On July 16th, 2020, the European Court of Justice (CJEU) released its highly anticipated decision in Case C-311/18, otherwise known as Schrems II. They ruled that the EU-U.S. Privacy Shield is to be invalidated.
Nearly two years later, on Mar 25, 2022, the President of the European Commission, Ursula von der Leyen, and U.S. President Joe Biden released a joint statement.
They confirmed a new breakthrough agreement “in principle” had been reached, called the Trans-Atlantic Data Privacy Framework.
Top 10 Questions about the Schrems II Decision
Data practitioners have been hoping for a breakthrough agreement for EU-US data transfers. Questions about the Schrems II decision have been plentiful over the past two years.
Although an agreement has been reached in principle, organizations still need to understand the impact of Schrems II and associated decisions.
1. Will there be a replacement for Privacy Shield?
The March 2022 joint statement between the European Commission and the U.S. stated an agreement in principle has been reached on a new framework for transatlantic data flows. Both sides have a bit more work to do before the text is final.
In laying out the next steps, both sides offered high-level overviews of what the new Framework will include. The US has provided a press release and a fact sheet.
In the press release, the U.S. identified the general commitments it would adopt by way of a presidential Executive Order in order to implement this new “breakthrough agreement.”
2. When will the Trans-Atlantic Data Privacy Framework be adopted?
While many details still remain unclear, the U.S. and EC have represented that the next steps will be to translate the agreement in principle into legal documents.
First, consider that the last two adequacy decisions adopted by the EU ran 93 pages (the UK) and 122 pages (South Korea). Both are significantly longer than the current Privacy Shield Framework.
Also, the mechanisms the US must implement by way of the Executive Order are not trivial, especially creating a Data Protection Review Court.
That said, we will continue to monitor the developments of this agreement and look forward to updating you when the requirements have been released.
Once prepared, the agreement will be submitted to the European Data Protection Board for approval as required by the General Data Protection Regulation.
3. Is there a benefit of continued participation in the Privacy Shield Program?
Remaining in Privacy Shield may simplify your transition to the successor agreement in principle between the EU and the U.S. At this time, you also are required to continue to uphold your Privacy Shield protections for data you have collected pursuant to Privacy Shield.
Remaining in Privacy Shield will simplify these processes for your organization.
Depending upon how you have structured your privacy program, it may also help your organization comply with other international data transfer commitments. Such as those you would need to make if you are able to enter into SCCs for data transfers you receive.
4. What do I need to do about my current Privacy Shield self-certification?
The U.S. Department of Commerce (DOC) has stated that it will continue to operate Privacy Shield and it expects participants to continue to support their Privacy Shield obligations. If you are currently part of the Privacy Shield program, we recommend you stay.
Staying in Privacy Shield may simplify your transition to the new agreement between the EU and the U.S. once the documents are finalized.
You do need to ensure an alternative mechanism to transfer personal data from the EU to the U.S. since Privacy Shield can no longer be used to do so.
5. Can I transfer personal data from the EU to the U.S. under SCCs?
As long as the data are not subject to collection and/or access by U.S. authorities for national security purposes, SCCs can be used on a case-by-case basis subject to an assessment of whether the U.S. data importer can meet its SCC obligations for the specific data processing.
The burden of proof on both the data exporter and the data importer in the third country, has increased to verify they can meet all the requirements of the SCCs. The data importer will also need to confirm that they will fully respect all the core principles under GDPR.
The data importer and exporter will need to assess the legislation of the third country to see if, they are subject to surveillance laws that may cause interference of the supplemental rights. If that is the case, then the transfer cannot take place based on SCCs. This is similarly applied to Binding Corporate Rules (BCRs).
6. What assessment criteria should I consider for whether the data importer can meet its obligations under the SCCs?
- Is the data importer a provider of services that facilitate communications or electronic interactions between individuals, e.g., an Internet Service Provider or electronic communication services provider?
- Has the data importer ever been subject to a data access request for national security purposes?
- Has the data importer ever been subject to a data retention request for national security purposes?
If the answer is “yes” to any of these, and the data importer is not in a country recognized by the EU as providing “adequate protection,” then SCCs are unlikely to be a valid transfer option in the absence of express authorization from the DPA in the originating country.
If, “no,” proceed with a third party risk assessment to evaluate the effectiveness of the importer’s controls.
7. Are the other transfer methods still valid for transferring data?
All data transfer mechanisms included in the GDPR have remained valid. The CJEU has invalidated one of the adequacy decisions (for the Privacy Shield) and has set stricter assessment criteria for the use of the other transfer mechanisms.
8. If my U.S. business shifts server or data location to the EU do I still have a need for a data transfer mechanism?
That depends on how the data is being processed within the company. As long as the data is stored on servers in the EEA and only accessed from within the EEA, no data transfer mechanisms will be needed.
However, as soon as access to the data is made from outside the EEA countries, a data processing operation is taking place (according to the definition of Article 4(2) GDPR). This also constitutes as a data transfer, thus requiring the use of a transfer mechanism.
In addition, if the company is subject to U.S. surveillance legislation, including but not limited to Section 702 FISA and E.O. 12333, using an EU server is not guaranteed protection.
Both have a broad scope, that allows the U.S. intelligence and security services to also collect data outside the U.S. territory.
9. Are prior data transfers under EU-US Privacy Shield affected?
All prior data transfers remain subject to the obligations of Privacy Shield.
10. Will there be a grace period?
There was no grace period between the Schrems II decision and the latest agreement in principle. Given that Privacy Shield was invalidated by the Court, companies that used the Shield for EU-U.S. data transfers continue to need to find an alternative legal basis for the data transfer.
We highly recommend using the Standard Contractual Clauses (SCCs) as a fallback option post-Privacy Shield, as preparing your international data transfers with the SCCs will also prepare your organization to adopt the replacement to the Privacy Shield (whenever it arrives).
Managing the Risks of International Data Transfers
When it comes to international data transfers, TrustArc has you covered. The risks of international data transfers are complicated, nuanced, and time-consuming. TrustArc’s automated approach combines deep regulatory understanding and expert risk analysis, keeping your transfer assessments up to date.
TrustArc’s International Transfer Package helps organizations:
- Identify, manage, and mitigate risk through our algorithm that automatically detects data flows with transfer risk
- Conduct data transfer and risk threshold assessments
- Leverage templates that help operationalize regulatory requirements and trigger compliance mechanisms