TrustArc Privacy Shield Ruling

Privacy Shield Ruling Resources

Latest Guidance and Information for Companies Navigating the Schrems II Decision

Ruling Summary

On July 16th, 2020, the European Court of Justice (CJEU) released its highly anticipated decision in Case C-311/18, otherwise known as Schrems II. The CJEU ruled that the EU-U.S. Privacy Shield is invalid. At the same time, the Court ruled that the system of Standard Contractual Clauses (SCCs), which allows for data transfers from the EU to third countries, remains valid. Although existing SCCs remain valid, supervisory authorities and data controllers must now assess the situation in the destination country on a transfer-by-transfer basis.

TrustArc’s team of experts actively monitors global privacy developments and will continue to update the information and resources on this page to help organizations understand the impact of this judgement.

Privacy Shield Transition Package

The July 16th ruling by the CJEU invalidated Privacy Shield and held that standard contractual clauses (SCCs) must be evaluated on a case-by-case basis when used to transfer data from the EU. What should current Privacy Shield members do now?

The Privacy Shield Transition Package helps organizations:

  • Review data transfers from the EU to be prepared for the next set of regulatory updates
  • Identify, manage, and mitigate data transfer risk through a risk algorithm that automatically detects data flows with transfer risk
  • Conduct data transfer assessments and access templates that help operationalize your current program and trigger compliance mechanisms

TrustArc Data Transfer Package

Regulator Resources

CJEU Judgement

Read the July 16th ruling from the CJEU – 2016/1250

CJEU Press Release

Read the CJEU Press Release

Department of Commerce

Department of Commerce Statement

Read the U.S. Secretary of Commerce’s Response to the Schrems II Ruling

EDPB Statement

EDPB FAQs

Read the European Data Protection Board’s FAQs released on July 24th 2020

Schrems-II DPA Response

Updated August 7, 2020

Interested in seeing how regulators are reacting to the Schrems-II decision?
Click through to review the regional Data Protection Authorities’ guidance and download the entire chart below. Where applicable, see regional regulator responses including their overall comment, specific Privacy Shield comment and guidance on SCC assessments.

European Union
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
EUROPEAN DATA PROTECTION SUPERVISOR (EDPS)
The verdict of the Court reaffirms “the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries”. The EDPB expects the “United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements” of the Court. As to the SCCs, the Supervisor announces he has already started a review of the consequences of the judgment on the contracts concluded by EU institutions, bodies, offices and agencies.
This is the second time in almost 5 years that a European Commission adequacy decision concerning the United States is invalidated by the Court. In its judgement, the Court confirmed the criticisms of the Privacy Shield repeatedly expressed by the EDPS and the EDPB. European supervisory authorities will advise the Commission on any future adequacy decisions, in line with the interpretation of the General Data Protection Regulation (GDPR) provided by the Court.
EUROPEAN DATA PROTECTION BOARD (EDPB)
Factual statement on the verdict – no information on enforcement or advice on transfers; further analysis to follow.

The Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection to the EU. This assessment has to be taken into account for any transfer to the U.S.

The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee. If you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data. However, if you are intending to keep transferring data despite this conclusion, you must notify your competent supervisory authority.

United States
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
U.S. Department of Commerce
EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.
Organizations’ continued participation in the EU-U.S. Privacy Shield demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.
For help determining the most appropriate data transfer mechanism for an organization, please contact the European Commission, the appropriate European national data protection authority or legal counsel.

Austria
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Austrian Data Protection Authority
No statement yet
Belgium
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Data Protection Authority
Refers to EDPB official information

Bulgaria
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Commission for Personal Data Protection
Factual statement on the verdict – no information on enforcement or advice on transfers

Croatia
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Data Protection Agency
Factual statement on the verdict – no further guidance

Cyprus
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Commissioner for Personal Data Protection
No statement yet

Czech Republic
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Office for Personal Data Protection
Factual statement on the verdict – no information on enforcement or advice on transfers

Denmark
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Danish Data Protection Agency
Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance
This means that in future no personal data can be transferred to the United States using the Privacy Shield. Privacy Shield is a special scheme based on the EU Commission Decision 2016/1250, which has previously made it possible to transfer personal data from the EU to companies in the USA that had joined the scheme.

