TrustArc Privacy Shield Ruling

Privacy Shield Ruling Resources

Latest Guidance and Information for Companies Navigating the Schrems II Decision

Ruling Summary

On July 16th, 2020, the European Court of Justice (CJEU) released its highly anticipated decision in Case C-311/18, otherwise known as Schrems II. The CJEU ruled that the EU-U.S. Privacy Shield is invalidated. At the same time, the Court ruled that the system of Standard Contractual Clauses (SCCs), which allows for data transfers from the EU to third countries, remains valid. While existing SCCs remain valid, supervisory authorities and data controllers must now assess the situation in the destination country on a transfer-by-transfer basis.

TrustArc’s team of experts actively monitor global privacy developments and will continue to update the information and resources on this page to help organizations understand the impact of this judgement.

International Data Transfer Risk Package

Manage your risk, wherever data travels

  • Assess your program’s international data transfers by country and receive immediate mitigation mechanisms for each transfer
  • Automatically detect any data flows with transfer risk from 92 countries including the EU
  • Track cross-border transfer risk and the associated business process – mapped to your privacy program’s risk tolerance
  • TrustArc Data Transfer Package

Important Resources

CJEU Judgement
Read the July 16th ruling from the CJEU – 2016/1250

CJEU Press Release
Read the CJEU Press Release

Department of Commerce Statement
Read the U.S. Secretary of Commerce’s Response to the Schrems II Ruling

EDPB FAQs
Read the European Data Protection Board’s FAQs released on July 24th 2020

Schrems-II DPA Response (Updated July 27, 2020)

Interested in seeing how regulators are reacting to the Schrems-II decision? Click through to review the regional Data Protection Authorities’ guidance and download the entire chart below. Where applicable, see regional regulator responses including their overall comment, specific Privacy Shield comment and guidance on SCC assessments.

European Union

Entity/Region: EUROPEAN DATA PROTECTION SUPERVISOR (EDPS)
Comment: The verdict of the Court reaffirms “the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries”. The EDPB expects the “United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements” of the Court. As to the SCCs, the Supervisor announces he has already started a review of the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies.
Specific Statement on Privacy Shield: This is the second time in almost 5 years that a European Commission adequacy decision concerning the United States is invalidated by the Court. In its judgement, the Court confirmed the criticisms of the Privacy Shield repeatedly expressed by the EDPS and the EDPB. European supervisory authorities will advise the Commission on any future adequacy decisions, in line with the interpretation of the General Data Protection Regulation (GDPR) provided by the Court.

Entity/Region: EUROPEAN DATA PROTECTION BOARD (EDPB)
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers; further analysis to follow.
Specific Statement on Privacy Shield: The Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU. This assessment has to be taken into account for any transfer to the U.S.
Guidance on SCC Assessments: The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority.

United States

Entity/Region: U.S. Department of Commerce
Comment: While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.
Specific Statement on Privacy Shield: The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.

Austria

Entity/Region: Austrian Data Protection Authority
Comment: No statement yet

Belgium

Entity/Region: Data Protection Authority
Comment: No statement yet

Bulgaria

Entity/Region: Commission for Personal Data Protection
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers

Croatia

Entity/Region: Data Protection Agency
Comment: Factual statement on the verdict – no further guidance

Cyprus

Entity/Region: Commissioner for Personal Data Protection
Comment: No statement yet

Czech Republic

Entity/Region: Office for Personal Data Protection
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers

Denmark

Entity/Region: Danish Data Protection Agency
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance
Specific Statement on Privacy Shield: This means that in future no personal data can be transferred to the United States using the Privacy Shield. Privacy Shield is a special scheme based on the EU Commission Decision 2016/1250, which has previously made it possible to transfer personal data from the EU to companies in the USA that had joined the scheme.

