The Court of Justice of the European Union (CJEU) didn’t give Maximillian Schrems exactly what he wanted in his second big international data privacy case (now known as Schrems II).
He argued the use of standard contractual clauses (SCCs) and the EU–U.S. Privacy Shield by organizations for cross-border data transfers meant individuals were not guaranteed the same privacy they had in the EU.
The EU–U.S. Privacy Shield was just a few years into its adoption by organizations for cross-border transfers of personal data from the EU to the U.S., following the outcome of Schrems’ first big case.
The CJEU did rule the EU–U.S. Privacy Shield to be invalid, but the primary focus of Schrems’ argument was on the validity of SCCs.
Although, at the time, the CJEU ruled the use of SCCs was still valid, the court explicitly noted the SCCs needed modernizing to align with the GDPR and other laws relating to international transfers of personal data.
The SCCs have been reviewed and updated several times since.
International data transfers before the Schrems II decision
Before the summer of 2020 (and the Schrems II decision), the European Economic Area (EEA) had a simple, three-pronged approach for permitting international data transfers:
- Adequacy decisions
- Appropriate safeguards
- Specific derogations (exemptions).
All three were designed to allow personal data originating in the EEA to be transferred to or accessed from another country (any country or territory outside the EEA) provided certain conditions were met.
Adequacy decisions
Adequacy decisions meant the European Commission had determined a country’s personal privacy legislation offered an essentially equivalent level of data protection as that offered in the EEA.
Appropriate safeguards
Appropriate safeguards for international data transfers had to be approved by the supervisory authority, whether the transfers included the use of SCCs, ad hoc contractual agreements, certifications, codes of conduct or binding corporate rules.
Specific derogations
Specific derogations or exemptions in contracts covering personal data transfer to or access from another country were allowed if neither of the first two options applied, but only under very strict rules.
Rules about individuals giving consent for international transfers of their personal data for example, noted an individual must be properly informed of their rights and given genuine choice and control over how their data was used.
In the EEA, derogations could not be used for any massive, continuous or structural data transfers.
GDPR Article 44: general principle for transfers
The EEA’s use of the three-pronged approach suggested the lower the administrative burden on the controller to start an international data transfer, the higher the initial assessment threshold should be.
Clearly, the level of protection of natural persons guaranteed by the General Data Protection Regulation (GDPR) should not be undermined.
Under the GDPR, any EU-originating international data transfer could be restricted by conditions set out in Article 44:
- Under Chapter 5, it prohibits international data transfers beyond the EU to a recipient country that cannot prove adequate data protection is provided.
- It also states all provisions of Chapter 5 must be applied to “ensure the level of protection of natural persons guaranteed by this regulation is not undermined”.
International Data Transfers After the Schrems II Decision
The GDPR become enforceable on May 25, 2018, approximately halfway into the Schrems II case.
Indeed, it was Schrems’ argument to the Irish Data Protection Commissioner that Facebook’s international data transfers did not comply with the GDPR that led to the Schrems II case being heard by the CJEU from July 2019 to July 2020.
He raised concerns that when his personal data was transferred from Facebook’s servers in the EU to its servers in the U.S., his privacy became vulnerable because his data might be accessed by U.S. intelligence agencies using the U.S. data privacy law exemptions for national security concerns.
Schrems and the Irish Data Protection Commissioner both highlighted Article 44 of the GDPR in their arguments during the CJEU hearing.
The court’s decision on Schrems II changed the dynamic of the EEA’s three-pronged approach to allowing international data transfers.
It meant appropriate safeguards used by organizations in other countries – including SCCs – had to meet a key requirement for adequacy decisions granted to countries outside the EU: they must result in a level of data protection essentially equivalent to that offered in the EEA. Otherwise, the GDPR data privacy guarantees could be weakened or undermined.
Global impact of Schrems II
Initially the Schrems II case focused on Maximillian Schrems’ privacy concerns about personal data transferred from Ireland in the EU (where the GDPR offered reasonable protection) to the U.S. (where Europeans had limited protection under U.S. surveillance laws).
However, Schrems always intended the case to have a much bigger global impact.
It wasn’t just about stopping Facebook transferring his personal data internationally, it was about highlighting a raft of disparities in data privacy laws exploited by companies around the world: especially SCCs.
Schrems might not have gained the decision from the CJEU he really wanted – for SCCs to be held invalid – but several iterations of the SCCs have continued to be heavily scrutinized ever since.
During the Schrems II case, the CJEU raised concerns about whether the SCCs at the time did, in fact, offer appropriate safeguards for international data transfers containing personal information – particularly when personal data could be accessed by organizations in countries with extensive surveillance laws.
These concerns prompted the European Data Protection Board (EDPB) to release a set of supplementary measures recommendations on November 10, 2020.
The European Commission released a draft of its revised SCCs for international data transfers to the public for comment on November 12, 2020.
Seven months later, on June 4, 2021, the European Commission issued new SCCs under the GDPR for international data transfers – effectively answering the CJEU’s call for modernized SCCs after the Schrems II decision.
How the new SCCs apply to international data transfers
Following the Schrems II decision, the effective dates for the new SCCs spanned 18 months from their introduction (from June 2021 to late December 2022):
- All new data contracts for international data transfers between controllers or processors in the EU (i.e. subject to the GDPR) and controllers or processors in other countries had to use the new SCCs from September 27, 2021.
- All existing/old contracts for international data transfers must have incorporated the new SCCs under the GDPR by December 27, 2022.
The modernized SCCs include several elements that were influenced by the Schrems II decision:
- Proof an importer can comply – a data exporter must make reasonable efforts to verify the importer can meet its obligations under the SCCs through “technical and organizational measures”.
- Risk-based approach – a data exporter may be allowed to take a risk-based approach, provided an impact assessment is completed in every case.
- The assessment must consider the purposes of transferring and processing the data, along with the data privacy laws of the importing country.
- If more than one importer is involved, the assessment must consider and account for every organization involved in the data processing.
- Determining potential risk versus real-world risk – when considering the data laws and practices of the importing country, an exporter conducting an impact assessment can consider the real-world risk to data privacy when it is accessed and/or stored by an importer, rather than a theoretical risk.
- This point addresses the concern raised in Schrems II about U.S. intelligence authorities potentially accessing private data of European citizens when, in reality, the importer has never had an intelligence authority request to access the data it imports.
- Restrictions due to local laws – if local laws prevent the importer from meeting its contractual obligations, then processing of data is not permitted.
- Note: there are exceptions under Article 23 of the GDPR, which refers to a data controller or processor whose local laws restrict the scope of some of the obligations and rights provided for in other articles, “when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, defence, public security”.
- Public authority requests for access – if the importer receives a request to access the data from a government or public authority (e.g. an intelligence agency), then it must let the exporter and any data subjects know of this request, along with any steps the importer takes to challenge such requests.
- Note: the EDPB’s guideline on these requests is that government access must “not go beyond what is necessary and proportionate in a democratic society”.
- Supervisory authority – all parties must identify the competent supervisory authority for their international data transfers, and the importer must submit to that authority.
- New SCCs must be made under the law and jurisdiction of an EU member state.
TrustArc’s International Transfer Package
Understanding how to manage international data transfers can be time consuming and the Schrems II decision in 2020 made the risks more complicated.
TrustArc’s international transfer package helps organizations:
- Identify, manage, and mitigate risk through our algorithm that automatically detects data flows with transfer risk
- Conduct data transfer and risk threshold assessments
- Save time by using our templates that help operationalize regulatory requirements and trigger compliance mechanisms.