Estonia
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Estonian Data Protection Inspectorate
Factual statement on the verdict – When transferring personal data to any third country with an insufficient level of data protection, it must be borne in mind that it is also important to be convinced of the third country’s adequate level of protection of personal data. Therefore, EU companies must always assess the European Commission’s data protection clauses themselves. The assessment must determine whether Europeans’ personal data can be protected in the future by means of the data protection clauses. If the protection of personal data cannot be guaranteed, the transfer of data must be suspended. If it is desired to continue the data transfer, another appropriate safeguard must be found.
From 16 July 2020, data controllers cooperating with US companies listed in the Privacy Shield will need to review the transfer of data in accordance with data protection clauses accepted by the European Commission. This means that one option is to conclude a corresponding agreement, which has been set by the European Commission. Other safeguards can be used under the articles of the General Data Protection Regulation (GDPR).

Finland
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Data Protection Authority
Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

France
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Commission Nationale de l’Informatique et des Libertés
Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance
The CJEU invalidated the “Privacy Shield” adequacy decision, adopted in 2016 by the European Commission following the invalidation of the “Safe Harbor”, which allowed the transfer of data between the EU and US companies adhering to its data protection principles.

Germany
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Commissioner for Freedom of Information
Reliance on the Privacy Shield is no longer possible for transfers to the U.S. The use of SCCs requires special safeguards to be taken for the data exchange with the U.S.
Now, special safeguards have to be taken for the data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which has been declared null and void by the ECJ. With regard to the transition, we will, of course, provide intensive advice.
The ECJ’s decision provides a clearer framework for international data traffic with the European Union. In this context, the ECJ places high demands on the special safeguards, such as standard contractual clauses, which have to be adopted by companies and authorities, and which have to be controlled by supervisory authorities. The BfDI will issue a further statement after the publication of the entire judgment and the deliberations in the European Data Protection Board. In this context, the focal point will be the revision of the standard contractual clauses by the European Commission, as well as the need for the USA to ensure that the European people enjoy the same fundamental rights as US-nationals.
Press release from the Conference of Independent Data Protection Supervisors
The European Court of Justice declared Privacy Shield invalid because the US law assessed by the CJEU does not offer a level of protection that is essentially equivalent to that in the EU.
The transfer of personal data to the USA on the basis of Privacy Shield is not permitted and must be discontinued immediately.

For a transfer of personal data to the USA and other third countries, the existing standard contractual clauses of the European Commission basically continue to be used. However, the ECJ emphasized the responsibility of the responsible persons and the recipient to assess whether the rights of the persons concerned enjoy the same level of protection in the third country as in the Union. Only then can it be decided whether the guarantees from the standard contractual clauses can be realized in practice. If not, it should be checked what additional measures can be taken to ensure a level of protection essentially equivalent to that in the EU.

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
(Baden-Württemberg)
No statement yet
Bavaria State Office for Data Protection Supervision
(Bavaria – Private Sector)
No statement yet
Bavarian State Commissioner for Data Protection
(Bavaria – Public Sector)
No statement yet
Berlin Commissioner for Data Protection and Freedom of Information
(Berlin)
Data controllers transferring personal data to the United States, especially those using cloud services, will need to stop doing so henceforth, and ensure the data are stored in the EU or in a country with an adequate level of protection. Specifically calls out China, Russia, and India as countries for which there will be similar problems for data transfers.
The state representative for data protection and for the right to inspect files in Brandenburg
(Brandenburg)
No statement yet
The State Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen
(Bremen)
No statement yet
Hamburg Commissioner for Data Protection and Freedom of Information
(Hamburg)
Would have liked to see the CJEU also invalidate SCCs as a means of transfer to the U.S., since the risks and safeguards for Privacy Shield and SCCs are the same. Expects hard times for all international data transfers.
Data protection supervisory authorities in Germany and Europe must now swiftly come to a common understanding on how to deal with companies that are now illegally continuing to rely on the Privacy Shield.
Both the proportionality of access by the authorities and the guarantee of functioning legal protection must be demonstrated by the exporter to his local data protection authority on request.
The Hessian Data Protection Officer
(Hessen)
No statement yet
State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern
(Mecklenburg-Vorpommern)
Only a link to the CJEU press release on the DPA website press page
The State Commissioner for Data Protection Lower Saxony
(Lower Saxony)
No statement yet
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia
(North Rhine-Westphalia)
No statement yet
State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate
(Rhineland-Palatinate)
The Court has made clear data controllers have a strong responsibility to verify the actual legal situation in a third country before transferring personal data. Just signing the SCCs is not enough. If the requirements of EU data protection law cannot be met, the transfer must be stopped.
The CJEU declared the EU-US Privacy Shield invalid, which is therefore no longer the legal basis for data transfers to the USA.
“The CJEU has clarified that companies cannot free themselves from their audit obligations by using the standard contractual clauses,” explains Professor Kugelmann. “The ball is now in the field of those responsible. They cannot avoid dealing intensively with the national laws of the third country to which they want to transmit data. If the data recipients are subject to the legal rules of their home country that violate European data protection law, they may not be able to comply with the contractual provisions of the standard contractual clauses.”
State representative for data protection and freedom of information
(Saarland)
No statement yet
Saxon Data Protection Officer
(Saxony)
State Commissioner for Data Protection Saxony-Anhalt
(Saxony-Anhalt)
No statement yet
Independent state center for data protection in Schleswig-Holstein
(Schleswig-Holstein)
No statement yet
Thuringian State Commissioner for Data Protection and Freedom of Information
(Thuringia)
As yet it is unclear, how SCCs can still be used for data transfers to the U.S., given the extensive criticism voiced by the Court on the national surveillance legislation.
If the ECJ now emphasizes that the protective mechanisms of the standard contractual clauses, and their compliance by the data exporter and the data recipient, must be checked before transmission, then I do not know how, in the case of data transmission to the USA, an EU data protection compliant test result could be arrived at.

