Businesses managing international data transfers containing personal data of individuals in the European Union (EU) and/or European Economic Area (EEA) to countries outside the EU must address the EU’s General Data Protection Regulation and Schrems II compliance requirements.
After the Schrems II decision on July 16, 2020, U.S. businesses could no longer use the EU–U.S. Privacy Shield for international data transfers because it was invalidated.
While a new Trans-Atlantic Data Privacy Framework was agreed in principle in March 2022, it has not been enacted.
U.S. businesses are essentially on the same GDPR footing as any business operating in another country (any country not a member of the EU or EEA).
Standard Contractual Clauses (SSCs) that were modernized after the Schrems II decision can be used to manage international data transfers from controllers or processors in the EU to their counterparts in other countries.
Schrems II compliance: expiry dates for older SCCs
The European Commission issued new SCCs under the GDPR for international data transfers on June 4, 2021.
Keep in mind that if your organization had any older SCCs already in place before June 4, 2021, the following expiry dates were set:
- September 27, 2021 – from this date it was no longer possible to conclude contracts incorporating older sets of SCCs.
- December 27, 2022 – until now, controllers and processors could still rely on earlier SCCs for contracts concluded before September 27, 2021, if the processing operations described in the contract were unchanged.
Below is a checklist of the main considerations for GDPR and Schrems II compliance before transferring any personal data from the EU.
Confirm GDPR and Schrems II Compliance Rules Apply
The Schrems II case considered whether the use of SCCs could adequately protect the privacy of EU/EEA citizens during international data transfers.
In the final decision on SCCs, the Court of Justice of the European Union ruled any SCC used for transfers of EU/EEA citizens’ personal data from the EU to other countries must result in an essentially equivalent level of protection of citizens’ personal data to the protections provided in the EEA.
The court was extremely clear that if a company handles any personal data of any citizen in the EU or EEA – whether as a controller or a processor, or both – then GDPR compliance is essential.
Under the GDPR, processing is defined as “any operation or set of operations which is performed on personal data or on sets of personal data” (GDPR Article 4(2)).
A controller is defined as any entity that “determines the purposes and means of the processing of personal data”.
Ensure All Parties in the Data Transfer Meet the SCC Requirements
Since the Schrems II decision, all organizations involved in international data transfers from the EU must prove they can meet all requirements of any SCCs they use.
This applies equally to exporters of data from the EU and importers of data in other countries.
Data importers must also confirm they will respect the core principles under the GDPR. The principles relating to processing of personal data are explained in GDPR Article 5:
- Lawfulness, fairness and transparency
- Purpose limitation (specified, explicit and legitimate purposes)
- Data minimization (the minimum amount of data needed for the purpose)
- Storage limitation (kept no longer than is necessary for the purpose)
- Integrity and confidentiality (suitably secured)
- Accountability – note: this principle also applies to controllers.
Conduct a Data Transfer Risk Assessment
Two weeks after the European Commission issued the new SCCs aimed at improving GDPR compliance, addressing issues raised by Schrems II, the European Data Protection Board (EDPB) adopted its final recommendations for international data transfers.
These recommendations set out a six-step roadmap to help organizations make data transfer risk assessments when considering transferring personal data from the EU:
- Know your transfers – reassess all data processing operations.
- Identify the tools you are relying on – review adequacy decisions, derogations and GDPR Article 46 transfer tools such as SCCs and binding corporate rules (BCRs).
- Assess appropriate safeguards – consider the circumstances of the transfer, including relevant legislation in the importing country, and decide which instrument/s will be most effective.
- Adopt supplementary measures – organizations typically need to adopt organizational, contractual and technical measures to ensure data security.
- Get data processing agreement (DPA) approval – some transfer mechanisms (such as BCRs and ad hoc clauses) will require DPA approval.
- Review and update – commit to regularly reviewing your policies, tools, systems and processes for all activities related to GDPR compliance.
Assess surveillance laws in other countries
Since the Schrems II decision, all data importers and exporters must also assess the data legislation of importing countries, before concluding the SCCs.
Data importers must verify the data laws in their country will not prevent them from meeting SCC requirements.
If the data could be subject to surveillance laws that may interfere with a data subject’s supplemental rights (such as the right to be informed, the right of access and the right be forgotten), then the transfers cannot be made based on SCCs.
Will any personal data be transferred from the EU to the U.S.?
SCCs can be used for international transfers of personal data of EU/EEA citizens from the EU to the U.S. on a case-by-case basis, provided the U.S. data importer is assessed as meeting all requirements of the SCCs.
However, a key requirement of GDPR and Schrems II compliance is that SCCs cannot be used to allow the transfer of personal data from the EU to the U.S. if that data might be subject to collection and/or access by U.S. authorities for national security purposes.
Remember the European Essential Guarantees for surveillance measures
After the Schrems I case, the European Data Protection Board (EDPB) published a new set of recommendations for international data transfers to ensure surveillance measures in any country would not have a negative influence on the protection of personal data and fundamental rights to privacy.
The EDPB recommendations published in February 2020 – before the Schrems II decision – noted: “the applicable legal requirements to make the limitations to the data protection and privacy rights recognized by the Charter of Fundamental Rights of the EU justifiable can be summarized in four European Essential Guarantees”:
- Guarantee A – processing should be based on clear, precise, and accessible rules.
- Guarantee B – necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated.
- Guarantee C – an independent oversight mechanism should exist.
- Guarantee D – effective remedies need to be available to the individual.
TrustArc Helps Manage Your GDPR and Schrems II Compliance for International Data Transfers
TrustArc’s expertise in data protection and privacy management helps organizations like yours identify your risks associated with international data transfers and manage compliance, including policy changes driven by landmark privacy cases such as the Schrems II decision.
Our automated platform combines expert risk analysis and deep knowledge of regulatory compliance, including the GDPR, to keep your data transfer assessments up to date.
Learn more about managing data privacy compliance for international data transfers using TrustArc’s International Data Transfer Package.