Schrems II: 3 Key Takeaways for All Companies Transferring Personal Data Outside the EU

Written by John Falzone, VP Privacy Certified
July 28, 2020

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment in the Schrems II case that will have implications for data transfers throughout the world. Specifically, the CJEU ruled on the validity of two popular safeguards utilized by companies to transfer personal data from the European Union to the United States: the EU-U.S. Privacy Shield Framework (Privacy Shield), which over 5,000 companies have certified to follow, and Standard Contractual Clauses (SCCs), which are the most utilized safeguard to effectuate the transfer of personal data in compliance with the EU’s General Data Protection Regulation (GDPR). For companies scrambling to make sense of Schrems II and to determine next steps, we want to highlight 3 key takeaways.

1. Transfer of personal data relying solely on Privacy Shield is now illegal in the EU.
In the last few years, over 5,000 companies have devoted time and resources to certifying compliance with Privacy Shield. For those companies, Schrems II is an immense disappointment. They did nothing wrong. In fact, they did exactly what they were asked to do. Nonetheless, after July 16, those companies that continue to rely solely on Privacy Shield to transfer personal data from the EU to the U.S. are violating GDPR.

EDPB has made clear there is no grace period. While EU regulators might not be rushing to file enforcement actions, the regulatory risk is high. To mitigate it, companies must take immediate action. In addition to identifying a new lawful basis on which they can rely, companies must also go through the painstaking process of looking at their processors and joint controllers to ensure they too have a lawful basis to transfer data to the U.S.

2. Privacy Shield certified companies are still bound by Privacy Shield.
Although the benefit of Privacy Shield certification may now be superficial, at best, the U.S. Department of Commerce has made clear that companies certified under Privacy Shield are still bound to uphold its principles. In other words, companies cannot simply remove the Privacy Shield disclosures from their privacy policies and move on. Even if a company decides not to renew its certification, the company will still be bound by the certification for any data collected during the time it was certified. Failure to live up to the certification could result in an enforcement action by the Federal Trade Commission.

3. Privacy Shield is not the only safeguard impacted by Schrems II.
At first glance, Schrems II was a win for the many companies relying on SCCs to transfer personal data from the EU. Afterall, the CJEU upheld the validity of SCCs in its decision. However, the CJEU’s decision is far more nuanced.

The CJEU invalidated Privacy Shield primarily because (i) U.S. federal surveillance laws, and (ii) lack of adequate redress for EU data subjects, results in less than adequate data protection for EU data subjects. Following the judgment, EDPB has made two things clear: One, the CJEU’s basis for invalidating Privacy Shield could also impact data transfers to the U.S. that rely on other safeguards, such as SCCs and binding corporate rules (BCRs). Two, the consequences of Schrems II are not limited to data transfers to the U.S. While EDPB did not explicitly say it, many third countries suffer from the same, or far worse, data protection inadequacies.

As a result, companies that rely on SCCs or BCRs to transfer data to any third country that has not received an adequacy decision from the EU must conduct a transfer adequacy assessment. If the conclusion of the assessment is that appropriate safeguards cannot be ensured when transferring the data, i.e., the company cannot overcome the inadequacies identified in Schrems II, then companies must stop the transfers or rely on an alternative mechanism.

These assessments will put an enormous burden on companies. Companies and EU supervisory authorities alike are sure to reach inconsistent conclusions. At the same time, companies are left with few choices and short of storing all EU data in the EU, will likely retain some risk.

Have more questions about the impact of Schrems II? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.CC