Estonia

Entity/Region: Estonian Data Protection Inspectorate
Comment: Factual statement on the verdict – When transferring personal data to any third country with an insufficient level of data protection, it must be borne in mind that it is also important to be convinced of the third country’s adequate level of protection of personal data. Therefore, EU companies must always assess the European Commission’s data protection clauses themselves. The assessment must determine whether Europeans’ personal data can be protected in the future by means of the data protection clauses. If the protection of personal data cannot be guaranteed, the transfer of data must be suspended. If it is desired to continue the data transfer, another appropriate safeguard must be found.
Specific Statement on Privacy Shield: From 16 July 2020, data controllers cooperating with US companies listed in the Privacy Shield will need to review the transfer of data in accordance with data protection clauses accepted by the European Commission. This means that one option is to conclude a corresponding agreement, which has been set by the European Commission. Other safeguards can be used in the articles of the General Data Protection Regulation (GIP).

Finland

Entity/Region: Data Protection Authority
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

France

Entity/Region: Commission Nationale de l’Informatique et des Libertés
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance
Specific Statement on Privacy Shield: The CJEU invalidated the “Privacy Shield” adequacy decision, adopted in 2016 by the European Commission following the invalidation of the “Safe Harbor”, which allowed the transfer of data between the EU and US companies adhering to its data protection principles.

Germany

Entity/Region: Commissioner for Freedom of Information
Comment: Reliance on the Privacy Shield is no longer possible for transfers to the U.S. The use of SCCs requires special safeguards to be taken for the data exchange with the U.S.
Specific Statement on Privacy Shield: Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ. With regard to the transition, we will, of course, provide intensive advice.
Guidance on SCC Assessments: The ECJ’s decision provides a clearer framework for international data traffic with the European Union. In this context, the ECJ places high demands on the special safeguards, such as standard contractual clauses, which have to be adopted by companies and authorities, and which have to be controlled by supervisory authorities. The BfDI will issue a further statement after the publication of the entire judgment and the deliberations in the European Data Protection Board. In this context, the focal point will be the revision of the standard contractual clauses by the European Commission, as well as the need for the USA to ensure that the European people enjoy the same fundamental rights as US-nationals.

Entity/Region: State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (Baden-Württemberg)
Comment: No statement yet

Entity/Region: Bavaria State Office for Data Protection Supervision (Bavaria – Private Sector)
Comment: No statement yet

Entity/Region: Bavarian State Commissioner for Data Protection (Bavaria – Public Sector)
Comment: No statement yet

Entity/Region: Berlin Commissioner for Data Protection and Freedom of Information (Berlin)
Comment: Data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection. Specifically calls out China, Russia, and India as countries for which there will be similar problems for data transfers.

Entity/Region: The state representative for data protection and for the right to inspect files in Brandenburg (Brandenburg)
Comment: No statement yet

Entity/Region: The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen (Bremen)
Comment: No statement yet

Entity/Region: Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg)
Comment: Would have liked to see the CJEU also invalidate SCCs as a means for transfer to the U.S., since the risks and safeguards for Privacy Shield and SCCs are the same. Expects hard times for all international data transfers.
Specific Statement on Privacy Shield: Data protection supervisory authorities in Germany and Europe must now swiftly come to a common understanding on how to deal with companies that are now illegally continuing to rely on the Privacy Shield.
Guidance on SCC Assessments: Both the proportionality of access by the authorities and the guarantee of functioning legal protection must be demonstrated by the exporter to his local data protection authority on request.

Entity/Region: The Hessian Data Protection Officer (Hessen)
Comment: No statement yet

Entity/Region: State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern (Mecklenburg-Vorpommern)
Comment: Only a link to the CJEU press release on the DPA website press page

Entity/Region: The State Commissioner for Data Protection Lower Saxony (Lower Saxony)
Comment: No statement yet

Entity/Region: State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (North Rhine-Westphalia)
Comment: No statement yet

