Schrems-II: Where Are We Now?

August has come and gone, and the European institutions are back from their summer break. The coming weeks will likely bring more clarity on the consequences of the Schrems-II decision of the Court of Justice of the European Union at the start of the summer. The European Data Protection Board (EDPB) has announced further guidance on the required “additional appropriate safeguards” is forthcoming, and the European Commission is in the process of finalizing a whole new set of Standard Contractual Clauses (SCCs). The first indications of what is coming were given on Thursday, during a hearing of the European Parliament committee on Civil Liberties, Justice and Home Affairs (LIBE). The LIBE committee heard from Commissioner Didier Reynders (Justice), EDPB Chair Andrea Jelinek as well as from Max Schrems himself. All three commented both on the judgment itself and on the way forward. 

Mr. Reynders recognised the Schrems-II ruling is an important political and geopolitical issue, that will not be easy to solve. Conversations with the U.S. on a possible new data transfer framework have commenced, but it is impossible at this stage to provide a clear timeline. Especially the upcoming U.S. elections, as well as the likely need for Congress to be involved in any new agreement, exclude any quick fix. The Commissioner explained that the Commission wants to get it right this time, which also includes a completely new set of model clauses, that will take into account the conditions set by the Court. Mr. Reynders indicated that the draft standard contractual clauses – which will also align the clauses with the GDPR – are likely to be published in the coming weeks as part of a consultation procedure, with the aim to have them adopted by the end of the year. Apart from Controller-to-Controller and Controller-to-Processor clauses, also Processor-to-Processor clauses are expected to be published.

The EDPB Chair explained the Board is fully committed to support the Commission in developing a new, compliant ‘framework’ for EU-U.S. data transfers. What that will look like, is as yet unclear. In the meantime, the Board will provide as much guidance as possible to ensure businesses can continue to transfer personal data from the EU to third countries, not just the U.S. What is clear however, Mrs. Jelinek said, is that in the short run, there is no one-size-fits-all solution that will allow all data transfers to continue as if nothing has happened. Companies will need to take their responsibilities seriously, and start their case-by-case analysis. In the coming weeks and months, the Board will publish building blocks that can serve as further guidance for the required ‘additional appropriate safeguards’. In addition, the existing opinions related to international data transfers (think of the opinions on Binding Corporate Rules [1, 2, 3], the Adequacy referential and the use of the Article 49 Derogations, but also the working document on the European Essential Guarantees), will be updated to reflect the Schrems-II decision.

Mr. Schrems very quickly made clear he does not believe a solution to the EU-U.S. data transfer challenges could be found in another executive agreement. This has been tried twice, and both times the Court of Justice has made clear the agreements offered insufficient safeguards to protect our fundamental rights. This means there are two options: change how the European Union looks at fundamental rights, or change the U.S. surveillance laws interfering with those fundamental rights. Giving up our fundamental rights for most in Europe would be a no-go, meaning that the only remaining option is to talk to the U.S. about their government surveillance programs, how hard that may prove to be. Furthermore, Mr. Schrems expressed concerns that U.S. industry actors do not seem to be taking the CJEU ruling seriously. From industry calls he attended, he got the impression many companies are not expecting strict enforcement of the transfer modalities by DPAs and therefore are not committed to update their SCCs with additional safeguards.

During the question round with the members of the European Parliament, a lot of disappointment was expressed on the inactivity of the European data protection authorities. The GDPR has been in force for almost 2,5 years, but the enforcement of the rules is falling behind. As one MEP put it, it is thanks to diligent citizens like Mr. Schrems, who are willing to court over and over again, that there is still some protection of the fundamental right to data protection. Mr. Schrems added to this, that he has received indications from the Irish Data Protection Commission that, despite the clear conclusion of the Court that DPAs have a duty to enforce the GDPR, a decision in his case is not expected imminently.

Members of the Parliament furthermore called for improved legal certainty, especially for small and medium enterprises, more guidance and international agreements to solve these challenges, both on common privacy standards and on no spying between allies. An open question, that the European Commission will need to take up with their U.S. negotiating partners, is to what extent FISA 702 also covers the EU entities and data centres of U.S. companies, since that can further complicate any future deal. 

