What Schrems II Means for US Tech Startups

It’s now harder for US tech startups to legally export data from the EU to the US, adding hurdles when scaling into the EU market.

lourdes.turrecha
Privacy & Technology
9 min read · Aug 31, 2020


As you may have read, the EU’s highest court recently issued a major data protection ruling in the case Irish Data Protection Commissioner v. Facebook Ireland, Maximillian Schrems (“Schrems II”). The Court struck down a compliance framework called the EU-to-US Privacy Shield (“Privacy Shield”) that permitted personal data protected under EU data protection law (“EU personal data”) to be exported to the United States. Schrems II also called into question the use of Standard Contractual Clauses (or “SCCs”) and Binding Corporate Rules (or “BCRs”), which are additional mechanisms for EU-to-US personal data transfers. More than 5,000 companies were relying on Privacy Shield, and even more rely on SCCs, because these were the easiest-to-use mechanisms for legalizing EU-to-US data transfers. These companies will now need to come up with a Plan C.

Schrems II affects many global organizations, but there are several significant implications for US tech startups, including the Silicon Valley startup community. This blog post will walk through a US tech startup’s options, explain the downsides of each option, and discuss how they can spend their limited resources accordingly.

Background

For decades, the EU has restricted the transfer of EU personal data to countries outside the EU. But beginning in 2000, the US had a special arrangement with the EU called US-EU Safe Harbor (“Safe Harbor”) to authorize EU-to-US data transfers. In 2015, the EU’s highest court invalidated Safe Harbor in a case called Schrems I, which led to the new arrangement called the EU-US Privacy Shield (“Privacy Shield”).

Five years later, in Schrems II, the Court struck down Privacy Shield. The Court’s main issue was that Privacy Shield neither prevented nor provided a legal remedy for non-US individuals whose privacy rights are violated by the US government’s mass surveillance operations. In theory, the US could fix these issues by revamping its entire surveillance apparatus and passing a comprehensive federal privacy law closer to the EU’s General Data Protection Regulation (GDPR). Because neither seems likely, at least under the current administration, US tech startups are stuck with questionable options for EU-to-US data transfers.

Data collection and cross-border data transfers are not the same thing, but EU data collection could quickly lead to a restricted EU-to-US cross-border data transfer. A cross-border data transfer occurs when an entity sends or makes EU personal data accessible to a receiver outside the EU. In practice, it could occur in several scenarios, including if a US tech startup receives and stores data in servers outside the EU, or if its engineering and data analytics teams analyze EU personal data outside the EU.

What Post-Schrems II Options Are Available For US Tech Startups?

With the Privacy Shield’s invalidation, a US tech startup is left with difficult options for addressing EU-to-US data transfers. Let’s review some of them and why they aren’t ideal:

Standard Contractual Clauses (SCCs). SCCs are EU-approved contracts for cross-border data transfers. They used to satisfy EU-to-US data transfer requirements. But as Schrems II points out, they fix neither the geopolitical problem that US companies remain subject to the US government’s mass surveillance programs, nor the lack of a comprehensive US federal privacy law that mirrors GDPR. The EU court indicated that SCCs could still work if they were supplemented with unspecified measures that would address US government surveillance. These supplemental measures could be technical measures like strong encryption, or contractual measures outlining an organization’s position against government data access requests. In theory, each company could analyze its own ability to solve the EU’s problems with US government surveillance, but such analyses would be expensive, inconclusive, and not binding against any EU legal challenge. Unlike Privacy Shield, SCCs do not cover all data transfer types.

Approved Ad Hoc Clauses. A US tech startup can get an EU Member State data protection regulator to approve specific contract language allowing them to export personal data from that Member State. Unlike SCCs, these ad hoc clauses are non-standard and will vary from one organization to another. This option is unappealing because it’s limited to transfers from the approving EU Member State and does not cover data transfers from the greater EU. It also requires the help of expensive European data protection counsel to draft and submit the clauses to the EU Member State regulator for approval. Plus, their non-standard language will pose problems during negotiations.

Binding Corporate Rules (BCRs). Binding Corporate Rules (BCRs) are corporate policies for data transfers within multinational company groups. They are also not appealing to startups for several reasons. First, they do not cover data transfers from or to customers, partners, or vendors; they only authorize transfers within the corporate group. Second, they are only viable for startups that have an EU subsidiary that can accept GDPR compliance responsibility. That said, US startups that are planning EU expansion often end up establishing an EU subsidiary, which could make BCRs potentially viable.

But even if a US tech startup were to have the required corporate structure, the BCR preparation, application, approval, and ongoing implementation process is expensive, involved, and lengthy. And even if a startup were to have the resources and mature corporate structure to take on BCRs, then BCRs, like SCCs, would still require additional measures to address surveillance risks, which could include adding policies and procedures for resisting government data requests. Most startups are not in a position to resist the US government.

Article 49 Derogations. Named after Article 49 of the GDPR, these are exceptions that allow for one-off data transfers. They are not supposed to be relied upon for ongoing transfers, and each exception has its own restrictive limitations.

