On 16 July 2020, the Court of Justice of the European Union (‘CJEU’) issued its Schrems II decision in Data Protection Commissioner v. Facebook Ireland and Schrems (Case C-311/18), which held that the EU-U.S. Privacy Shield Framework is no longer a valid mechanism for transferring personal data from the EU to the U.S.
The decision has affected many businesses, because Privacy Shield was one of the most widely used mechanisms for personal data transfers between the EU and the U.S. It also called into question whether EU organisations can continue to lawfully transfer personal data to the U.S. and to other third countries.
Prior to Schrems II, most organisations relied on data transfer agreements, the Standard Contractual Clauses (‘SCCs’), to transfer personal data to countries outside the EU. Organisations transferring personal data to the U.S. also often relied on the EU-U.S. Privacy Shield. The CJEU was asked to consider whether U.S. law and practice on access to personal data by the intelligence services meant that either or both of these mechanisms should be invalidated.
The decision concluded that the Privacy Shield is invalid for two main reasons:
SCCs remained valid; however, the CJEU placed a heavy burden on data exporters wishing to use them. The exporter must assess the law and practice of the country to which the data will be transferred, in particular whether public authorities may gain access to the data, and additional safeguards beyond the SCCs may be required. The CJEU did not specify what those additional safeguards might be; the European Data Protection Board (‘EDPB’) later addressed this in its recommendations on supplementary measures following the Schrems II ruling.
The case is the continuation of an earlier complaint made by privacy activist Maximilian Schrems against Facebook in 2013. In that complaint, filed with the Irish data protection authority, Schrems argued that Facebook Ireland’s transfer of EU citizens’ personal data to Facebook in the U.S. under the Safe Harbor framework violated their privacy rights, because the data could be accessed by U.S. intelligence agencies both in transit to and while stored in the U.S. According to Schrems, this breached EU data protection law (at the time the Data Protection Directive 95/46/EC, the predecessor of the GDPR) and, more broadly, EU law.
On 6 October 2015 the CJEU held that the Safe Harbor framework was invalid (Schrems I). Among other reasons, the decision rested on the finding that U.S. legislation did not limit the interference with individuals’ rights to what is strictly necessary.
As Facebook could no longer rely on Safe Harbor after Schrems I, it turned to SCCs as the alternative mechanism for legitimising its EU-to-U.S. data flows. Schrems then reformulated his complaint to challenge transfers of personal data to the U.S. performed on the basis of SCCs, which ultimately led to Schrems II.
On 4 June 2021, the European Commission adopted new EU SCCs which, according to the Commission, reflect the requirements of the GDPR and take account of the CJEU’s Schrems II judgment, ensuring a high level of protection for the personal data of EU citizens.
The new SCCs require the parties to conduct a so-called “Transfer Impact Assessment” (‘TIA’) to verify that the safeguards provided by the SCCs are not undermined in practice by the law or practice of the third country, so that the transfer still guarantees an adequate level of data protection. The assessment must be documented and made available to the competent supervisory authority on request. If no TIA is prepared, the transfer cannot validly rest on the SCCs, and the result is an unlawful transfer of personal data from the EU to a third country.
In addition, on 18 June 2021, the EDPB adopted its final recommendations on safe transfers of personal data outside the EU, set out as a six-step guide for companies and organisations. The recommendations resolve much of the confusion that had persisted in the industry since Privacy Shield was struck down by Schrems II.
Here is what you need to know to make sure you are transferring data safely post-Schrems II:
Know your data transfers, i.e. map where in the world you send personal data and to whom, including onward transfers by your processors.
Once you have mapped all transfers of personal data to third countries, make sure you are using the right transfer mechanism. If there is no adequacy decision from the European Commission for the destination country, you need to rely on one of the transfer tools listed in Article 46 GDPR, such as the SCCs or binding corporate rules.
Assess whether the law or practice of the third country can guarantee a level of protection for data subjects and their personal data essentially equivalent to that in the EU, or whether it undermines the safeguards of your transfer tool. The best practice is to conduct a TIA for every one of your data transfers.
You may need to identify and adopt supplementary measures. This step is only necessary if your TIA reveals that the third country’s legislation does not offer an essentially equivalent level of data protection.
The supplementary measures in the EDPB recommendations include:
Once you have identified effective supplementary measures, take any procedural steps their adoption requires and document your data transfer practices, including the assessment on which they rest.
The EDPB expects you to re-evaluate your data transfer practices at appropriate intervals, so that you stay up to date with legal and practical developments in the countries to which you send personal data.
If you would like a tool to help you with mapping all your data transfers, you are welcome to contact us at Openli.
We’ll be happy to show you how we can automate the work related to mapping your data transfers and documenting your transfer risk assessments.