For latest guidance and information on the Schrems II decision, visit the TrustArc Privacy Shield Ruling Resources page.
On July 16th, 2020, the European Court of Justice (CJEU) released its highly anticipated decision in Case C-311/18, otherwise known as Schrems II. The CJEU ruled that the EU-U.S. Privacy Shield is invalid. At the same time, the Court ruled that the system of Standard Contractual Clauses (SCCs), which allows for data transfers from the EU to third countries, remains valid. While existing SCCs remain valid, supervisory authorities and data controllers must now assess the situation in the destination country on a transfer-by-transfer basis. TrustArc’s team of experts actively monitors global privacy developments and has provided the top ten frequently asked questions about the Schrems II decision to help organizations understand the impact of this judgement.
What do I need to do about my current Privacy Shield self-certification?
The U.S. Department of Commerce (DOC) has stated that it will continue to operate Privacy Shield and expects participants to continue to uphold their Privacy Shield obligations. The U.S. DOC, the European Commission, and the European Data Protection Board (EDPB) have all indicated that they intend to create a successor to Privacy Shield. Remaining in Privacy Shield may simplify your transition to a successor arrangement between the EU and the U.S. At this time, you are required to continue to uphold your Privacy Shield protections for data you have collected pursuant to Privacy Shield. You do need to put in place an alternative mechanism to transfer personal data from the EU to the U.S., since Privacy Shield can no longer be used for that purpose.
Are prior data transfers under EU-US Privacy Shield affected?
All prior data transfers remain subject to the obligations of Privacy Shield.
Will there be a grace period?
The EDPB has released guidance stating that there will be no grace period. Given that Privacy Shield has been invalidated by the Court, companies that have relied on it for EU-U.S. data transfers will need to find an alternative legal basis for those transfers without undue delay.
Will there be a replacement for Privacy Shield?
We expect a replacement for Privacy Shield to be negotiated between the European Commission, the EU Member States and the U.S. Government. At this time, no details on timeline or scope are available. Based on the CJEU decision, if changes are not made to U.S. law, it is possible that a replacement arrangement may have a more limited scope, restricted to organizations that are not subject to national security surveillance program requests.
The Department of Commerce has stated that it will continue to operate the Privacy Shield. Is there a benefit of continued participation?
The U.S. DOC, the European Commission, and the EDPB have all indicated that they intend to create a successor to Privacy Shield. Remaining in Privacy Shield may simplify your transition to a successor arrangement between the EU and the U.S. At this time, you are also required to continue to uphold your Privacy Shield protections for data you have collected pursuant to Privacy Shield. Remaining in Privacy Shield will simplify these processes for your organization and, depending upon how you have structured your privacy program, may also help your organization comply with other international data transfer commitments, such as those you would need to make if you are able to enter into SCCs for data transfers you receive.
What have the European regulators and authorities said about the decision and Privacy Shield?
Various authorities have provided guidance or statements on the decision, including specifics regarding data transfers under Privacy Shield. Visit our website’s Resources page to read the latest regulator guidance. On 24 July, the EDPB released a first version of an FAQ document, providing initial answers on the Schrems II fallout.
Can I transfer personal data from the EU to the U.S. under SCCs?
As long as the data are not subject to collection and/or access by U.S. authorities for national security purposes, SCCs can be used on a case-by-case basis, subject to an assessment of whether the U.S. data importer can meet its SCC obligations for the specific data processing. This means the burden of proof on both the data exporter and the data importer in the third country has increased: they must verify that they can meet all the requirements of the SCCs. The data importer will also need to confirm that it will fully respect all the core principles under GDPR. It also means that the data importer and exporter will need to assess the legislation of the third country to see whether, for example, they are subject to surveillance laws that may interfere with data subjects’ rights. If that is the case, then the transfer cannot take place based on SCCs. The same applies to Binding Corporate Rules (BCRs).
In its FAQ document, the EDPB indicated that it will provide further guidance on the legal, technical and organisational measures that could be taken to supplement SCCs to ensure a continued lawful data transfer.
What assessment criteria should I consider for whether the data importer can meet its obligations under the SCCs?
- Is the data importer a provider of services that facilitate communications or electronic interactions between individuals, e.g., an Internet Service Provider or electronic communication services provider?
- Has the data importer ever been subject to a data access request for national security purposes?
- Has the data importer ever been subject to a data retention request for national security purposes?
If the answer is “yes” to any of these, and the data importer is not in a country recognized by the EU as providing “adequate protection,” then SCCs are unlikely to be a valid transfer option in the absence of express authorization from the DPA in the originating country. If the answer is “no,” proceed with a third-party risk assessment to evaluate the effectiveness of the importer’s controls.
Are the other transfer methods still valid for transferring data?
All data transfer mechanisms included in the GDPR remain valid. The CJEU has invalidated one of the adequacy decisions (the one for Privacy Shield) and has set stricter assessment criteria for the use of the other transfer mechanisms.
If my U.S. business shifts server or data location to the EU do I still have a need for a data transfer mechanism?
That depends on how the data is being processed within the company. As long as the data is stored on servers in the EEA and only accessed from within the EEA, no data transfer mechanism will be needed. However, as soon as the data is accessed from outside the EEA, a data processing operation is taking place (according to the definition in Article 4(2) GDPR), which also constitutes a data transfer and thus requires the use of a transfer mechanism. In addition, if the company is subject to U.S. surveillance legislation, including but not limited to Section 702 FISA and E.O. 12333, using an EU server is not a guaranteed protection. Both have a broad scope that allows the U.S. intelligence and security services to collect data outside U.S. territory as well.
Need guidance with next steps? Learn about the International Data Transfer Risk Package.