The September edition of the Global Alliance for Genomics & Health’s (GA4GH’s) monthly newsletter, the GDPR Brief, examines the ramifications of the European Court of Justice’s Schrems II judgment on 16 July 2020. The brief focuses primarily on how the new decision can lead to strengthened obligations on anyone transferring data out of the European Economic Area (EEA). It was co-written by the EUCANCan colleagues Fruzsina Molnár-Gábor from Heidelberger Akademie der Wissenschaften and Michael Beauvais from McGill University’s Faculty of Law.

Five years after the Schrems I case led the European Court of Justice to invalidate the Safe Harbor arrangement, the court published the Schrems II judgment on 16 July 2020. In the GA4GH’s September GDPR Brief, the co-authors Fruzsina Molnár-Gábor and Michael Beauvais discuss the ruling’s implications for cross-border data flow. In the GA4GH’s September GDPR Brief, the co-authors Fruzsina Molnár-Gábor and Michael Beauvais discuss the ruling’s implications for cross-border data flow. They underline that the decision on the EU-US Privacy Shield can add another level of complexity to transfers of data out of the EEA. 

According to Schrems II, all data exporters and regulators are required to conduct a case-by-case analysis to determine whether foreign protections concerning government access to data transferred meet EU standards. This makes the decision highly relevant to EUCANCan’s goal, which is to implement a cultural, technological, and legal integrated framework across Europe and Canada that enables and facilitates efficient sharing of cancer genomic and clinical data. Representing Heidelberger Akademie der Wissenschaften, Fruzsina Molnár-Gábor is co-leading the development of this framework.

Michael Beauvais works as a research assistant for Prof Bartha Maria Knoppers who is responsible for, among other things, developing overarching guidance aimed at all EUCANCan partners.   

Schrems II risks jeopardising the standard contractual clauses reliability 

According to the new decision, standard contractual clauses (SCCs) must provide for an ‘essentially equivalent’ level of data protection as that of the GDPR (which, per the GDPR itself, is a requirement for transfers under an adequacy decision). 

Fruzsina Molnár-Gábor and Michael Beauvais write that ‘both data exporters and importers using SCCs must examine aspects beyond the metaphorical four corners of the contract’. 

They continue to argue that ‘the difficulty of assessing third-country data protection levels and defining supplementary measures on a transfer-by-transfer basis is extreme’, referring to that Schrems II states that it is up to the data exporter’s assessment to determine whether personal data is transferable using SCCs.

Uncertainties on the legal basis for data transfers after Schrems II

In strongly affirming the importance of maintaining a high level of protection of personal data transferred from the EU to third countries, Schrems II creates a lot of uncertainties on the legal basis of future data transfers from the EU to other countries.

According to Fruzsina Molnár-Gábor and Michael Beauvais, ramifications include: 

• an increased burden on supervisory authorities (SAs) who must suspend or prohibit the transfer of personal data to a third country where they believe the SCCs are not or cannot be complied with, or where the required level of data protection cannot be otherwise ensured
• that the application of other safeguards will depend on the level of data protection in third countries
• limited possibilities to establish standardised solutions via consent forms as data subjects must be informed of the specific risks of transfers to third countries without adequate protection
• the risk of increasing cloistered “data jurisdictions” when SAs are more motivated to find data processing solutions within the EEA

The bottom line is that if the requisite level of data protection cannot be assured, the transfer must be suspended outright.

According to Fruzsina Molnár-Gábor and Michael Beauvais, the Schrems II impact on transfers to international organisations, including research institutions, needs further clarification. They end on the note that ‘work is needed to promote the free flow of data, measured not only by theoretical legal compliance but also by options for factual compliance, upholding the spirit of the GDPR’.