Does your company transfer personal data between the EU (including the UK) and the US?

If so, you may need assistance to navigate the complexities of the July 2020 Schrems II ruling to ensure your company’s data transfers are compliant. 

Our consultants have the analytical expertise, knowledge, and hands-on experience to work with your internal teams to put necessary new procedures in place.

Schrems II – what is it, and how might it affect my business?

The Schrems II ruling is a change in the way organisations transfer personal data between the EU and US that became immediately effective on 16 July 2020.

Until recently, there was a EU-US privacy shield in place that enabled personal data transfer in a compliant way, but it was removed in July by the Court of Justice of the European Union (CJEU) with immediate effect, because the privacy shield was determined to be incompatible with the protections afforded and required by EU law.

While the EU-US Privacy Shield has been completely invalidated, the Standard Contractual Clauses (SCCs) are still in place, but with strict conditions – however, the execution of SCCs alone are insufficient to meet the export requirements of the EU GDPR. Now, organisations must first undertake an assessment to ensure that data subjects are afforded appropriate safeguards, enforceable rights and effective legal remedies. This involves considering the provisions of the SCCs and the laws of the data importer’s country on a case-by-case basis, which could result in additional safeguards to remedy shortcomings (such as encrypting personal data in transit).

EU businesses are looking to their Data Protection Authorities (DPAs) for guidance, however there are differences in opinion between DPAs as to how to proceed. Whilst international data transfers must and will continue, conditions remain uncertain.

Who ordered the requirement and why?

Schrems II originated in 2015, when Austrian privacy advocate Max Schrems filed a complaint with the Irish Data Protection Commissioner (DPC) alleging that the transfer of his personal data from Facebook Ireland to its parent company in the US, made on the basis of SCCs, did not protect his rights under EU law, as they lacked safeguards against US government surveillance. 

Following invalidation of the Safe Harbour in Schrems I, Ireland referred a preliminary ruling to the CJEU, who ultimately invalidated the EU-US Privacy Shield Decision, which can no longer be relied upon for EU-US data transfers (Schrems II).

Whom does it affect?

Schrems II affects all EU businesses that transfer personal data outside the EU – particularly between the US and the EU, due to the EU-US Privacy Shield Decision. Organisations are still working to understand their exposure, but there are three key takeaways:

1. Companies that previously relied on the EU-US Privacy Shield for data transfers between the EU and the US need to implement alternate safeguards.
2. Countries now have to follow the level of data protection provided in the ‘third country’ – the country outside the EU. That requires monitoring the relevant aspects of the legal systems of these countries to be integrated into compliance programmes.
3. The EU commission confirmed working on alternative instruments for personal data transmission and the further development of new safeguards by the EU Commission should be followed closely.

Where do I start? 

Our Schrems II Checklist below provides insight into what your Procurement, Legal, and Regulatory Compliance departments will need to review to put procedures in place that satisfy EU to US personal data transfers.