Greece
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Hellenic Data Protection Authority
No statement yet

Hungary
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
National Authority for Data Protection and Freedom of Information
Links to the CJEU press release on the DPA website front page

Ireland
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments
Data Protection Commission
The application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case-by-case basis. The DPC also refers to the EDPB for further joint guidance, while welcoming the clarity brought by the verdict on various points of principle.

Italy
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Garante per la Protezione dei Dati Personali

Adheres to the EDPB FAQ

Latvia
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Data State Inspectorate

Adheres to the EDPB plenary statement, no own guidance

Lithuania
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

State Data Protection

Factual Statement with reference to further EDPB guidance.

Luxembourg
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

National Commission for Data Protection

CNPD welcomes the judgment; will work with EDPB counterparts on further guidance.

Malta
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Information Data Protection Commissioner

No statement yet

Netherlands
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Autoriteit Persoonsgegevens

Mainly factual statement. Up to European Commission to come up with a solution.

Poland
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Inspector General for the Protection of Personal Data – GIODO

Controllers need to carry out an individual assessment of the level of data protection ensured as part of cross-border data transfers, which must take into account not only the contractual provisions agreed between exporters and importers of data, but also legal provisions in the third country, in particular regarding possible access to the transmitted data by public authorities of that country. Further guidance will follow via the EDPB.
Personal data can no longer be transferred to the U.S. on the basis of the Privacy Shield from the date of the verdict onwards (16 July).

Portugal
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

National Commission for Data Protection

No statement yet

Romania
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

National Supervisory Authority for Personal Data Processing

Factual statement; suggests looking at alternative transfer mechanisms (SCCs, BCRs, derogations) for U.S. data transfers to replace Privacy Shield as a legal basis

Slovakia
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Office for Personal Data Protection

Factual statement on the verdict – no information on enforcement or advice on transfers

Slovenia
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Office of the Information Commissioner

The EU Court of Justice annulled the so-called Privacy Shield, and organizations are given other listed data transfer mechanisms to take care of as soon as possible. Disclosures of personal data are still possible, provided that the controller of the personal data itself provides appropriate safeguards to ensure the protection of privacy and the fundamental rights and freedoms of individuals. European companies exporting personal data must be aware that they are responsible for assessing the lawfulness of the export and further processing, and that they must ensure that all principles of European data protection are covered and respected in each case of the transfer of personal data. Organizations that export data to the U.S. and have so far relied on the recipient being a company that can be found on the so-called Privacy Shield list must ensure as soon as possible that the transfers are justified on another basis (e.g. standard contractual clauses, binding business rules, exceptions). Otherwise, data may not be transmitted to the United States. In a very similar situation in 2015, when the predecessor of the Privacy Shield, i.e. the Safe Harbor agreement, was annulled by the Court of Justice of the European Union, organizations often based data transfers to the U.S. on standard contractual clauses they had entered into with partner organizations.

