In the past week we have been flooded with questions regarding the impact of the famous Schrems II case on international data transfers, in particular the validity of the Privacy Shield and the Standard Contractual Clauses. We have therefore compiled the following FAQ to help you better understand the ramifications of this ground-breaking case on your company’s data practices.
What is the Schrems II judgment?
On 16 July 2020, the Court of Justice of the European Union (CJEU) confirmed the validity of the EU Standard Contractual Clauses for the transfer of personal data to processors outside the EU/EEA (SCCs) in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”), while invalidating the EU-US Privacy Shield. The Schrems II case originated from the 2015 CJEU decision in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (“Schrems I”), which invalidated the EU–U.S. Data Protection Safe Harbor decision from 2000 (the so-called “Safe Harbor”) for the international transfer of personal data.
In Schrems II, the CJEU confirmed that the EU Standard Contractual Clauses (SCCs) provide appropriate safeguards for international transfers of personal data. However, it highlighted that data exporters established in the European Union need to consider not only the international data transfer agreements based on the SCCs agreed between them and the data importer established in the third country, but also the relevant aspects of the data importer’s legal system, in particular any access by public authorities to the data transferred. If an essentially equivalent level of protection cannot be guaranteed, data controllers are required to terminate such data transfers and also, if necessary, the contract with the data processor in the third country.
In addition, the CJEU held the view that another data transfer mechanism, the EU-US Privacy Shield, does not include satisfactory limitations to ensure the protection of EU personal data from access and use by US public authorities on the basis of US domestic law. The CJEU therefore invalidated the EU-US Privacy Shield Decision, which, with immediate effect, can no longer be relied upon for EU-US data transfers.
I am not certified under the Privacy Shield. Does the Schrems II decision affect me?
If you are a US company certified under the US Privacy Shield, or if you are a Swiss or EU company that transfers personal data to US companies based on the US Privacy Shield, you will need to find a new legal basis for the transfer of personal data from the EU and Switzerland to the US (see next question). However, the Schrems II judgment does not affect your personal data transfers to/from the US if you rely on other transfer mechanisms (such as the SCCs or binding corporate rules).
Are SCCs still valid, and am I covered if I use them?
According to Schrems II, the SCCs remain valid. However, the CJEU emphasized the requirements that organisations will need to satisfy in order to be able to rely on the SCCs moving forward, namely carrying out an assessment of the level of protection in the destination country, taking into consideration both the contractual clauses agreed between the EU data exporter and the non-EU data importer and, with regard to any access by the public authorities of the destination country to the data transferred, the relevant aspects of the legal system of that third country.
Organisations have become used to assuming that SCCs can always be used as a means to provide adequate protection for personal data, without any additional safeguards. The CJEU clarifies that this is not the case. In particular, if a third country allows public authorities to access data, then more will be required. In this situation, a party wanting to rely on the SCCs must consider the third country’s legal system – including the factors which are relevant in an adequacy decision, as described in Art. 45 (2) GDPR. The CJEU also notes that these factors are non-exhaustive, meaning that additional factors can be introduced into an assessment of adequacy. This assessment has to be made by the data exporter on a case-by-case basis.
The Schrems II judgment contains a brief reference as to what the supplementary measures to the SCCs could be but refrains from describing them in detail. As the core problem here is potential access by public authorities to data, it is recommended to use technical safeguards prior to the transfer.
I work with US companies that are certified under the Swiss-US Privacy Shield. What does Schrems II mean for me?
The Federal Data Protection and Information Commissioner (FDPIC) has recently issued a statement highlighting that the Swiss-US Privacy Shield is still in effect, as the CJEU ruling is not directly applicable to Switzerland. As with the Safe Harbor ruling (Schrems I), companies in Switzerland can continue to use the Swiss version of the Privacy Shield as long as it is offered. However, it is doubtful whether the Privacy Shield will continue to be in force much longer after the CJEU’s decision. You should follow the FDPIC’s announcements closely and start preparing now to switch to another safeguard.
I work with (sub)processors which are certified under the EU-US Privacy Shield. Will I need to adjust my Privacy Policy and data processing agreement?
This could very well be the case. It is common practice for privacy policies to state something along the lines of “We may use data processors that are certified under the EU‑US Privacy Shield, which establishes appropriate and suitable safeguards to ensure compliance with the GDPR according to the EU Commission decision of 12 July 2016 (C(2016) 4176).” You should consider adjusting this after consulting with your data processors to ensure that they have indeed switched to a safeguard other than the Privacy Shield.
For instance, the following wording is advisable: “We take all the steps reasonably necessary to ensure that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place. In particular, for transfers of Personal Data outside the EEA, contracts containing the EU Standard Contractual Clauses according to the EU Commission decisions of 27 December 2004 (2004/915/EC) and 05 February 2010 (C(2010)593) constitute appropriate and suitable safeguards to ensure compliance with GDPR.”
In your data processing agreement, you should adjust the section concerning international data transfers to exclude the Privacy Shield, and examine whether you need to sign additional SCCs to cover data transfers to the US.
I, as a processor, use subprocessors which are certified under the EU-US Privacy Shield. Are there additional risks?
According to Art. 28 (4) GDPR, where a processor engages another processor to carry out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract shall be imposed on that other processor by way of a contract. Where the subprocessor fails to fulfil its data protection obligations, you shall remain fully liable to the controller for the performance of the subprocessor’s obligations.
If your subprocessor is transferring data outside the EU/EEA and Switzerland on the basis of the EU-US Privacy Shield, you may be breaching your data processing agreement with the data controller. Ask your subprocessor what they are doing to mitigate the situation, and check your data processing agreement with the controller and the subprocessor. If a subprocessor is established in the US or otherwise processes personal data there, you should enter into an agreement with the subprocessor that incorporates the SCCs.
Please note that the SCCs have to be entered into between the controller and the subprocessor, not between the processor and the subprocessor. Therefore, the processor is normally given a proxy by the controller to enter into the agreement in the name and on behalf of the controller, and in line with the data processing agreement.
What are my other options, besides SCCs?
Frankly, quite limited. Binding corporate rules (BCRs) can be relied on by organisations for their intra-group data transfers, but they require substantial time and resources, as they must be approved by data protection authorities.
There are also other derogations from the general prohibition on transfers of personal data outside the EU (such as consent and contractual necessity), but consent is revocable (so not a practical solution) and contractual necessity is very narrow (so unsuitable for repeat, large-scale data transfers).
Finally, for the time being, there are no approved codes of conduct or certification mechanisms which companies can rely upon.