data to the US, even where such transfers take place under SCC, if no additional measures are taken. As the CJEU has determined that the US currently does not offer an adequate level of protection in line with the level of protection offered in the EU under the GDPR in relation to Privacy Shield, it is difficult to imagine how a transfer to the US under SCC will be considered adequate, as these transfers will be subject to the same controls in the US. Therefore, where FISA or Executive Order 12333 are applicable to personal data transferred to the US, Schrems II effectively endangers transfers of those personal data to the US due to the lack of adequate protection of data subjects subject to the GDPR, unless the transferring parties adopt additional measures. While the CJEU has performed an analysis of the level of data protection offered by the US, the same would apply to a transfer to any other country outside the EEA that is not subject to an adequacy finding and where processing of personal data by the government (including for surveillance purposes) takes place beyond what is reasonably necessary in a democratic society.
There is another issue with the use of SCC: even where the assessment required by Schrems II can be conducted in practice, the SCC available do not cover all possible transfers. For example, a transfer between an EEA-based processor and a controller based in a third country is not covered by any SCC model, albeit that a solution is allowed if an EEA-based controller signs the clauses with the receiving controller.
Currently, SCC have only been adopted for transfers between two controllers and for a transfer between an EEA-based controller and a processor established outside of the EEA. While certain supervisory authorities may be convinced to allow broader use of the existing standard data protection clauses outside of their original context, this is not a universally accepted solution. Consequently, this approach requires clearing with the relevant supervisory authorities to avoid non-compliance with the GDPR.
Are other transfer measures than Privacy Shield or SCCs possible?
SCCs are not the only appropriate safeguards that can be used in absence of an adequacy decision, but they are (in general) the only safeguards readily available. Many appropriate safeguards require prior approval of a national supervisory authority or even the involvement of the European Data Protection Board or the European Commission. For example, the waiting time for approval of binding corporate rules by the Dutch Data Protection Authority is currently three to five years. Additionally, barely any codes of conduct have been approved thus far, so they offer no solace either. Such appropriate safeguards are therefore not workable for any company that is currently already undertaking transfers and wishes to continue these transfers. Moreover, it is to be expected that application of other safeguard measures under the GDPR will be held to the same standard as the use of SCC.
Where it cannot be established that national law in the country where the recipient is based offers sufficient protection to data subjects, the transferring party may be able to base the transfer on one of the derogations of article 49 of the GDPR. The EDPB considers these derogations to be exemptions from the
“general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards”.
However, as the EDPB has clarified, such transfers are limited to occasional, non-repetitive transfers and therefore offer no solution for large scale transfers.
Next steps for EU authorities and next steps for companies
It is expected that the collective supervisory authorities and the European Commission will provide additional guidance in relation to the consequences of Schrems II. We also expect the supervisory authorities to provide clarification on the exact parameters of the required review of national law in the country where the recipient is established, as such an extensive review will be difficult to realize for any company. The Dutch Supervisory Authority has indicated that the European Data Protection Board, in which all national supervisory authorities and the European Data Protection Supervisor are united, will soon provide guidance concerning the additional measures companies can include in the SCC. Authorities on both sides of the Atlantic need to quickly figure out what this judgment will mean for them, and how they will work with international data transfers in the future. The EU authorities will need to be more practical about what the required standard is, and other authorities will have the opportunity to improve the quality of data protection regulation to take fundamental rights into account better.
We currently do not expect supervisory authorities to immediately begin enforcing Schrems II, as the supervisory authorities are still reviewing the best manner to deal with Schrems II and how to apply the judgment in a practical manner. Nevertheless, we advise all companies transferring personal data to the US directly or via a (sub-)processor under Privacy Shield, as well as companies using SCCs for data transfers, to carefully map out any transfers that they are currently undertaking and make a best-effort assessment whether the country of import offers protection of the rights of data subjects that can be considered adequate in the light of the GDPR (Schrems II does not require identical protection, but adequate protection).
Documentation is key for compliance after Schrems II. Companies should be transparent and document their analysis of national law in the country of import in detail. As a minimum, such analysis should include a review of:
- the applicable data protection legislation in the country of import;
- applicable legislation on surveillance by public authorities in the country of import, including in transit situations;
- the availability of data subject rights, including judicial review of such processing activities by the public authorities in the country of import;
- the scope, volume and application of the aforementioned measures.
Supervisory authorities or the European Commission may provide additional or different requirements for such analysis of national law in the country of import.
Regarding US transfers, there does not seem to be a way for data transfers to proceed legally in full compliance with the GDPR at the moment. To limit all risks, companies may consider (temporarily) suspending personal data transfers from the EEA to the US until official guidance on the consequences of the Schrems II judgment becomes available. They should consider carefully which additional contractual safeguards can be incorporated under SCCs and have SCCs in place where they or their service providers relied on Privacy Shield. Where suspension of transfers is impossible in an individual case (for example in relation to ongoing treatment that cannot be postponed, ongoing participation in a clinical trial with an extra-EEA sponsor or manufacturing of a custom made implant outside the EEA), we advise to review whether such transfer can nevertheless take place under a specific derogation of article 49 of the GDPR. The information obligations of the transferring party in relation to the use of a derogation may increase due to Schrems II.
Where companies continue to transfer personal data under SCC or a derogation, rigorous application of the principle of data minimisation and the use of encryption may serve as a non-regulatory solution to provide a degree of technical protection against import country scrutiny of data. This would help in meeting the requirement to apply extra measures in addition to the SCC as referred to in Schrems II. Nonetheless, such measures by themselves do not constitute a legal basis for an adequate transfer in compliance with the GDPR.
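As an added illustration of the technical measures mentioned above (this is example code written for this page, not code from the original post or its authors), the following Go program shows what data minimisation combined with encryption under keys that stay in the EEA could look like for a record that leaves the EEA, for instance for a device support case. The record layout, field names and sample values are constructed for the example and do not come from the page. The exporter drops the field the importer does not need, generalises the birth date to a year, replaces the patient identifier with a keyed pseudonym (HMAC-SHA256) and encrypts the free-text field with AES-256-GCM; both keys remain with the exporter, so the importer, and anyone who compels the importer, sees only tokens and ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PatientRecord: constructed example of a record held inside the EEA (not real data).
type PatientRecord struct {
	PatientID string // direct identifier (hospital number)
	Name      string // direct identifier the importer does not need
	BirthDate string // quasi-identifier, YYYY-MM-DD
	Notes     string // free text the importer needs; may contain personal data
	DeviceID  string // device serial for the support case, passed through as-is
}

// ExportRecord is the minimised form that actually leaves the EEA.
type ExportRecord struct {
	Pseudonym   string // HMAC-SHA256 of PatientID under a key kept in the EEA
	BirthYear   string // birth date generalised to a year
	NotesCipher string // hex(nonce || AES-256-GCM ciphertext), key kept in the EEA
	DeviceID    string
}

// EEAKeys never leave the exporter (in practice an EEA-hosted KMS or HSM).
type EEAKeys struct {
	PseudoKey []byte      // HMAC key for pseudonyms
	Data      cipher.AEAD // AES-256-GCM for free-text fields
}

func NewEEAKeys() (*EEAKeys, error) {
	buf := make([]byte, 64) // 32 bytes HMAC key + 32 bytes AES-256 key
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(buf[32:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &EEAKeys{PseudoKey: buf[:32], Data: gcm}, err
}

// Pseudonymise gives a keyed, deterministic token: the exporter can still link
// records (registries, repeat cases); the importer cannot recompute or reverse it.
func Pseudonymise(key []byte, id string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	return hex.EncodeToString(m.Sum(nil))
}

// Seal encrypts a field with AES-256-GCM under a fresh random nonce.
func Seal(gcm cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// Open reverses Seal inside the EEA; a wrong key or modified ciphertext fails.
func Open(gcm cipher.AEAD, encoded string) (string, error) {
	raw, err := hex.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], nil)
	return string(pt), err
}

// Minimise drops Name, generalises BirthDate, pseudonymises PatientID, encrypts Notes.
func Minimise(keys *EEAKeys, r PatientRecord) (ExportRecord, error) {
	notes, err := Seal(keys.Data, r.Notes)
	if err != nil {
		return ExportRecord{}, err
	}
	year := ""
	if len(r.BirthDate) >= 4 {
		year = r.BirthDate[:4]
	}
	return ExportRecord{Pseudonym: Pseudonymise(keys.PseudoKey, r.PatientID), BirthYear: year,
		NotesCipher: notes, DeviceID: r.DeviceID}, nil
}

func main() {
	keys, _ := NewEEAKeys()
	exp, _ := Minimise(keys, PatientRecord{PatientID: "MRN-000123", Name: "Jane Example",
		BirthDate: "1980-05-17", Notes: "reports error E07 after calibration", DeviceID: "SN-42-0099"})
	fmt.Printf("leaves the EEA: %+v\n", exp)
}
```

The measure only holds as long as the importer never needs the plaintext: if the importer must read the notes, or the key is shared with it, the technical protection against access in the country of import disappears and only the legal assessment described above remains. The deterministic pseudonym allows the exporter to link records across transfers; where no linkage is needed, a random token with a lookup table kept in the EEA leaks less.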
Schrems II makes implementation of the basic principles of data protection in the GDPR very relevant, as this ruling emphasizes that ‘with big data comes great responsibility’. The more personal data that a company collects and exports, the more responsibility it takes on. Questions? Cécile and I are at your service.