Keeping Data Localized In The EU. Keeping data localized in the EU is not really a data transfer option; instead, it’s the “no data transfer” option. Data localization requires heavy lifting from technical teams who will need to do substantial work to set up their systems in a way that keeps EU personal data in the EU. This could mean setting up their own EU data centers or working with vendors with EU data centers.

Even if a startup were able to achieve this architectural feat for their products, EU personal data would likely still have to leave the EU given that most tech support teams are in the US or India. To truly keep the data in the EU, startups would need to hire localized support teams in the EU. Startups would also have to address their marketing, HR, and vendor/procurement systems, which may capture EU data but typically would process or store it in the US. They would also need to re-architect these systems, choose third-party software tools with configurable server locations, and train internal teams not to inadvertently export data outside the EU. It’s neither pragmatic nor achievable for a US tech startup to keep EU data solely in the EU, given their limited and focused resources.

Ignore EU-to-US Cross-Border Data Transfers. A US tech startup might be tempted to ignore EU-to-US cross-border data transfers. But compared to the remaining data transfer options, this is an even more untenable course of action. As a US tech startup scales and enters the EU market, regulatory, customer, partner, and competitive pressures will quickly force it to address the issue. The next section addresses these points.

What Should US Tech Startups Take Away From Schrems II?

Unfortunately, there’s not a one-size-fits-all solution. How a US tech startup should respond to Schrems II will largely depend on their data collection and processing practices, data systems set-up, customer and partner demands, and risk tolerance. That said, below are some takeaways to think about:

Recognize When To Worry About EU-to-US Data Transfers. A US tech startup needs to start worrying about EU-to-US data transfers just before they begin collecting personal data subject to EU data protection law. This allows them to analyze whether their data collection turns into a cross-border data transfer. As they scale and begin to expand to the EU market, they will quickly need to perform EU-to-US data transfers. This means planning for how they collect personal data from their EU customers, prospective customers, customers’ customers, employees, applicants, consultants, partners, subsidiaries, affiliates, and vendors.

Understand That Customers And Business Partners Will Demand Compliance — And That Competitors Will Take Advantage of This. Regulators are not the only ones demanding EU-to-US data transfer compliance; customers, partners, and competitors are applying the same pressure. For example, a B2B startup is unlikely to close deals with EU customers and partners — or even with US entities that are required to comply with the EU’s data transfer rules — without a clear legal mechanism for EU-to-US cross-border data transfers. These companies will demand contractual assurances about EU-to-US data transfer compliance to cover their own bases.

In comparison, a B2C startup is more public-facing, which increases its chances of getting caught non-compliant. Compared to business transactions, consumers are less likely, or unable, to raise data transfers in a transaction like an app download. But serious risks remain given the strong network of consumer privacy advocacy groups and privacy activists like Max Schrems, who are taking this issue up with the regulators and to the courts.

Additionally, a US tech startup is particularly disadvantaged when scaling globally, compared to its competitors in the EU or in the Israeli tech hub. The EU currently has a special accommodation that legalizes data transfers from the EU to Israel. The US doesn’t have any equivalent restrictions on transferring US personal data out of the US.

To overcome this disadvantage and compete in the eyes of their privacy-aware customers, a US tech startup will still have to do their best to dot their i’s and cross their t’s, even though the current data transfer options are bad. This could mean investing in data systems re-architecture, localized servers, and legal and compliance costs.

Inventory And Map Out Each Type Of EU-To-US Data Transfer. Before spending lots of cash on hiring or retaining competent data protection counsel, a US tech startup needs to understand how they collect and transfer EU personal data. This means inventorying and mapping out their EU-to-US data transfers. Only then can a US tech startup and their counsel prioritize the transfers that involve bigger risks, identify the low-hanging fruit, and implement solutions accordingly.

Get Technologists Involved In Data Transfer Solutions. In the past, lawyers largely handled EU-to-US data transfers purely through legal mechanisms, like how they drafted contracts, policies, or certifications. Those days are over. Now, companies need to get their technologists — product, engineering, security, and IT teams — involved in implementing solutions. They need to re-architect or overhaul data systems, redesign products, and deploy strong encryption.

Factor Legal & Brand Risks Into The Calculus. Companies are always worried about their legal risk, and the legal consequences of illegal cross-border data transfers can be significant: up to 4% of global annual revenue or 20 million euros, whichever is greater. Financial damages aside, startups could be effectively banned from doing business in the EU. The risk of being publicly outed as a GDPR violator is even more significant given customers’ and partners’ increasing privacy and data protection expectations.

The Gist

Given Schrems II, the related legal and brand risks, customer expectations surrounding personal data, and the catapulting of privacy into the mainstream, a US tech startup can no longer wait until closer to IPO before addressing EU-to-US cross-border data transfers. The currently remaining options are particularly bad for US tech startups, but they are much-needed Band-Aids that will enable a US tech startup to continue scaling while EU and US regulators figure out a long-term fix. Ignoring the EU-to-US cross-border data transfer challenge will not make it go away. Compliance and fines aside, a US tech startup’s brand, product, bottom line, and business operations could be directly impacted, especially as it expands into the EU market.

Founder & CEO @PIX_LLC @PrivacyTechRise | Privacy & Cybersecurity Strategist & Board Advisor | Reformed Silicon Valley Lawyer | @LourdesTurrecha