Data transfers after Schrems II: Reflections from the Asia Pacific
Dr Clarisse Girot of Asian Business Law Institute, Mark Parsons of Hogan Lovells and Olga Ganopolsky of Macquarie Group discuss practical issues and geopolitical sensitives.
The decision of the Court of Justice of the European Union (CJEU) in Schrems and Facebook Ireland v Data Protection Commissioner (“Schrems II”) concerns the interpretation of the GDPR as a matter of EU law, but the implications of this ruling are global in their dimensions.
Until now, the consequences of the decision have mostly been analyzed in a transatlantic context, in the wake of the annulment of the EU-US Privacy Shield. Yet the ruling is very significant for APAC-based organisations with a direct or indirect EU link. In many cases, the organisation will rely on data processing infrastructure in more than one country, meaning that non-EU data privacy regimes, including those in APAC, will apply in cumulation. The decision is also significant for APAC authorities which must now assess its impact on their own data protection and transfer frameworks.
In this article, the authors seek to bring an APAC perspective to this difficult global discussion, by providing an overview of the policy challenges and practicalities of navigating the multiplicity of data transfer regimes in APAC in a ‘post Schrems II world’.
The background: APAC’s shifting data protection landscape
Despite the ongoing impact of the Covid-19 pandemic, APAC remains the world’s most dynamic region and hosts the world’s fastest growing economies. The digital economy is booming; Asia leads in digitalisation, fintech, e-commerce and a number of other “data intensive” areas of economic activity. Whilst APAC has for some time been understood to lag the EU in terms of the development of its data protection laws, recent years have seen a movement to catch up.
The national data protection laws broadly tracked the “first generation” data protection principles set out in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which also formed the framework for EU data protection laws. With the implementation of the GDPR and other modern privacy regimes, APAC laws are now drawing inspiration from “second generation” principles, incorporating extra-territorial reach, transfer provisions, revenue-based fines and concepts such as privacy by design, privacy impact assessments, breach notification, and data portability.
As APAC economies become increasingly digital in their orientation, and consumers have become increasingly vocal about data breaches and invasive data collection, there is greater awareness of the risks that data protection laws seek to redress. The “European approach” serves as an effective model of “data accountability”, even if national laws in APAC do not specifically derive from the same human rights concepts underpinning GDPR and the CJEU’s decision-making. As perhaps made most explicit in the 2004 APEC Privacy Framework, the regional approach to data regulation is often economic in its outlook – stronger data protection laws are an enabler of consumer trust in digital economies. International transfers of personal data support the use of regional technology platforms that promise efficiency and higher growth. It follows that many Asian integration initiatives seek to support the digital economy and regional or global data flows.
Data transfer provisions in APAC
In APAC as elsewhere, national data strategies generally recognise the need for rules regarding cross-border personal data transfers. At a high level, the approach taken by most jurisdictions with regard to data transfers fits with Chapter V of GDPR, as we can see a general increase in the standard of data protection across the region as national laws incorporate stronger protections, increased burdens on data exporters, and stronger powers for privacy regulators in case of violations, including with regard to the suspension or banning of transfers. Yet these rules are not always modelled after the GDPR, for instance in the Philippines or Australia, which implements an ‘accountability principle’ for the ‘overseas disclosure’ (as against ‘use’) of personal information without relying on the distinction between ‘controller’ and ‘processor’.
In addition, these regional regulatory trends, which suggest an alignment of approach, can obscure the fact that APAC jurisdictions have very diverse cultural norms and economic priorities. A closer look at regional regulatory developments reveals that some laws are more explicitly grounded in human rights considerations, some are focused on “cyber sovereignty” and national security and many others are more broadly concerned with advancing consumer protection and building confidence in the digital economy. It is also important to note that international transfer restrictions can, in some respects, support domestic economic development and at the same time serve as a lever in complex trade negotiations and geopolitical positioning.
By putting specific requirements on foreign government access to company data at the heart of the EU data transfer regime, the Schrems II ruling therefore has the indirect effect of adding a layer of complexity to a landscape already marked by legal fragmentation and uncertainty.
Schrems II in APAC: The great blur
As many questions about the ruling are yet to be debated in the EU-US context, uncertainty also prevails in APAC at the moment. The public response in the region has been fairly limited, and there is no sign that APAC authorities will issue guidance similar to that provided by the US authorities, particularly when the data protection challenges caused by government access to data are assessed by criteria other than those used in the EU (if at all). This is also because of the risk that their EU counterparts publicly disagree with their analysis. Few may in fact be sure to pass the EU test that access to data by their authorities is ‘limited to what is necessary and proportionate in a democratic society’, except currently Japan, the legal framework of which, applicable to access and use of personal data by public authorities, including oversight and individual redress mechanisms, has been positively assessed against the GDPR in the EU adequacy decision adopted in January 2019 (post Schrems I, but pre-Schrems II).
