Data Privacy News: Step-by-step guide to Schrems II and Privacy Shield’s invalidation, and what it means for you

6 minute read

Data Privacy News: Step-by-step guide to Schrems II and Privacy Shield’s invalidation, and what it means for you

Topics: Data Privacy

By Sophie Chase-Borthwick on 21 July 2020

Last Thursday, the Court of Justice of the EU (CJEU), the European Union’s top court, struck down the EU-US data sharing agreement, Privacy Shield, technically known as the EU-US Data Protection Shield.

 

The case known as Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (also referred to as Schrems II) ruled that the data sharing agreement between the EU and the US, Privacy Shield, is not suitable as it does not provide adequate protection for EU citizens’ personal data when stored in the United States. 

Schrems II

“The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield”

 

The above quote is the opening statement of the official press release from the CJEU regarding the case. Whilst the sentence appears simple enough, its ramifications are far more serious, and essentially puts thousands of businesses at risk of breaching GDPR.

 

Privacy Shield was one of the few mechanisms under GDPR where EU personal data could be transferred to the US, and with its immediate shut down, it leaves over 5,300 organizations who relied on this mechanism to find a new and safe way to transfer data.

 

The history behind the Schrems II ruling

June 2013

In June 2013, National Security Agency (NSA) whistleblower, Edward Snowden, discloses information regarding PRISM, a US government surveillance programme that collected data from some of American’s biggest tech companies which included Facebook, Google and Apple.

June 2013

In light of Edward Snowden’s disclosures, Max Schrems files his complaint to the Irish Data Protection Commission regarding Safe Harbor, an agreement prior to Privacy Shield, that was used to transfer EU citizens’ data to the US.

 

Schrems argued that by collecting his personal data and transferring it to the US for processing, Facebook was exposing him to mass surveillance, which is illegal under the EU’s Charter of Fundamental Rights.

June 2014

The following year, the Irish High Court refers the case, now referred to as the "Safe Habor decision" or “Schrems I”, to the CJEU (“Max Schrems v. Data Protection Commissioner”)

October 2015

The CJEU rules in Schrems’ favour and invalidates Safe Harbor, as it does not offer EU citizens adequate protection of their personal data against mass surveillance programmes in the US.

October –
December 2015

With the same motive as in 2013, i.e. resenting the potential exposure of his personal data to mass surveillance, Schrems files a second complaint to the Irish Data Protection Commission re the use of EU Standard Contractual Clauses, known as “Data Protection Commissioner v Facebook Ireland and Maximillian Schrems”. The case will also be referred as “Schrems II”.

July 2016

EU-US Privacy Shield was adopted as a mechanism for EU data transfers to the US, replacing Safe Harbor.

October 2017

The Irish High Court refers the Schrems II case to the CJEU

May 2018

On the 25th May 2018, Europe enforces its new data protection framework, the General Data Protection Regulation (GDPR) .

July 2019

The first hearing on the case Schrems II takes place at the CJEU

December 2019

CJEU Advocate General publishes his opinion on the Schrems II case.

16 July 2020

CJEU announce their judgement on the case, with Privacy Shield being immediately invalidated, but upholding data transfer via SCCs.

 

What did they say and why?

The important thing to note is that this decision was not based on business practices within the US, but in fact, on the surveillance and the regulatory climate within the USA.

 

As the U.S. Chamber of Commerce Executive Vice President and Head of International Affairs states, “…[the case] focuses not on commercial uses of data, but on concerns over potential government access.

 

There were two main rulings re Privacy Shield:

 

interface (1) US law enforcement agencies’ surveillance is not “limited to what is strictly necessary” – the EU standard. Therefore, any EU personal data transferred to the US under Privacy Shield is additionally – and unacceptably – exposed to surveillance. In fact, the judgement also revealed that strictly, US law states that surveillance on non-US citizens only needs to be “as tailored as feasible”.
interface (3) Protection of EU citizens’ privacy rights in the US is too weak. Neither EU member states, nor the US Ombudsman (set up to help EU citizens make any case) have either the authority or the practical ability to enforce GDPR in the US.

 

Considering these findings, it hardly comes as a surprise that the result came in as it did.

 

“In the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid.”

 

There was then an additional key ruling on Standard Contractual Clauses:

interface (4)

 

Standard Contractual Clauses remain valid, though with a caveat that both the data “exporter” and “importer” must review whether the destination country offers a level of protection equivalent to that of the EU, and in particular what data access rights the country’s authorities may have.

