To understand how the Schrems II decision is affecting companies’ operations, we analyzed annual 10-K reports. SEC rules require that 10-Ks provide detailed information on certain key topics, including “Risk Factors.” According to the SEC, under this topic heading a company will provide information “about the most significant risks that apply to the company or to its securities.”
First, we searched for 10-K reports using the term “Privacy Shield” from January 1, 2021 to February 28, 2022. This yielded over 600 results (the SEC makes available a tool for searching company filings, known as EDGAR.). This means that Privacy Shield was mentioned over 600 times across companies’ 10-K reports and exhibits. Amending the start date to January 1, 2016, the year the Privacy Shield framework was created, yielded almost 1,500 results. Second, we searched 10-K reports for “Schrems II” from January 1, 2021 to February 28, 2022. This search returned over 130 results. Most of the companies that referred to “Privacy Shield” and “Schrems II” did so under the Risk Factors section of their 10-K.
Companies cited several concerns in their 10-K reports regarding the Schrems II decision. First, many mentioned that without a valid solution for data transfers, they will have to decrease data processing abilities in Europe or “localize” the data at “significant expense.” Second, companies said they may have to reduce or terminate services to European customers. Third, companies may face additional legal liabilities to comply with new regulations regarding personal data from the EU. All these issues will affect companies’ operations and financial conditions. This was true for companies across various industries including biopharmaceutical, marketing, cloud services, security, communications, and more.
Provided below are excerpts from a sample of 10-K reports that we reviewed.
“If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads, which could adversely affect our financial results . . . If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations.”
“The inability to import personal information from the European Economic Area, U.K. or Switzerland could restrict our clinical trial activities in Europe, limit our ability to collaborate with contract research organizations, service providers, contractors and other companies subject to European data protection laws, interfere with our ability to hire employees in Europe and require us to increase our data processing capabilities in Europe at significant expense.”
“If we are unable to implement a valid solution for personal information transfers from Europe, we will face increased exposure to regulatory actions, substantial fines, and injunctions against processing or transferring personal information from Europe, and we may be required to increase our data processing capabilities in Europe at significant expense. Inability to import personal information from Europe to the United States or other countries may decrease demand for our products and services as our customers that are subject to the GDPR may seek alternatives that do not involve personal information transfers out of Europe. Our inability to import personal information to the United States and other countries may decrease the functionality or effectiveness of our products and services and adversely impact our marketing efforts, plans and activities. ”
“We may experience reluctance or refusal by current or prospective European customers to use our products, and we may find it necessary or desirable to make further changes to our handling of personal data of EEA residents. The regulatory environment applicable to the handling of EEA residents’ personal data, and our actions taken in response, may cause us to assume additional liabilities or incur additional costs and could result in our business, operating results and financial condition being harmed . . . Additionally, we may be or become subject to data localization laws mandating that data collected in a foreign country be processed only within that country. If any country in which we have customers were to adopt a data localization law, we could be required to expand our data storage facilities there or build new ones in order to comply. The expenditure this would require, as well as costs of compliance generally, could harm our financial condition.”
“Following any issuance of final new SCCs, and in light of relevant regulatory guidance, we will need to identify different transfer mechanisms and/or change our use of SCCs in order to lawfully transfer certain personal data from the European Union to the United States. This could result in substantial costs, require changes to our business practices, limit our ability to provide certain products in certain jurisdictions, or materially adversely affect our business and operating results.”