Certainly, the effort to clarify the conditions under which foreign governments may access data is ‘a universal challenge’ which has not just come into focus in APAC because of Schrems II. The subject is at the heart of the geopolitical debates that animate discussions at international forums and include many APAC economies. It is an important sub-component of the ‘Data Free Flows with Trust’ implementing the Osaka Track launched by Japan’s G20 leadership in 2019 and of consequential work ongoing at OECD and WEF, but also of China’s Global Data Security Initiative announced in September, or the Clean Network program launched by the US Department of State in August.
Schrems II marks a significant escalation of the debate due to the hefty fines and transfer suspension orders available to regulators under the GDPR in the event of a breach. While diplomatic efforts go at their own pace, businesses thus find themselves pressed to assess the impact of the decision on their non-EU operations on a very short timescale.
The level of diligence expected from EU exporters to assess the state of the law in the destination country is very high, and legitimately they will turn to non-EU importers to make clarificationsas the Court and European Data Protection Board (EDPB) suggest. Yet in most cases the importer entities have no control over the access regime available to their respective governments, so might not always be able to help if the government/regulator itself does not make clarifications. This problem applies particularly in APAC jurisdictions where little information (if any) is in the public domain about the rules and practices relating to the interception of data or government access to data (for example, in China).
Uncertainty also prevails as to the stringency of the “additional safeguards” to those offered by the Standard Contractual Clauses (SCCs) s which would be required to ensure “compliance with the level of protection required under EU law” with regard to access by the public authorities of non-EU country to that data.
It is important to note in this respect that the implementation of data sharing and transfer rules in APAC naturally led regulators to promote protections comparable to those supplementary safeguards detailed by the EDPB: encryption, de-identification, pseudonymization, organizational and contractual measures (including with regard to onward transfers), etc. These measures would also commonly be recommended and implemented under APAC’s most mature transfer regimes. Generally speaking, the perception is that the recommendations may be operationalised provided they align to a risk-based framework and allow for a working combination of controls (whether technical, organisational or contractual) to address protection, not prescribing one in favour of the other. Whilst the Court’s ruling was understood as leaving some space for an approach based on the actual risk that a government effectively requires access to that data, in contrast the EDPB draft recommendations are read as potentially ‘catching’ all transfers to such jurisdictions without distinction. There is the risk that any transfers based on the SCCs to such jurisdictions de facto become an exception rather than the rule.
Adequacy in APAC: A multi-faceted discussion
In practice, in judging what an adequate level of protection means, the CJEU has essentially given extraterritorial application to the European Charter of Fundamental Rights, thus setting ‘a very high bar for other jurisdictions to reach’. This bar, for now, may be considered passed by those APAC jurisdictions deemed adequate by the EU (Japan and New Zealand) and possibly soon in South Korea following the overhaul of its data protection regime. But with Schrems II, the ‘EU adequate’ talent pool in APAC has become very small, thus pushing the necessary cooperation on data flows between the EU and APAC jurisdictions to further diversify.
This point is significant for those APAC transfer regimes that have introduced, or sought to introduce concepts similar to adequacy, whereby data protection authorities or governments may ‘white list’ jurisdictions which are deemed acceptable for the receipt of transfers of personal data without other compliance measures being taken. However, there are many obstacles to the viability of such solutions in APAC, where picking and choosing jurisdictions for inclusion (or exclusion) from white lists immediately invites geopolitical sensitives, and can burden smaller data protection authorities with a difficult task of assessing and re-assessing jurisdictions.
A few APAC jurisdictions further, by default, require, or offer organisations the possibility to self-assess the transfer regime in the country of destination. Businesses have generally struggled to efficiently assess the adequacy of a destination’s legal system against domestic data protection standards, meaning that unless the international transfer regime allows a data exporter to rely on consent, the use of contracts or some form of certification of transferees, ‘adequacy’ represents a difficult basis for APAC economies to follow as a general means of validating international transfers of personal data. On the whole, an ‘accountability’ approach to transfers, such as the Australian Privacy Principles, thus appears to be best suited in an APAC context, and it is undoubtedly in this area that regional and international cooperation actions would be the most promising.
Contracts as key compliance tools
In practice, organizations seeking to implement international transfers of personal data in the APAC region tend to look to contracts as the key compliance tool. The Court’s ruling reinforces their practical significance, since they offer the cumulative benefit of a legally binding nature with the aptitude to anchor additional contractual provisions and controls.
