On 16 July 2020, the European Union’s highest court, the Court of Justice of the European Union (CJEU) delivered the much anticipated decision in the Max Schrems Case (Schrems 2). The court was asked by Ireland’s High Court to decide on key mechanisms for international transfers of personal data from the EU to the United States. The underlying cases arose out of Austrian privacy activist Max Schrems’ complaint against Facebook and Ireland’s Data Protection Commission over interpretation of key data protection provisions. Max Schrems objected to US surveillance of foreign nationals which conflicted with the General Data Protection Regulation (GDPR). The court decided that US surveillance laws and practices stand in opposition to the GDPR’s fundamental human rights protection of EU citizens. As a result, personal data transfers are non-compliant to EU law and need special attention, assessment, reviews and additional safeguards to make these compliant. The case has been called constitutional and cannot be appealed.
The Court of Justice of the European Union found that the EU/US Privacy Shield data protection adequacy decision agreed in 2016 is invalid. Personal data transfers based on this mechanism must cease. EU citizens have no real judicial remedy or equivalent protections in the US under Privacy Shield. The Swiss/US Privacy Shield remains in force but the Swiss Data Protection Authority is reviewing its position. Privacy Shield continues to operate internally in the USA based on federal enforcement mechanisms, US laws and the role of domestic regulators.
Standard Contractual Clauses (SCCs)
The European Commission’s Data Protection Standard Contractual Clauses remain lawful and enforceable. However, the court has insisted that Data Exporters (in the EU) and Data Importers (in foreign countries) must carry out more detailed checks to ensure that foreign laws and data governance rules are compatible with GDPR. Data Importers must inform Data Exporters if they are unable to comply with EU data protection law. Data Exporters must refuse to transfer personal data where specific personal data transfers are incompatible. EU Data Protection Authorities are also encouraged to intervene and review Standard Contractual Clauses and be prepared to withhold or withdraw authorisations for international personal data transfers. On 4 June 2021, the European Commission published its final updated Standard Contractual Clauses that comply with GDPR and the Schrems 2 case. On 21 March 2022, the UK published its new international data transfer regime.
Responses and Actions
- Companies and organisations should assess their exposure to Privacy Shield, work towards stopping these personal data transfers and investigate substitute arrangements. There is no grace period for compliance.
- Wait for and act on concrete guidance from each relevant EU Member State’s Data Protection Authority, the European Data Protection Board (EDPB) and the European Commission.
- Wait for the European Commission’s new GDPR-approved Standard Contractual Clauses (June 2021) and implement these by December 2022.
- Begin to review high value and high risk contracts that contain Standard Contractual Clauses (SCCs) that allow transfers to the USA.
- Review Binding Corporate Rules (BCRs) to see if personal data transfer protections from the EU to the USA need to be strengthened or varied.
EU / US and Swiss / US Privacy Shield Home Page
Schrems II European Data Protection Board (EDPB) Frequently Asked Questions
Schrems II US Federal Trade Commission (FTC) Statement
Schrems II US Secretary of Commerce Statement
Schrems II Joint Statement from European Commission and US Department of Commerce
Schrems II Ireland Data Protection Commission (DPC) First Statement
Schrems II UK Data Protection Commissioner’s Office (ICO) First Statement and Updated Statement
Schrems II European Data Protection Board (EDPB) Taskforce on Post-Schrems II Complaints
Schrems II US Department of Commerce, US Justice Department & US Office of the Director of National Intelligence White Paper on US Privacy Safeguards for SCCs and other Legal Bases
Schrems II European Data Protection Supervisor (EDPS) Strategy for EU Institutions to comply with Schrems 2 Ruling
Schrems II European Data Protection Board (EDPB) Supplementary Measures for data transfer tools to ensure GDPR compliance – Consultation
Schrems II European Commission Standard Contractual Clauses (SCCs) 2020 – Consultation
Schrems II European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) Joint Opinion 2/2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries
European Commission Final Standard Contractual Clauses (SCCs) for Data Controllers and Data Processors and also International Data Transfers – June 2021
UK Information Commissioner’s Office (ICO) Consultation on UK International Data Transfers and UK Standard Contractual Clauses – August 2021
UK Information Commissioner’s Office (ICO) Response to DCMS Consultation “Data: A New Direction” – October 2021
UK GDPR Final International Personal Data Transfers Scheme and Documents – March 2022
European Commission announcement of an EU/US Trans-Atlantic Data Privacy Framework Agreement in Principle – March 2022
White House Briefing Room announcement of an EU/US Trans-Atlantic Data Privacy Framework Agreement in Principle and FactSheet – March 2022
European Commission Questions and Answers (Q&As) for the two sets of EU 2021 Data Protection Standard Contractual Clauses – May 2022
For Further Assistance, contact PrivacySolved:
Telephone (London): +44 207 175 9771
Telephone (Dublin): +353 1 960 9370