Given the surveillance and regulatory climate of the US, and the judgement also actively encouraging Supervisory Authorities to strike down any SCCs where the guarantees within them are not upheld or capable of being upheld, it is unclear for how long SCCs will survive as a recognised legitimate mechanism.

 

Unsurprisingly, guidance is soon expected from the EU and Supervisory Authorities, though in the meantime, SCCs are an entirely legitimate data transfer mechanism.

 

What does this mean in practice?

If your business transfers EU data subjects’ data to the US, you may need to take certain steps to ensure continued compliance with the GDPR.

 

Circumstances include:

  • US-based organizations receiving data from EU customers
  • Moving data internally within your organisation, for example from EU regional office to US HQ
  • Using US suppliers for EU service delivery
  • …and plenty more

If any of these or similar circumstances apply to you, we have set out below some “what if…?” scenarios to help guide your next steps.

 

1. What if I am Privacy Shield-certified?

Privacy Shield may be insufficient, but it is still in operation. The US Chamber of Commerce has stated that it will

 

“continue to administer the Privacy Shield program…[and] today’s decision does not relieve participating organizations of their Privacy Shield obligations.”

 

 

Therefore, if you are Privacy Shield-certified, you must maintain this certification unless you formally withdraw from the scheme.

 

However, on top of this certification, you will now have to implement another mechanism for the lawful transfer of EU Personal Data to the US.

 

2. What if I only rely on Privacy Shield to transfer personal data from Europe to the US?

The Judgement has determined that Privacy Shield does not offer suitable protections for the transfer of EU Personal Data to the US. This means that you must put in place one of the following mechanisms with immediate effect, and then update your data sharing policies and documentation to reflect the change.

 

Standard Contractual Clauses

This is likely to be the most common mechanism relied on for transferring personal data to the US.

 

SCCs are contract articles pre-approved by the EC for use by organisations performing international transfers of EU personal data. They create the necessary obligations – beyond those of typical GDPR compliance clauses found in many supplier contracts – for how the data should be handled by the receiving party (in this case, based in the US).

 

However, given the uncertainty over SCCs’ future usefulness, this risk ought to be entered on your risk register.

 

Binding Corporate Rules

Binding Corporate Rules (legal mechanisms that allow multinational companies to transfer EU personal data to entities outside Europe) would likely be suitable for protecting EU Personal Data moving to the US. However, these require Supervisory Authority approval and take months if not years to finalise. These are therefore unlikely to be a viable option unless your business already has Binding Corporate Rules already in place.

 

If you are in the process of putting in place Binding Corporate Rules that cover transfers to entities outside Europe, but these are not yet approved, then you will still have to utilise another mechanism pending their approval – most likely, Standard Contractual Clauses.

 

Derogations

There are limited situations in which transfers of personal data to the US may be permitted without any formal mechanism in place. You should obtain legal advice if you are intending to rely on a derogation, as their application is very limited.

 

Consent

If you do not believe you will be able to put Standard Contractual Clauses in place and none of the other mechanisms apply, you should obtain the consent of your European data subjects to any transfer of their personal data to the US.

 

Please note that this consent must still comply with GDPR requirements – i.e. it must be freely given, specific, informed, and unambiguous.

 

3. What if I already have Standard Contractual Clauses or Binding Corporate Rules in place?

Standard Contractual Clauses and Binding Corporate Rules continue to be recognised as an appropriate safeguard for personal data transfers outside Europe.

 

 

Note from our experts on SCCs

Technically, Standard Contractual Clauses only cover transfers from European controllers to non- European processors/controllers, the general consensus has historically been that they will not be challenged if used in relation to transfers from European processors to non-European sub-processors / controllers, although that may change with the new judgement.

 

Note too that some Data Processing Agreements may even expressly require the non-European based processor to put Standard Contractual Clauses in place with their non-European sub-processors. You should, nonetheless, get legal advice on whether Standard Contractual Clauses would be enforceable in these circumstances.

 

 

Calligo designs continuous safety, privacy, and protection into every business data use, ensuring that every action is legal, ethical, and meaningful.

 

Find out more about our Data Privacy Services and how our experts in data privacy, data security and technology can build and support your data privacy programme by clicking below, or alternatively, contact the team directly, here

 

Data_Privacy_Regulation_Services

 

Data Privacy Services

Trust in safer data, that drives performance, innovation and growth