The recording of the LIBE committee meeting is available on the website of the European Parliament. All of TrustArc’s guidance on the consequences of the Schrems-II decision, is available on our Privacy Shield microsite.

Serious Privacy Podcast – Get Schooled: Professor Solove’s Insight on Privacy Developments

Privacy is like driving a car – lots of rules which change across borders and you need to look both ways before crossing the street. In both the US and EU, the Schrems-II decision on 16 July is a major development in data protection navigation. But we are just at the beginning of understanding all the consequences of the verdict of the EU Court of Justice. Don’t worry – also in the coming weeks, we’ve got you covered. #SeriousPrivacy will keep you posted on important developments and views. 

In this episode, Paul Breitbarth and K Royal speak with Professor Dan Solove with the George Washington University Law School, a renowned educator in both privacy and data security legislation, an internationally-known expert and a prolific writer of books and articles on these topics. He certainly has an opinion of what happens next in transatlantic data relations and intra-US with the California Privacy Rights Act (CPRA).  

Listen in as we discuss the implications of Schrems-II, the CPRA, privacy legislation and enforcement, and developments in this space. For example, the CPRA now faces opposition from a coalition led by the American Civil Liberties Union (ACLU) of California. In addition, we discuss Prof. Solove’s views over the past few decades of the advance of the privacy field and what he hopes to see in the coming years. Listen to this week’s episode on our website or stream the episode below.

A Memorable Week in Hong Kong at the 39th ICDPPC

By Hilary Wandall, TrustArc General Counsel & Chief Data Governance Officer


I provided some highlights of the first day at the 39th ICDPPC conference in Hong Kong. Now I will share some additional insights.  

It was a remarkable week in Hong Kong with current and former IAPP Board members and other privacy friends and colleagues most of whom I’ve known for decades, but also a few I had the pleasure of meeting for the first time as we explored global issues and local culture together.

Over 750 delegates representing more than 65 data protection authorities, the United Nations, industry privacy leaders, think tanks, universities and civil society joined together to discuss the connections between western and eastern approaches to privacy and impact on policy and regulation across the globe.  Conference host, Hong Kong Privacy Commissioner Stephen Wong, summarized the experience well with a thoughtful keynote and a special tutorial for current and former members of the IAPP board on the different approaches to writing “privacy” in Chinese at the closing data protection authority luncheon hosted by the IAPP on Friday afternoon.


The growing significance of regulatory interoperability to drive cooperation, simplicity – and by extension – prioritization, including a broad range of approaches from CBPRs and Privacy Shield to GDPR certification, BCRs and adequacy, dominated panel discussions from the main stage to side events such as the Centre for Information Policy Roundtable on CBPRs and GDPR.  In addition to our own Josh Harris, TrustArc Director of International Regulatory Affairs, who spoke at multiple sessions on CBPRs, CBPR participating companies, such as Apple and Cisco, discussed the importance of CBPRs to global accountability at both the Roundtable and on the main stage.

GDPR preparedness also permeated discussions, including those at the IAPP KnowledgeNet on Wednesday, where we heard the perspectives of local and regional colleagues in Hong Kong and Asia Pacific, respectively, on coordinating with their privacy teams in Europe and the U.S. for effective implementation.  It was a special honor to join IAPP Board Member and Promontory Managing Director, Simon McDougall, to discuss the operational impact of GDPR.  Most expect that the impact of GDPR on both regulators and organizations will only have begun to be understood over the next year, and that May 25, 2018 will be only the beginning of GDPR compliance.

I am looking forward to the timely opportunity of next year’s 40th ICDPPC, which will take place in Brussels, to get a comprehensive read out on global progress on both GDPR implementation and regulatory interoperability and to exploring how our work on comprehensive DPIAs will tie into next year’s theme of digital ethics.

Until then, learn more about GDPR compliance and how TrustArc can help your organization here: TrustArc GDPR Privacy Solutions.