Entity/Region: State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate (Rhineland-Palatinate)
Comment: The Court has made clear that data controllers have a strong responsibility to verify the actual legal situation in a third country before transferring personal data. Just signing the SCCs is not enough. If the requirements of EU data protection law cannot be met, the transfer must be stopped.
Specific Statement on Privacy Shield: The CJEU declared the EU-US Privacy Shield invalid, which is therefore no longer the legal basis for data transfers to the USA.
Guidance on SCC Assessments: “The CJEU has clarified that companies cannot free themselves from their audit obligations by using the standard contractual clauses,” explains Professor Kugelmann. “The ball is now in the field of those responsible. They cannot avoid dealing intensively with the national laws of the third country to which they want to transmit data. If the data recipients are subject to the legal rules of their home country that violate European data protection law, they may not be able to comply with the contractual provisions of the standard contractual clauses.”

Entity/Region: State representative for data protection and freedom of information (Saarland)
Comment: No statement yet

Entity/Region: Saxon Data Protection Officer (Saxony)

Entity/Region: State Commissioner for Data Protection Saxony-Anhalt (Saxony-Anhalt)
Comment: No statement yet

Entity/Region: Independent state center for data protection in Schleswig-Holstein (Schleswig-Holstein)
Comment: No statement yet

Entity/Region: Thuringian State Commissioner for Data Protection and Freedom of Information (Thuringia)
Comment: As yet it is unclear how SCCs can still be used for data transfers to the U.S., given the extensive criticism voiced by the Court on the national surveillance legislation.
Guidance on SCC Assessments: If the ECJ now emphasizes that the protective mechanisms of the standard contractual clauses and their compliance by the data exporter and the data recipient must be checked before transmission, then I do not know how, in the case of data transmission to the USA, an EU data protection compliant test result could be arrived at.

Greece

Entity/Region: Hellenic Data Protection Authority
Comment: No statement yet

Hungary

Entity/Region: National Authority for Data Protection and Freedom of Information
Comment: Links to the CJEU press release on the DPA website front page

Ireland

Entity/Region: Data Protection Commission
Comment: The application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis. The DPC also refers to the EDPB for further joint guidance, while welcoming the clarity brought by the verdict on various points of principle.

Italy

Entity/Region: Garante per la Protezione dei Dati Personali
Comment: No statement yet

Latvia

Entity/Region: Data State Inspectorate
Comment: Adheres to the EDPB plenary statement, no own guidance

Lithuania

Entity/Region: State Data Protection
Comment: Factual statement with reference to further EDPB guidance.

Luxembourg

Entity/Region: National Commission for Data Protection
Comment: CNPD welcomes the judgment; will work with EDPB counterparts on further guidance.

Malta

Entity/Region: Information Data Protection Commissioner
Comment: No statement yet

Netherlands

Entity/Region: Autoriteit Persoonsgegevens
Comment: Mainly factual statement. Up to the European Commission to come up with a solution.

Poland

Entity/Region: Inspector General for the Protection of Personal Data – GIODO
Comment: Controllers need to carry out an individual assessment of the level of data protection ensured as part of cross-border data transfers, which must take into account not only the contractual provisions agreed between exporters and importers of data, but also legal provisions in a third country, in particular regarding possible access by public authorities of that country to the data transmitted. Further guidance will follow via the EDPB.
Specific Statement on Privacy Shield: Personal data can no longer be transferred to the U.S. on the basis of the Privacy Shield from the date of the verdict onwards (16 July).

Portugal

Entity/Region: National Commission for Data Protection
Comment: No statement yet

Romania

Entity/Region: National Supervisory Authority for Personal Data Processing
Comment: Factual statement; suggests looking at alternative transfer mechanisms (SCCs, BCRs, derogations) for U.S. data transfers to replace Privacy Shield as a legal basis

Slovakia

Entity/Region: Office for Personal Data Protection
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers

