More than 5,300 companies in the United States used the EU-US Privacy Shield Framework for the transfer of personal data from the European Union to the United States. On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its infamous decision in Schrems II, invalidating the Privacy Shield and leaving companies scrambling to continue these transfers without violating the requirements of the General Data Protection Regulation (GDPR). The following is a summary of the CJEU's decision and steps that should be taken while the respective EU and U.S. agencies continue to work together to reach a solution satisfactory to European data protection authorities.
What did the court say?
Privacy Shield is invalid.
Do you use Privacy Shield for transfers from the EU to the U.S.?
Do you use SCC for transfers from the EU to the U.S. (or any other country without an adequate level of protection)?
The GDPR applies to the transfer of personal data for commercial purposes from the EU to a third country, regardless of whether that data would be further processed by the authority of the third country for surveillance programs or national security reasons.
What should you do?
Do you use Privacy Shield for transfers from the EU to the U.S.?
Do you use SCC for transfers from the EU to the U.S. (or any other country without an adequate level of protection)?
What has happened since the Schrems II decision?
November 10, 2020 | The European Data Protection Board (EDPB) issued "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data," setting out a framework for navigating transfers of data out of the European Economic Area (EEA). The EDPB also issued "essential guarantees" that must be respected in order to ensure that interference with individuals' privacy and data protection rights, through surveillance of transferred data, does not "go beyond what is necessary and proportionate in a democratic society."
December 31, 2020 | The EDPB updated its "Information note on data transfers under the GDPR to the U.K. after the transition period" from the entry into force of the EU-UK Trade and Cooperation Agreement until a decision about adequacy of the UK is adopted (June 30, 2021 at the latest). During the interim period, all transfers of personal data between stakeholders subject to GDPR and UK entities will not be considered transfers to a third country.
January 15, 2021 | The EDPB and the European Data Protection Supervisor (EDPS) adopted joint opinions on two sets of SCCs: one opinion on the SCCs for contracts between controllers and processors, and one on the SCCs for the transfer of personal data to third countries. Once finalized, the International SCCs will replace the existing sets of SCCs, which were drafted under the Data Protection Directive.
What is the impact of this decision?
Unless your company is in one of the ten countries with an adequacy decision, Schrems II has had the unfortunate effect of leaving thousands of companies who rely exclusively on Privacy Shield for transfers of data into the U.S. in legal limbo. The Department of Commerce, which administered Privacy Shield, has said that it will work with European regulators to limit the negative consequences of the decision. However, given the current state of U.S. data surveillance laws, which permit government access to data in certain circumstances, it is unclear how the U.S. and the EU can move forward to establish rules to which both sides can agree.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.