The EU SCCs can provide inspiration, or even a short-cut to preparing these agreements, and the draft SCCs are seen as a significant improvement (e.g. modular structure, docking clause, removal of cross-references, and efforts to address Schrems II). That said, the use of EU SCCs for intra-APAC transfers is generally seen to be “over compliance”, given that the SCCs introduce legal rights and obligations that may have no basis in the local laws that apply to the transfer, with variations between jurisdictions (e.g. third-party beneficiary clause; joint and several liability; right of the individual to obtain a copy of the clauses). Now that the GDPR has introduced additional data processing requirements, the picture is even cloudier.
In many cases, there are practical solutions in data transfer agreements that are “right-sized” to the relevant jurisdictions, noting that key obligations such as secure processing requirements continue to be largely principles-based under APAC data protection laws, and most jurisdictions have not been prescriptive as to the form of contract or undertakings that data exporters must secure in order to achieve compliance. The Model Contractual Clauses recently published in New Zealand, the model clauses currently revised in Hong Kong, or the ASEAN model clauses to be adopted in 2021, are thus all intended as non-binding.
Last but not least, although not the intent of CJEU, there is concern that the decision may also encourage countries to adopt data localisation laws. Data localisation has risen to prominence in the APAC region, particularly with China’s introduction of a localisation measure as part of its 2017 Cyber Security Law, a measure which has been replicated in its draft Data Security Law and Personal Information Protection Law. India’s draft Personal Data Protection Bill includes a similar measure and there are a number of sector-based data localization measures in place across the region. If EU data protection policy could be interpreted as pushing towards localisation—albeit ‘by contract’ where service providers are asked to host data in EU/EEA servers rather than by law, APAC region lawmakers could follow suit, particularly in the current geopolitical climate, which shows some tendency towards trade protectionism and increasing concerns about cyber sovereignty. Data localisation, whether explicit or by imposing criteria or standards which are unachievable in practice, would seriously undermine the progress that has been made towards working models for APAC data transfers.
International data flows support global business models, and in effect national and regional data transfer regimes have become inter-dependent. A peculiarity in APAC, which is not shared in the transatlantic context, is that the extraterritorial effect of GDPR is articulated in this region with an increasing number of laws and rules relative to personal data transfers, which will inevitably lead to conflicts. Viable solutions for cross-border data transfers may only be found if the underlying challenges are acknowledged globally, and a collective response is brought that will come from within and outside the EU.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.
This analysis has first been posted at Privacy Laws & Business International Report 168, December 2020: www.privacylaws.com/reports
Dr Clarisse Girot, Senior Fellow, Data Privacy Project Lead, Asian Business Law Institute, Singapore; Mark Parsons, Head of Corporate Practice, TMT Partner at Hogan Lovells, Hong Kong; and Olga Ganopolsky, General Counsel, Privacy and Data at Macquarie Group, Sydney.
 (2020) CJEU Case C-311/18
 Recent developments include: Data Protection Bills pending in India and Indonesia; a draft Personal Information Protection Law recently released in China; reviews of existing comprehensive data protection laws recently completed in New Zealand, Japan, South Korea, and Singapore, and ongoing in Australia, Hong Kong, Malaysia, and the Philippines. Thailand’s PDPA will come into force in 2021.
 Cf. the e-Commerce chapters in CPTPP and RCEP, or the ASEAN Framework for Personal Data Protection
 Australian Privacy Principle (APP) 8
 See for instance Blog of the Privacy Commissioner of New Zealand, “International data transfers: The Schrems II decision” (6 August 2020), https://privacy.org.nz/blog/international-data-transfers-the-schrems-ii-decision/
 White Paper released by the US Depts. of Commerce and Justice, and the Office of the Director of National Intelligence, “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II” (July 2020)
 Commission Implementing Decision (EU) 2019/419 of 23 January 2019 on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information, Paras. 113 and ff.
 Eduardo Ustaran, Unspoken truths about Schrems II, Hogan Lovells Engage 29 September 2020
 C-311/18 (Schrems ll), paragraph 134
 Samm Sacks, ‘China’s cybergovernance system and Chinese government access to data’, testimony before the US Senate Governance Committee, 2 March 2020
 C-311/18 (Schrems ll), paragraph 133
 Cf. for instance the APP Guidelines, Chapter 8 (8.16), in Australia
 This interpretation is based on Paragraph 134 of the ruling which refers to the need to verify “on a case-by-case basis” whether the personal data transferred under the SCCs would not be adequately protected under EU law by the law of the destination country.
 Eduardo Ustaran, ibid