Spain
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Spanish Data Protection Agency (AGPD)
(Federal)

No statement yet

Basque Data Protection Agency
(Basque Country)

No statement yet

Catalan Data Protection Authority
(Catalonia)

No statement yet

Sweden
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Data Inspection Board

Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

EUROPEAN ECONOMIC AREA

Iceland
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Data Protection Authority

Factual statement on the verdict – no information on enforcement or advice on transfers; refers to EDPB for follow-up guidance

Liechtenstein
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Data Protection Office

However, the European Court of Justice also made clear in its ruling that data can still be transferred to the USA on the basis of other suitable guarantees under Art. 46 ff. GDPR, in particular also on the basis of standard data protection clauses. At least in the medium term, until a new agreement with the USA on data transmission can be concluded by the EU Commission, those responsible now have to rely on such instruments. The data protection agency has published a compilation of the requirements and various suitable guarantees for data transfers to third countries on its website.

Norway
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Data Protection Authority

The Schrems II ruling was actually about whether Facebook could transfer information about users in Europe to the United States. The Court also took the opportunity to comment on transfers to third countries in general. It concluded that the transfer basis known as the Privacy Shield is no longer valid. There are still other valid transfer bases, but the court said that using such bases in itself is not enough.
The additional requirements of the European Court of Justice have already begun to apply, and it is also no longer possible to use the Privacy Shield as a basis for transfer. The requirements apply to both new and existing transfers.
It is no longer sufficient to use a valid transfer basis such as the European Commission’s standard contractual clauses or binding corporate rules (BCR).

OTHER RELEVANT JURISDICTIONS

New Zealand
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Privacy Commissioner

The Court considered that certain programmes enabling access by US authorities to personal data transferred from the EU for national security purposes create limits on the protection of that personal data. These limits mean there is a lack of protection that is “essentially equivalent” to EU law, and that data subjects do not have actionable rights before the courts against US authorities.
Transfers of personal data from the EU to New Zealand are conducted on the basis of the adequacy decision in place (article 45 of the EU General Data Protection Regulation).
The European Commission formally ruled in December 2012 that New Zealand’s privacy law provided an ‘adequate level’ of privacy protection to meet European standards.
We will also be considering the decision in Schrems II as we develop model contract clauses under the new Privacy Act 2020. Now that the new Privacy Act 2020 has been passed (coming into force on 1 December 2020) New Zealand has new limits on international transfers of personal information (new IPP 12).

Switzerland
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Federal Data Protection and Information Commission

The Schrems-II decision has no immediate effect on the Swiss-U.S. Privacy Shield. The Federal Data Protection Commissioner will analyse the verdict before deciding on next steps.
The Swiss-US Privacy Shield (“Swiss Shield”) mirrors the US Shield to a great extent; however, it was not invalidated by the CJEU.

Despite this, the Swiss Data Protection and Information Commissioner (“FDPIC”) will amend its state list that deemed self-certified US corporations to provide adequate protections:
  • if the US is qualified as a country with inadequate protection, US transfers under the Swiss Shield will not necessarily be legally permissible – however, the state list is only indicative; and
  • Swiss companies can continue to export data to the US using the Swiss Shield if they believe it ensures adequate protection.

Companies relying on the Swiss Shield should take necessary steps to:
  • mitigate risks of illegal data transfers; and
  • base transfers on SCCs. If SCCs are already in place:
    • assess their levels of protection; and
    • supplement with additional contractual guarantees where necessary;
  • consider if a common approach can be agreed on for requests from US authorities for personal data of Swiss citizens; and
  • not abruptly end transfers.

United Arab Emirates
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Dubai International Financial Centre

DP Assessment Tool – Data Export and Sharing.

As DIFC has not permitted this transfer option previously, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers to the United States, please consider reviewing any transfers made by your entity outside of the DIFC to affiliates in the EU to ensure they are compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive Guidance on DP Law 2020 as well as specific Data Export and Sharing Guidance. Please note that all such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.

Special Note about Privacy Shield: Please note that the Court of Justice of the European Union (the Court) recently clarified in the “Schrems II” decision that enhanced due diligence should be done on the data protection regime of the destination country or organisation prior to making the restricted transfer when using the standard contractual data protection clauses. Finally, in the same decision, the Court invalidated a transfer mechanism called Privacy Shield.

United Kingdom
Entity/Region
Comment
Specific Statement on Privacy Shield
Guidance on SCC Assessments

Information Commissioner
(UK)

The judgment says that supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our Regulatory Action Policy.

The CJEU has confirmed how EU standards of data protection must travel with the data when it goes overseas, which means this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK.

Further work is underway by the European Commission and EDPB to provide more comprehensive guidance on extra measures you may need to take. In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.

TrustArc Resources

FAQs

Schrems 2 Decision FAQs

Updated July 27, 2020

Webinar

Privacy Shield Webinar

Podcast

Privacy Shield Podcast

Blog

Privacy Shield Blog