Welcome to the first of many posts in the ‘Schrems II Series’, where we will be providing up-to-date information and legal analysis on the international developments following the Schrems II decision.
In a landmark case, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield as a mechanism to transfer personal data from the EU to the United States. The court found that the Privacy Shield did not provide EU citizens with sufficient protection for their personal data.
Businesses can take some comfort from the judgement's confirmation that the Standard Contractual Clauses (“SCCs”) remain valid, although the court did not confirm the SCCs' validity without caveat. The judgement explains that, when transferring personal data outside the EU, supervisory authorities and/or data exporters must ensure the third country provides a level of data protection essentially equivalent to that within the EU. To assess the level of protection, one must consider not only the contractual clauses but also the rights of public authorities of the third country to access the personal data under national laws. As such, while the SCCs are valid, the judgement suggests organisations will be required to undertake additional due diligence and possibly implement ‘supplementary measures’ alongside the SCCs. Exactly what supplementary measures are required to ensure the SCCs are used as a valid transfer mechanism is not yet certain.
What does this actually mean for businesses?
Schrems II is likely to have a profound impact on organisations, particularly where personal data is transferred between the EU and the US. Businesses currently relying on the Privacy Shield in order to process EU personal data within the US will need to find an alternative transfer mechanism. There has so far been no guidance on a transition period or regulatory moratorium in which businesses can transition away from the Privacy Shield. The UK regulator (the ICO) has said that businesses may keep using the Privacy Shield until further guidance is provided, but should not start relying on the Privacy Shield during this time.
Businesses should avoid a knee-jerk reaction to this judgement given the ongoing uncertainty clouding international data transfers. I'd recommend a considered approach starting with the following next steps:
- Undertake a due diligence exercise to identify all current data flows that rely on the Privacy Shield.
- Where the Privacy Shield is relied on, assess each data flow based on risk and on the likelihood that the data importer (the US entity) will address potential disruption in an acceptable way (e.g. US-based hyperscale cloud service providers will likely contact you to request contract amendments).
- For identified data flows that do require action, put in place a strategy and plan to validate the data flow (e.g. implementing SCCs or a data localisation option).
The European Commission has hinted at modernised SCCs and at prioritising safe transatlantic data flows. Stay tuned: there will be plenty of updates to come as regulators digest the impact and effect of Schrems II.
For further information and a detailed analysis of the CJEU’s decision, its Brexit implications and next steps, please see here.
Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.