Why Words Alone Cannot Comply With Schrems II*

Although “words are the lawyer’s tools of the trade”[2], trying to address Schrems II requirements using words alone will always fail, regardless of whether the words come in the form of revised contracts, new treaties, policies, or digital terms of use.
Organisations focused on updating Standard Contractual Clauses (SCCs) miss the point that words alone cannot make data transfers lawful under Schrems II. It is critical to understand that new technical controls are required in addition to updating SCCs.
Attempting to avoid massive Schrems II-related disruptions to international data flows[3] using words alone will be unsuccessful. This is because:
  • The fundamental rights of European Union data subjects are not available to barter for commercial or surveillance benefits;[4] and
  • GDPR-compliant technical safeguards must supplement SCCs to reduce the risk of violating data subjects' fundamental rights for international data transfers to be lawful.[5]
There is no political solution to Schrems II that removes the obligation to implement new technology controls. The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) states that even the promise of a US federal privacy law is insufficient to remove that obligation because of ongoing surveillance concerns. In addition, Schrems II impacts the evaluation of adequacy decisions for countries around the globe.[6]

Also, despite reports to the contrary[7], there is no certainty of a post-Brexit adequacy decision for the United Kingdom. This uncertainty is highlighted by:
  • The recommendation by the Information Commissioner's Office (ICO) for UK "businesses working with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data"[8] (emphasis added); and
  • The European Data Protection Supervisor (EDPS) Opinion 3/2021 on the Conclusion of the EU and UK Trade Agreement and the EU and UK Exchange of Classified Information Agreement, raising concerns about whether UK data transfers comply with Schrems II.[9]
Relying on “Words Alone” by updating contracts and hoping for treaties produces unsustainable operations because no contract or treaty will remove the need for new technology controls to protect data when in use.
Why New Technology Controls Are Required to Comply with Schrems II
Anonos technology solves international cross-border legal challenges, enabling the highest data protection levels, accuracy, and utility on a global scale.[10]
Schrems II fundamentally changes how data-driven global business must be conducted to be lawful. Hundreds of companies attended Anonos’ Schrems II webinars, including regulators, industry experts, and leading nongovernmental organisations (NGOs). Numerous stakeholders asked Anonos to answer the following two questions:
  • Can Anonos help me to legally process data using US-based cloud (and other) technology companies and still comply with Schrems II?
  • Can Anonos technology help my organisation reduce risk exposure and ensure predictable business operations now that the UK is no longer part of the EU and is subject to the UK GDPR?[11]
The answer to both questions is yes. Anonos’ patented[12] Variant Twin technology enables Lawful Borderless Data for international cross-border transfers and processing using SCCs in compliance with Schrems II.

It’s important to remember that the remedy for violating Schrems II requirements is injunctive termination of processing, rather than the assessment of penalties.[13] This highlights the risk of immediate disruption to business operations that comes from non-compliance. The imposition of injunctions shifts the burden of proof onto organisations to regain the right to process data and get the injunction removed. This is a significant change from the fines-based penalties resulting from GDPR violations levied in the past.

