A recent major ruling in Europe undermines a mechanism thousands of firms use to transfer personal data to the US. This has big implications for sectors such as private banking and wealth management. This publication talks to experts at Clifford Chance.

July’s invalidation of the US Privacy Shield (known as the Schrems II ruling) struck a major blow for firms that had relied upon this data transfer mechanism to comply with GDPR. In this exclusive interview, Dan Silver, partner at Clifford Chance, and associate Brian Yin take a deep dive into the ramifications – particularly for the multitudes of wealth managers outsourcing data-heavy tasks and functions.

Schrems II explicitly upheld Standard Contractual Clauses (SCCs) as a valid transfer mechanism, but charged data controllers with ensuring that data importers can comply with those in light of local law. What does this mean for wealth managers’ due diligence obligations in an outsourcing context?
Dan: Wealth managers that rely on Standard Contractual Clauses (SCCs) to facilitate transfers of personal data from the European Economic Area (EEA) will need to re-evaluate these arrangements to determine whether they are compliant with the Schrems II ruling.  While the ruling explicitly reaffirmed the validity of SCCs, the court stated that data exporters had to verify on a case-by-case basis whether the SCCs provide adequate protection for transferred personal data in light of the laws of the recipient country. The court specifically noted the potential impact of surveillance laws in the US, but the ruling suggests that data exporters must take into consideration any laws of recipient states that might diminish the protections and rights afforded to transferred personal data. 
 
Wealth managers who are subject to the GDPR and have outsourcing arrangements with data processors who rely on SCCs to conduct cross-border transfers will similarly need to ensure that these data processors have sufficiently considered the risks imposed by the laws and practices of recipient nations.
 
There is not yet clear guidance from data protection authorities regarding how data exporters should conduct this case-by-cases analysis. Some regulators have suggested that Schrems II means that companies cannot transfer data to the US in reliance on SCCs at all - at least not without unspecified additional measures. Others have said that companies can continue to rely on SCCs. The European Data Protection Board, which is tasked with providing guidance on consistent application of the GDPR, has said that it will issue additional guidance on these points in the future.
 
This leaves wealth managers relying on SCCs to transfer data from the EEA to the US and other jurisdictions in a precarious position. The safest (but unrealistic) course is to immediately cease all data transfers out of the EEA and find localised solutions that do not require SCCs. Obviously, this is likely to be impractical. A more reasonable approach is to conduct an entity-specific analysis of the risks associated with transferring data to a particular third party in a particular jurisdiction and determining if additional protective measures are advisable (e.g. by using encryption, pseudonymisation, etc.).
 
The Department of Commerce is clear it is holding Privacy Shield participants to their obligations for data already collected. Do you agree that there are benefits for data processors in maintaining compliance with it irrespective going forward?
Brian: “Benefits” is probably the wrong word - “obligations” may be more appropriate. Organisations that participate in the Privacy Shield and received data pursuant to the programme may be required to maintain their obligations under the programme, and could even suffer regulatory enforcement action due to non-compliance. In July, the FTC finalised a Privacy Shield-related settlement against a New Jersey medical device maker that had claimed participation in and compliance with the Privacy Shield in spite of allowing its certification to lapse. As part of the settlement, the company was required to comply with the company’s “continuing obligation” under the Privacy Shield to protect personal information collected while participating in the programme or return or delete that information. 
 
Companies that no longer wish to be bound by the Privacy Shield’s obligations must follow the Privacy Shield’s formal withdrawal process. This includes contacting the Department of Commerce and completing a questionnaire to verify whether the company will return, delete, or continue to apply Privacy Shield principles to personal information received while participating in the Privacy Shield. The Department of Commerce will then remove the company from the Privacy Shield list on the Privacy Shield website and instead add the company to the record of organisations that had previously self-certified but have since withdrawn from participation. Notably, however, even this withdrawal does not entirely eliminate a company’s obligations with respect to data collected while participating in the Privacy Shield - including annually affirming to the Department that the company continues to abide by those obligations. 
 
Processor Binding Corporate Rules confer “safe processor” status, but acquiring BCR approval can be a lengthy process costing hundreds of thousands. How does this stack up against a US outsourcing provider opting to establish European operations/data centres? (i.e. how much of a fix is data localisation?)
Dan: Data localisation is a solution, but it can be quite costly, and it may simply not be an option for wealth managers that have US operations. Additionally, a comprehensive data localisation solution would include data repatriation, which can add significant expense and administrative burden. Unless special circumstances suggest otherwise, the more prudent course would likely be to perform a risk-based analysis of existing transfer mechanisms. 
 
In addition, it is important to note that the Schrems II decision is not limited to SCCs - its reasoning appears to also apply to Binding Corporate Rules (BCRs). This is the position various EU authorities have taken. In other words, data exporters who transfer data pursuant to BCRs must also evaluate whether the laws of the recipient’s country permit the recipient to comply with the BCRs. Accordingly, BCRs are not a bulletproof solution in the absentce of further guidance from regulators. 
 

It’s thought that around a third of participants signed up to the Privacy Shield to transfer human resources data. Do you see multinational wealth and asset managers comprising a significant proportion of these? What solutions can they seek?
Brian: Multinational wealth and asset managers that are based in the US - or that otherwise have significant operations in the US - are likely to be caught in the limbo created by the invalidation of the Privacy Shield. For these companies, the immediate next step should be to identify all transfers reliant on the Privacy Shield (whether internal or through service providers) and implement alternative mechanisms - most likely SCCs, given the cost and burden of BCRs and data localisation. 
 
It seems inevitable that both SCCs and BCRs are going to be subject to challenge on the same grounds as Privacy Shield (mass surveillance and lack of judicial redress for data subjects). Long term, is a political solution likely?
Dan: Yes - while the Schrems II decision was a clear shot aimed at US surveillance laws, all indications suggest that US and EU authorities want to maintain lawful mechanisms for cross-border data flows. Indeed, EU and US authorities have already stated that they are committed to finding a practical solution for cross-border data transfers. For example, on August 10, the European Commission and US Secretary of Commerce issued a joint statement announcing that they had begun discussing an “enhanced” EU-US Privacy Shield framework that would comply with the Schrems II decision. More generally, the European Commission has recognised that international data flows are “indispensable” for European companies to maintain their competitiveness.
 
It is important to note that this is an election year, and the global pandemic continues to push all other priorities aside. So, any legislative fix is likely to be delayed until at least 2021. However, companies can take some comfort in the fact that aggressive enforcement activity may not be imminent. If the past is any indication, data protection authorities will try to give companies time to respond to the decision. When Safe Harbor, the predecessor to the Privacy Shield, was invalidated in 2015, European data protection authorities did not initially pursue enforcement action to give companies the chance to adapt.
 
However - the Schrems II decision did not establish a formal grace period and data protection authorities have rejected calls for explicit delays in enforcement, so asset managers should act promptly and not rely on any grace period that data protection authorities appear to be providing. 
 
Some see Schrems II as the “canary in the mineshaft” for an international data transfer crusade by the EU (the UK possibly being next on the block). How do you see this theme playing out in the years to come given the internationalised nature of this sector?
Brian: China seems to be a more deserving target than the UK. But, while there may be some local data protection authorities that wish to reduce or eliminate cross-border data flows, it is unlikely that this will be the dominant view. As noted above, US and EU authorities have already said that they are committed to finding a solution to address the gap created by the invalidation of the Privacy Shield, and the European Commission has recognised that international data flows are necessary for European companies to compete globally. 

The US isn’t party to the Common Reporting Standard (the mechanism under which 102 countries exchange bank account details to weed out tax cheats), but is, itself, very keen to look into the financial affairs of US taxpayers. How do these two issues dovetail?
Dan: The Schrems II decision reveals deep scepticism of US government surveillance practices - and perhaps more generally of US exceptionalism. The extraterritorial reach of US public and private law has become increasingly controversial, and Schrems II can be viewed as a backlash against this perceived encroachment on European sovereignty. 
 
However, for years observers speculated that, with the passage of the GDPR, the US would be likely to follow suit and implement a comprehensive national privacy and cybersecurity law. Yet, four years later there has only been limited progress.
 
By keeping privacy issues in the forefront, the Schrems II decision may help slowly change US attitudes towards privacy, and ultimately affect the balance between privacy rights and national security protections. But it would be wrong to expect imminent change. In the near term, major privacy reforms in the US are unlikely and we can expect a more nationalist response, at least under the current administration.