Slovenia

Entity/Region: Office of the Information Commissioner
Comment: The EU Court of Justice annulled the so-called privacy shield, and organizations are given other listed data transfer mechanisms to take care of as soon as possible. Disclosures of personal data are still possible, provided that the controller of the personal data itself provides appropriate safeguards to ensure the protection of privacy and the fundamental rights and freedoms of individuals. European companies exporting personal data must be aware that they are responsible for assessing the lawfulness of the export and further processing, and that they must ensure that all principles of European data protection are covered and respected in each case of the transfer of personal data. Organizations that export data to the U.S. and have so far relied on the recipient being a company that can be found on the so-called Privacy Shield list must ensure as soon as possible that the transfers are justified on another basis (e.g. standard contractual clauses, binding business rules, exceptions). Otherwise, data may not be transmitted to the United States. In a very similar situation in 2015, when the predecessor of the Privacy Shield, i.e. the safe harbor agreement, was annulled by the Court of Justice of the European Union, organizations often based data transfers to the U.S. on standard contractual clauses they had entered into with partner organizations.

Spain

Entity/Region: Spanish Data Protection Agency (AGPD) (Federal)
Comment: No statement yet

Entity/Region: Basque Data Protection Agency (Basque Country)
Comment: No statement yet

Entity/Region: Catalan Data Protection Authority (Catalonia)
Comment: No statement yet

Sweden

Entity/Region: Data Inspection Board
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

EUROPEAN ECONOMIC AREA

Iceland

Entity/Region: Data Protection Authority
Comment: Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

Liechtenstein

Entity/Region: Data Protection Office
Comment: However, the European Court of Justice also made clear in its ruling that data can still be transferred to the USA on the basis of other suitable guarantees under Art. 46 ff. GDPR, in particular also on the basis of standard data protection clauses. At least in the medium term, until a new agreement with the USA on data transmission can be concluded by the EU Commission, those responsible now have to rely on such instruments. The data protection agency has published a compilation of the requirements and various suitable guarantees for data transfers to third countries on its website.

Norway

Entity/Region: Data Protection Authority
Comment: Companies that currently use the Privacy Shield mechanism must consider what other transfer bases can be used to transfer personal information to the United States. You can read more about the basis for transfer abroad here. The Norwegian Data Protection Authority will, in collaboration with other supervisory authorities in the EEA, provide further guidance on how companies can comply with the decision.

OTHER RELEVANT JURISDICTIONS

Switzerland

Entity/Region: Federal Data Protection and Information Commission
Comment: The Schrems-II decision has no immediate effect on the Swiss-U.S. Privacy Shield. The Federal Data Protection Commissioner will analyse the verdict before deciding on next steps.

United Arab Emirates

Entity/Region: Dubai International Financial Centre
Comment: DP Assessment Tool – Data Export and Sharing. As DIFC has not permitted this transfer option previously, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers to the United States, please consider reviewing any transfers made by your entity outside of the DIFC to affiliates in the EU to ensure they are compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive Guidance on DP Law 2020 as well as specific Data Export and Sharing Guidance. Please note that all such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.
Specific Statement on Privacy Shield: Special Note about Privacy Shield – Please note that the Court of Justice of the European Union (the Court) recently clarified in the “Schrems II” decision that enhanced due diligence should be done on the data protection regime of the destination country or organisation prior to making the restricted transfer when using the standard contractual data protection clauses. Finally, in the same decision, the Court invalidated a transfer mechanism called Privacy Shield.

United Kingdom

Entity/Region: Information Commissioner (UK)
Comment: The ICO will consider the impact of the verdict and stands ready to support the UK government to find solutions for transfers to the U.S.
Specific Statement on Privacy Shield: We are currently reviewing our Privacy Shield guidance after the judgment issued by the European Court of Justice on Thursday 16 July 2020. If you are currently using Privacy Shield please continue to do so until new guidance becomes available. Please do not start to use Privacy Shield during this period.

Additional Resources

FAQs
Schrems 2 Decision FAQs (Updated July 27, 2020)

Webinar
Privacy Shield Webinar

Blog
Privacy Shield Blog

Podcast
Privacy Shield Podcast