Skip to Main Content.

More than 5,300 companies in the United States used the EU-US Privacy Shield Framework for the transfer of personal data from the European Union to the United States.  On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its infamous decision in Schrems II, invalidating the Privacy Shield and leaving companies scrambling to continue these transfers without violating the requirements of the General Data Protection Regulation (GDPR). The following is a summary of the CJEU’s decision and steps that should be taken while the respective EU and U.S. agencies continue to work together to reach a solution satisfactory to European data protection authorities.

What did the court say?

Privacy Shield is invalid.
  • U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by EU law on Fundamental Rights.
  • EU individuals do not have a right to effective legal remedies in the U.S. to ensure compliance with provisions of EU law when their data is used for national surveillance programs.
  • The authorities of the EU Member States have insufficient powers and means to take effective action in relation to individuals’ complaints based on allegedly unlawful processing in a third country.
Do you use Privacy Shield for transfers from the EU to the U.S.?
  • Standard Contractual Clauses (SCC) are inherently intended to provide contractual guarantees and thus cannot bind the public authorities of third countries.
  • Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection for personal data transferred under SCCs.
  • “Adequate protection” requires the third country to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.
  • If adequate protection cannot be ensured:
    • Companies must provide additional safeguards or end transfers.
    • Supervising authority is required to suspend or prohibit transfer to a third country.
    • Data already transferred needs to be returned or destroyed.
Do you use SCC for transfers from the EU to the U.S. (or any other country without an adequate level of protection)? The GDPR applies to the transfer of personal data for commercial purposes from the EU to a third country, regardless of whether that data would be further processed by the authority of the third country for surveillance programs or national security reasons.

What should you do?

Do you use Privacy Shield for transfers from the EU to the U.S.?
  • As soon as possible, find an alternative legal basis to enable transfers of GDPR-protected data to the U.S. like SCCs, Binding Corporate Rulesapproved code of conduct, or derogations for specific situations.
  • If you have negotiated Article 28 Data Processing Addendums or agreements that require the parties to execute the SCCs if the Privacy Shield is declared invalid, begin the process of reaching out and getting those clauses in place.
Do you use SCC for transfers from the EU to the U.S. (or any other country without an adequate level of protection)?
  • Although the SCCs may be at risk for a similar determination by European regulators, for now they remain a valid transfer mechanism.
  • Review the data importer’s technical and security measures specified in the Appendix to the SCC and consider whether additional measures should be specified to strengthen security, like tokenization and encryption.

What has happened since the Schrems II decision?

November 10, 2020 The European Data Protection Board (EDPB) issued “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” setting out a framework for navigating transfers of data out of the European Economic Area (EEA). The EPDB also issued “essential guarantees” that must be respected in order to ensure that interference with individual’s privacy and data protection rights, through surveillance of transferred data, does not “go beyond what is necessary and proportionate in a democratic society.”
December 31, 2020 The EDPB updated its “Information note on data transfers under the GDPR to the U.K. after the transition period” from the entry into force of the EU-UK Trade and Cooperation Agreement until a decision about adequacy of the UK is adopted (June 30, 2021 at the latest). During the interim period, all transfers of personal data between stakeholders subject to GDPR and UK entities will not be considered transfers to a third country.
January 15, 2021 The EDPB and the European Data Protection Supervisor (EDPS) have adopted joint opinions on two sets of SCCs. One opinion on the SCCs for contracts between controllers and processors and one on the SCCs for the transfer of personal data to third countries. Once finalized, the International SCCs will replace the existing sets of SCCs, which were drafted under the Data Protection Directive.

What is the impact of this decision?

Unless your company is in one of the ten countries with an adequacy decision, Schrems II has had the unfortunate effect of leaving thousands of companies who rely exclusively on Privacy Shield for transfers of data into the U.S. in legal limbo. The Department of Commerce, which administered Privacy Shield, has said that it will work with European regulators to limit the negative consequences of the decision. However, given the current state of U.S. data surveillance laws, which permit government access to data in certain circumstances, it is unclear how the U.S. and the EU can move forward to establish rules to which both sides can agree.

Associated Industries and Practices: Mobility & Transportation | Automotive | Technology  |  Privacy & Data SecurityIntellectual Property | International Services