In addition, waiting to establish a defensible position for using US-based and other non-EEA cloud, SaaS, and outsourcing solutions (including UK providers) creates the risk of personal exposure for Board members and officers.[14] Auditors are obligated to report non-compliance to authorities, and are also becoming increasingly aware of Schrems II data protection audit requirements.[15] Contracts, policies, and treaties do not provide the technical controls required for Schrems II compliance, and this issue is time-critical. Organisations should implement European Data Protection Board (EDPB) recommended technical controls to comply with Schrems II, such as GDPR-compliant Pseudonymisation.[16]
  • [*] “Schrems II” refers to the ruling by the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems.
  • [2] See The Discipline of Law by Lord Denning, Butterworths (1979) at page 15.
  • [3] See 24 February 2021 Reuters article “EU-U.S. Data Flows Could Face Massive Disruption” at https://www.reuters.com/article/us-facebook-privacy-dixon-interview-idUSKBN2AP009
  • [4] The CJEU cites recital 114 of the GDPR: “In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that they will continue to benefit from fundamental rights and safeguards.” See paragraph 8 at http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9745404
  • [5] The EDPB stresses that while “in principle, supplementary measures may have a contractual, technical or organisational nature...contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country...there will be situations where only technical measures might impede or render ineffective access by public authorities” (emphasis added). See paragraphs 47 and 48 at https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
  • [6] See https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/RE/2021/02-04/1222135EN.pdf
  • [7] See https://diginomica.com/and-data-shall-flow-eu-and-uk-step-towards-post-brexit-data-adequacy-accord-albeit-lacking-entente
  • [8] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/12/ico-statement-in-response-to-uk-governments-announcement-on-the-extended-period-for-personal-data-flows-that-will-allow-time-to-complete-the-adequacy-process/
  • [9] See paragraphs 28 and 42 of EDPS Opinion 3/2021 at https://edps.europa.eu/data-protection/our-work/publications/opinions/edps-opinion-conclusion-eu-and-uk-trade-agreement-and_en. Attempts to retrieve EDPS Opinion 3/2021 result in “Page Not Found”; however, a cached version is available at https://webcache.googleusercontent.com/search?q=cache:biPIaBeCpHoJ:https://edps.europa.eu/sites/edp/files/publication/2021_02_22_opinion_eu_uk_tca_en.pdf+&cd=1&hl=en&ct=clnk&gl=us
  • [10] Anonos is a vendor of state-of-the-art data protection and enablement technology. Anonos is not a legal or advisory firm. Anonos technology embodies significant legal and technical subject matter expertise but is not, nor should it be construed as, providing any legal opinion or conclusion. Using Anonos technology is not a substitute for obtaining professional advice from qualified legal counsel.
  • [11] UK data protection laws are “essentially the same as the EU GDPR, with some technical amendments to make it work in a UK-only context.” See https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/transition-period-faqs. For example, UK data protection law includes sections 171 and 198, not found in the EU GDPR. Under Section 171, it is a criminal offense to knowingly or recklessly re-identify information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data. Under Section 198, a “director, manager, secretary or similar officer of the body corporate” may be found personally liable for failing to comply with data protection requirements “by consent, connivance, or in a way that is attributable to neglect” (emphasis added).
  • [12] Anonos technology is protected by an international intellectual property portfolio that includes but is not limited to: Patent Nos. EU 3,063,691 (2020); CA 2,975,441 (2020); US 10,572,684 (2020); CA 2,929,269 (2019); US 10,043,035 (2018); US 9,619,669 (2017); US 9,361,481 (2016); US 9,129,133 (2015); US 9,087,216 (2015); and US 9,087,215 (2015); plus 70+ additional domestic and international patent applications. Anonos, Variant Twins and Lawful Borderless Data are trademarks of Anonos Inc. protected by federal, state and international statutes and treaties.
  • [13] See http://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9745404 at paragraphs 121, 135, 146, 154, and 203(3).
  • [14] See https://www.financierworldwide.com/roundtable-risks-facing-directors-officers-aug17.
  • [15] See International Ethics Standards Board for Accountants (IESBA) Non-compliance with Laws and Regulations at https://www.ifac.org/system/files/publications/files/IESBA-NOCLAR-Fact-Sheet.pdf at page 3. Also, Accountancy Europe, which unites 50 professional organisations from 35 countries, notes that when non-compliance is committed intentionally, it “may be considered as fraud by stakeholders” and notes that this is “particularly relevant in case of breaches of …data protection rules” (emphasis added). See https://www.accountancyeurope.eu/wp-content/uploads/Fraud-recommendations-to-strengthen-the-financial-reporting-ecosystem.pdf at page 5.
  • [16] See paragraphs 80 and 135 and footnote 69 at https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf