Schrems II Impact Survey Report
There is no doubt that the decision of the Court of Justice of the EU (CJEU) taken in Schrems II (Case C-311/18) has dramatically altered the state of international data flows.
The EU data economy is expected to amount to €827 billion by 2025, and the ability to transfer data across borders will be crucial for the recovery of the European economy after the COVID crisis.
Our respective memberships, hailing from many different sectors, crucially rely on international data flows to carry out their business operations. Manufacturers supporting their customers overseas, health companies developing vaccines to end the global pandemic, any company incorporating advanced data analytics and machine learning methods into their services or simply having employees in multiple countries – all these data transfers predominantly rely on standard contractual clauses (SCCs) to legally carry out these day-to-day activities.
While Schrems II confirmed that SCCs remain a valid data transfer tool, it placed greater responsibilities on businesses to assess whether a third country’s domestic laws and practices afford equivalent protection before each individual data transfer is made. If a risk of non-equivalence exists, the business exporting the data would have to put ‘supplementary measures’ in place. This not only greatly increases the burden of demonstrating compliance, but also creates legal uncertainty. How are European SMEs expected to determine the legal frameworks of a multitude of foreign states? Will their assessments of risk and the related supplementary measures be accepted by regulators?
The European Data Protection Board (EDPB) has begun to interpret the ruling and offered draft guidance to organisations on these issues. It seems to us that in its current form such guidance would make it almost impossible for businesses to rely on SCCs. This is not only in conflict with the European Commission’s new draft set of SCCs, but even with the Schrems II decision itself.
In order to ensure a pragmatic and legally certain situation for international data flows, we need a deep understanding of how SCCs work in real life: who are they used by, for what purposes, and what actual risks do these transfers entail? To this end, we want to contribute the best data we have to date. We believe this is crucial insight to guide decision-makers.
Europe’s interpretation of the Schrems II ruling must enable a practical and safe path for businesses to continue transferring data across borders in a globalised economy, not least because 75 per cent of those using SCCs are European, and Europe’s prosperity and global influence rely upon their use.
Table of contents
- Overview of findings
- Survey methodology
- Companies of all sizes and sectors use SCCs
- European companies are heavy users of SCCs
- SCCs are critical for business operations
- SCCs are used to transfer data across the world
- The ruling’s impact is substantial, and many companies are unprepared
Overview of findings
This survey provides a snapshot of how personal data is transferred from Europe to the rest of the world. In particular, our goal has been to provide estimates about the use of SCCs – one of the legal mechanisms for transfers envisaged under the GDPR – in order to understand the economic impact of the recent Schrems II ruling.
While famous for annulling the EU-US Privacy Shield, the ruling requires all organisations transferring personal data outside the European Economic Area (EEA) to assess or reassess their use of SCCs in order to verify that it complies with the conditions set out in the ruling, notably in terms of preventing access by third-country governments.
The impact of these obligations can be significant, considering that potentially they apply to all data controllers and processors in the EEA, which for the most part are SMEs. However, real-world data about the use of SCCs has so far been lacking, and the economic impact of complying with the ruling remains largely unknown.
Our data shows that:
- SCCs are by far the most widely used mechanism for data transfers. Of all companies surveyed, 85 per cent are estimated to use SCCs, while other transfer mechanisms such as adequacy decisions, binding corporate rules (BCRs) or derogations (e.g. consent) account for a little more than 5 per cent of transfers. Only 9 per cent of companies surveyed do not appear to be transferring any data outside the EU.
- The vast majority of companies using SCCs (75 per cent) have their headquarters in Europe, with US-headquartered companies coming in a distant second (13 per cent).
- The information and communications technology (ICT) sector is the single largest user (37 per cent), but just about all industry sectors rely on SCCs for their transfers, with manufacturing coming in second (22 per cent).
- Most companies using SCCs are business-to-business (B2B) entities (90 per cent) relying on data transfers to enable service offerings to other companies. Only 10 per cent of respondents are pure business-to-consumer (B2C) companies.
- Over half of SCC users transfer data to close business partners or non-EU subsidiaries (57 per cent use controller-to-controller SCCs), while almost all transfer data in order to outsource processes or services (92 per cent use controller-to-processor SCCs). (Base = 166)
- Three-quarters of companies aware that they are using SCCs transfer data to more than one non-EU country. Almost everybody transfers to the US, but six out of ten transfer data to Asia or the UK. South America, the Middle East and Africa account for a smaller but not insignificant portion of transfers.
- Nine in ten companies that have reassessed their use of SCCs to comply with the ruling consider that the cost of doing so is moderate or high. Only half of estimated SCC users have reassessed their use of SCCs.
- 25 per cent of respondents appear not to be aware that they transfer data outside of the EU, most likely through SCCs. This is despite the fact that most contributions to the survey have come from data protection or compliance professionals. SMEs are more likely to be in this group but almost a quarter of bigger companies are also affected. This proves a fairly widespread lack of understanding about personal data transfers and the ensuing obligations, which may expose companies to sanctions for GDPR infringement.
Survey methodology
The data in this report is derived from a survey conducted between 26 October and 18 November 2020 by DIGITALEUROPE, BusinessEurope, the European Round Table for Industry (ERT) and ACEA. For a list of National Trade Associations that may have shared the survey with their members, please consult the DIGITALEUROPE and the BusinessEurope websites. In total, 292 responses were collected from companies headquartered in 25 different countries. Survey respondents are from all major industries, with the exception of transport and postal services, and a mix of company sizes. More than 75 per cent of responses came from privacy or compliance professionals; another 20 per cent came from business line managers.
Companies of all sizes and sectors use SCCs
A striking majority of companies transfer data outside Europe and do so by incorporating SCCs into their contracts. This includes virtually all larger companies above 250 employees, but also more than two-thirds of all SME respondents. Only 9 per cent of respondents keep their data purely within the EU, and only 5 per cent transfer data using other legal transfer mechanisms such as BCRs or adequacy decisions adopted by the European Commission.
While the different branches of ICT are the single largest user, SCCs are used for data transfers by a variety of industry sectors, with manufacturing in second place.
We note that almost half of responses come from digital trade associations’ members. As a result, the answer to this question may be skewed towards the ICT sector.
European companies are heavy users of SCCs
EU-headquartered companies account for nearly eight out of 10 users of SCCs. Only 13 per cent of respondents transfer data to a US-headquartered parent, while 8 per cent transfer to a UK headquarters.
SCCs are critical for business operations
SCCs highlight the complex nature of modern economies, where business relationships involve multiple entities performing different functions, including within the same group of companies operating internationally.
Data flows and SCCs are part and parcel of long business value chains. Most companies using SCCs do so to provide services and products exclusively to other businesses, followed by companies that also provide direct services to consumers. Only a minority of respondents are pure consumer-facing companies.
While most companies using SCCs transfer data to ‘processors’ (other entities that process data based strictly on the transferring company’s instructions, for example for payroll management), more than half among them also transfer data to one or multiple other ‘controllers’ (entities that will use the data independently, for example for their own manufacturing or sales operations). These can be non-EU subsidiaries or close business partners.
SCCs are used to transfer data across the world
SCCs underpin trade relations, very rarely with just one country. Three-quarters of companies who are aware that they use SCCs transfer data to more than one non-EU country simultaneously. While almost everybody transfers to the US, SCCs are used by six out of ten respondents to transfer data to Asia or the UK. South American and African countries are also relevant destinations for European companies using SCCs.
The ruling’s impact is substantial, and many companies are unprepared
Just over half of companies estimated to use SCCs have reassessed their use as required by the Schrems II ruling in order to be able to rely on SCCs. Among these, 92 per cent of respondents find that the cost of such assessment has been moderate or high for them.
Only half of estimated SCC users have reassessed their use, as required by the Schrems II ruling.
Particularly given the overall high proportion of privacy/compliance professionals who contributed to the survey, we were surprised to find that 25 per cent of companies surveyed are almost certainly transferring data – and are therefore most likely using SCCs, or should be putting them in place – yet are not aware of it.
For example, 68 per cent of those who do not know whether their company is transferring data, or believe it is not transferring data, either have an establishment outside the European Economic Area (EEA) or are outsourcing services to non-EU companies, or both. In the former case, they simply do not have a legal mechanism in place for the transfer; in the latter case, they are using SCCs and should be reassessing them in light of the ruling. Either way, they are unprepared to comply with the ruling and are exposed to sanctions for GDPR infringement.
Among the SMEs surveyed, 39 per cent are unaware that they are likely transferring personal data using SCCs – more than those who are aware (30 per cent). Three out of ten other companies under 2,000 employees, where resources might be scarce, are also concerned. Larger companies are less affected, yet 12 per cent of those surveyed appear unaware that they are likely users of SCCs.