One year ago, on July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II). At issue were data transfers between the EU and the U.S.
In a decisive blow to normal operating procedures for thousands of U.S. businesses, the Schrems II court upended the two mechanisms that most companies relied on to transfer data – the EU-U.S. Privacy Shield and standard contractual clauses (SCCs). The Privacy Shield was found inadequate for data privacy protection and invalidated, effective immediately. While the court upheld the validity of SCCs, it now requires that each transfer be evaluated on a case-by-case basis to ensure adequate protection. Where protection is lacking, the court found, "additional safeguards" could be required; however, no clarification was offered as to which supplemental measures sufficiently protect a subject's data.
The consequences of Schrems II were immediate, massive, and confounding. Over the past year, some guidance has been issued with respect to SCCs, but a resolution for the Privacy Shield remains to be seen.
Status of the Privacy Shield
One year out, no replacement to the Privacy Shield exists, yet the U.S. and the EU have publicly committed to working together to come up with a resolution. In a move that signaled the new administration's prioritization of privacy issues, President Biden appointed Christopher Hoff to oversee negotiations for a replacement, effective the day of Biden's inauguration in January 2021.
Status of SCCs
Significant guidance has been issued in the wake of Schrems II with regard to SCCs, including guidelines published by the European Data Protection Board (EDPB) and draft replacement SCCs issued by the European Commission.
In November 2020 and June 2021, the EDPB released guidelines advising organizations on Schrems II compliance, setting out six specific steps that require consideration for data transfers. They are:
- Know your transfers
- Identify the transfer tool that your transfer relies on
- Assess whether the Article 46 GDPR transfer tool on which you are relying is effective in light of all circumstances of the transfer
- Identify and adopt supplemental measures
- Take formal procedural steps
- Re-evaluate at appropriate intervals
Know your transfers
To successfully transfer data, the exporter must understand the flow of data. The first step is to identify, record, and map all transfers.
Identify the transfer tool that your transfer relies on
Next, data exporters identify the tools relied upon to transfer data. Appropriate mechanisms include adequate SCCs, binding corporate rules (BCRs), codes of conduct, certification mechanisms, or ad hoc contractual clauses. If the data is being transferred to one of the twelve countries covered by an adequacy decision sanctioned by the European Commission, no additional inquiry is required. If the transfer is to a country, such as the U.S., where data protection has been deemed inadequate, additional safeguards are necessary.
Assess whether the relied upon transfer tool is effective in light of all circumstances of the transfer
Transfer tools must ensure that the level of protection guaranteed by the GDPR is not undermined. The EDPB explained the need "to assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer."
A data exporter must therefore assess whether, and which, laws of the importing country apply to the data being transferred. When those laws require disclosure of data to government agencies, such as criminal law enforcement, regulatory supervisors, and national security agencies, the data exporter must use the relevant EDPB guidance to determine whether the laws can be regarded as justifiable interference.
A framework offered by the EDPB clarifies what should be considered when evaluating foreign laws. Major points include:
- The rules of the importing country should be clear, precise and accessible.
- If the importing country's objectives are legitimate, necessity and proportionality must also be demonstrated.
- The importing country should have an independent mechanism overseeing data transfers.
- Effective remedies must be available to the data subject.
Identify and adopt supplemental measures
If the assessment determines that the third country's laws do not effectively safeguard user data, then, in collaboration with the data importer, supplementary measures must be implemented to ensure a level of protection essentially equivalent to that guaranteed within the EU.
These supplementary measures may be contractual, technical, or organizational in nature. The guidance recommends layering measures of these different kinds, rather than relying on any one alone, to ensure adequate data protection. If the identified deficiencies cannot be remedied, the transfers must be stopped.
Take formal procedural steps
When supplemental measures are in place, the EDPB requires the organization to document the changes and encourages it to seek authorization from the supervisory authority.
Re-evaluate at appropriate intervals
Once data transfers comply with the Schrems II decision, the exporter has an ongoing obligation to monitor the countries involved in the data transfer and re-evaluate the level of adequacy based on any developments.
New Draft SCCs
In June 2021, the European Commission published new SCCs governing international data transfers and exchanges. This marked the first update to SCCs in more than 10 years. The new SCCs reflect the evolution of privacy laws in the interim, including the General Data Protection Regulation (GDPR) and the Schrems II decision.
The new SCCs took effect on June 27, 2021. The old SCCs can be used for new data transfers through September 27, 2021, but existing contracts for data transfers that rely on the old SCCs must adopt the new SCCs by December 27, 2022.
Current Status of Schrems II Implementation
In the year since the decision was handed down, the aftermath of Schrems II has been onerous and frustrating for U.S. companies. Under the unprecedented conditions caused by COVID-19, including increased use of cloud platforms as many employees work from home, the implications of the decision have become more complex. However, considering the enormous task of maintaining EU data protection standards in a global economy, the issuance of new SCCs and a demonstrated commitment to replace the Privacy Shield indicate impressive progress.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.