On July 16, 2020, the Court of Justice of the European Union (CJEU) published their highly anticipated ruling in the Schrems II (Irish Data Protection Commissioner vs. Facebook & Schrems) case.

This case and decision will have long lasting impacts on companies transferring data from the European Union to the United States due to the fact that the decision invalidates the EU-US Privacy Shield Framework but upholds Standard Contractual Clauses (SCCs).

In this article, we will discuss data transfer mechanisms under GDPR, the decision made in this case and its consequences and tips for changing your personal data management practices in light of this decision. 

What obligations does GDPR impose on transfers of personal data? 

The General Data Protection Regulation (GDPR) is a privacy law that protects the personal data of residents of the European Union. The law is highly enforced and has a very strict set of obligations, including Privacy Policy, data collection, individual rights and data transfer requirements. GDPR provides that transfers of personal data to a third country or an international organization can take place only under the following general principles:

1. The Commission has determined that the third country or international organization ensures an adequate level of protection for the personal data transferred there; or 
2. The controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available. This provision includes binding corporate rules, standard data protection clauses, codes of conduct, certification mechanisms and SCCs.

If you cannot meet the conditions above, GDPR also sets forth the following additional set of circumstances that allow for personal data transfers:

1. The data subject has explicitly consented to the proposed transfer; 
2. The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures taken at the data subject’s request; 
3. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject; 
4. The transfer is necessary for important reasons of public interest; 
5. The transfer is necessary for the establishment, exercise or defense of legal claims; 
6. The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or 
7. The transfer is made from a register which, according to EU or Member State law, is intended to provide information to the public and which is open to consultation.

As you can see, there are a multitude of mechanisms under which one may transfer personal data from the EU to a third country or an international organization. In the US, many companies have been using the EU-US Privacy Shield Framework and SCCs to transfer data for quite some time now. 

What is the EU-US Privacy Shield Framework?

The EU-US Privacy Shield Framework was created and implemented as a method for companies to transfer personal data from the EU to the US. In 2016, the European Commission deemed this framework as adequate under GDPR Article 45, thereby allowing for transfers of personal data. The Privacy Shield Framework strived to protect the fundamental privacy rights of EU residents when their data was transferred to the US. Specifically, Privacy Shield included:

• Strong data protection obligations on companies receiving personal data from the EU; 
• Safeguards on US government access to personal data; 
• Effective protection and redress for individuals; and 
• An annual joint review by the EU and US to monitor the correct application of the arrangement.

The EU-US Privacy Shield Framework allowed companies to opt in and receive its protection after an assessment process was completed. Companies that wanted to be certified under this framework, has to meet the following requirements:

• Inform individuals about data processing; 
• Provide free and accessible dispute resolution; 
• Cooperate with the Department of Commerce; 
• Maintain data integrity and purpose limitation; 
• Ensure accountability for data transferred to third parties; 
• Ensure transparency related to enforcement actions; and 
• Ensure commitments are kept as long as data is held.

The framework has been relatively popular with US-based companies, with over 5,000 organizations certifying that they are participating in the framework. The Schrems II decision will directly impact all of the organizations on the Privacy Shield Framework List.

How does the Schrems II decision impact the EU-US Privacy Shield Framework? 

The Schrems II case argued that Facebook’s data transfers from Ireland to their servers in the United States is in violation of GDPR. Mr. Schrems claimed that the US does not offer sufficient protection for personal data and requested that such transfers be stopped. The CJEU discussed the surveillance practices undertaken by the US government and found that transfers of personal data to the US under the Privacy Shield Framework would put the fundamental privacy rights of EU residents in jeopardy. Specifically, the CJEU cited the ability of US public authorities to obtain broad access to personal data under surveillance programs and the fact that Privacy Shield’s Ombudsperson function was deficient. Thus, the CJEU invalidated the Privacy Shield Framework. This means that US companies can no longer use the framework to receive personal data from the EU and must establish a different transfer mechanism to stay compliant with GDPR. 

What are Standard Contractual Clauses and how are they affected? 

SCCs are data protection clauses in a contract that allow for the transfer of personal data from the EU to a third country or international organization. These standard clauses are intended to provide privacy and security safeguards inherent in GDPR, including data subject rights. Using SCCs would lead to international data transfers not violating data subject rights. The Schrems II decision upheld the use of SCCs for data transfers, but it also included a warning to companies that blindly use SCCs without first examining all of the circumstances of the data transfer.

The CJEU stated that data controllers must verify whether the law of the third country to which data is sent ensures adequate protection under EU law. Data controllers are also required to verify, prior to any transfer, whether the level of protection required by the EU is respected by the third company. Anyone using SCCs for data transfers will now need to examine those transfers on a case by case basis, and need to become or hire experts to understand how certain governments protect privacy, which is no small feat. If you cannot confirm that data subjects will get adequate protection, even with SCCs in place, the data transfer must end. 

What now? Tips for compliance in light of Schrems II

The Schrems II decision will have a large impact on organizations relying on the EU-US Privacy Shield and SCCs for international transfers of personal data. If you use Privacy Shield, you must determine an alternative legal basis for transfers such as binding corporate rules or SCCs. If you are using SCCs, you will need to perform a case by case assessment to determine if there are sufficient data protections in the transfer. If there are not, you will need to end such transfers.