39th International Conference of Data Protection and Privacy Commissioners – Hong Kong

By Hilary Wandall, TrustArc General Counsel & Chief Data Governance Officer

This week I am attending the International Conference of Data Protection and Privacy Commissioners from September 25 – 29 in Hong Kong. This conference has convened since 1979 and serves to provide leadership on privacy and data protection at the international level.

I will be sharing some of the highlights on the evolution of privacy and its importance for all organizations.

Privacy Shield Declared a Success!  

The U.S. Department of Commerce, the Federal Trade Commission and the European Commission kicked off the conference with a session reporting out on last week’s Joint Annual Review of the Privacy Shield.  They highlighted key presentations and discussions that contributed to demonstrating the effective functioning of the Privacy Shield, including the Independent Recourse Mechanism and Verification presentation we provided on behalf of TrustArc.  While the European Commission’s official report is not expected until the second half of October, Bruno Gencarelli declared that “from the perspective of the European Commission, Privacy Shield is a success!”

Privacy Regulation Expanding

As we kick of the 39th Annual ICDPPC here in Hong Kong today, I am surrounded by many familiar faces as the East and West connect here on privacy.  We’ve marveled at how much the privacy and data protection landscape continues to evolve not only in terms of substantive challenges related to transparency and fairness in artificial intelligence and machine learning or data transfers among countries in the west and east, but also the 110 regulatory authorities that now comprise the ICDPPC.  In fact, since the 32nd ICDPPC in Jerusalem, where I moderated a session on the then novel topic of personalized medicine, 26 new regulatory authorities have been accredited as members of the ICDPPC.

Next Generation Technologies Necessitate Comprehensive DPIAs

Our policy partners, the Information Accountability Foundation (IAF) and the Future of Privacy Forum (FPF), co-hosted a session on Sustainable Innovation with Effective Data Protection.  Researchers identified some of the privacy challenges in artificial intelligence and machine learning, and policy leaders, including Singapore Deputy Data Protection Commissioner, Yeung Zee Kin, proposed solutions such as procedural safeguards, principles and the type of comprehensive DPIA that we have been partnering with IAF to develop.

Tomorrow I will share additional highlights from the conference.


Swiss-US Privacy Shield Rollout: What to Expect – Webinar Recap

Adding Swiss-US Privacy Shield self-certification.

As part of the TRUSTe Privacy Insight Webinar Series, Nasreen Djouini, Michelle Sylvester-Jose of the U.S. International Trade Administration, and Josh Harris of TRUSTe discussed the rollout of Swiss-US Privacy Shield.

Some examples of where the Swiss-US Privacy Shield framework and the EU-US Privacy Shield framework vary are:

  • When covering HR data received from Switzerland, an organization must commit to cooperating with the Swiss Federal Data Protection Information Commissioner authority (FDPIC) as the independent recourse mechanism. However, for non-HR data, an organization can elect to use the Swiss Federal Data Protection Information Commissioner or use another Independent Dispute resolution Provider (IDR).
  • The Choice Principle has been modified. The definition of “Sensitive Data” has been expanded upon.
  • For the EU-US Privacy Shield, there was a grace period; however, there is no grace period for the Swiss-US Privacy Shield.
  • The binding arbitration option will be put in place at the first annual review of the Swiss-US Privacy Shield.

Although there are a few places where these frameworks vary, the Swiss-US Privacy Shield and EU-US Privacy Shield frameworks touch back to the same core principles. Companies should be able to use the work done to become compliant with one framework toward compliance with the other.

While we highlighted one of the webinar topics in this blog post, the webinar covered several additional topics:

  • How the Swiss-U.S. Privacy Shield was developed 
  • What you should do to prepare to self-certify to Privacy Shield for the first time, or to add the Swiss – U.S. Privacy Shield to your EU-U.S. Privacy Shield certification
  • How to navigate the self-certification process on
  • How to re-certify on an annual basis

To view, listen to all topics covered, and share the webinar recording, please find a shareable link here.