We provide you with 10 key items you need to know about the Schrems II court decision. Since our mission is to provide pragmatic advice, we have refrained from long legal analysis; instead we give you insights on the most important consequences. Please stay tuned: we will continue reporting on the case in this manner, by publishing more bite-size articles on this topic in due course.
1. What is the essence of the Schrems II case?
The European Court of Justice (CJEU) has invalidated Privacy Shield, which was one of the GDPR transfer mechanisms for sending data from the EU to the US. The court has also stated that Standard Contractual Clauses (SCCs; another transfer mechanism, but broader in that it can be applied to any non-EEA country) remain valid; however, transfers under this mechanism require extra safeguards.
2. What’s the matter with personal data transfers to the US?
EU law requires that the importing country provides adequate protections. However, due to national security laws (e.g. the Patriot Act and, in particular, FISA requests) and the lack of effective judicial remedies for EU data subjects (e.g. in the US certain remedies are based on nationality and are granted to US nationals only), US protection cannot be seen as adequate from an EU perspective.
3. Does it mean there is a problem only with EU – US transfers?
No – the same adequacy is required of all countries that import EU personal data. This means that each country with wide-reaching surveillance laws that impact the privacy of EU personal data can be affected, except for the countries that enjoy an adequacy decision granted by the EU Commission.
4. What is the catch with the SCCs?
The court has stated that companies and data protection authorities should assess on a case-by-case basis whether the importing country provides an adequate standard. This means that executing SCCs should be accompanied by the application of additional measures that will effectively better protect EU personal data when it is transferred abroad.
5. What are the safeguards we could use alongside SCCs?
The European Data Protection Board (EDPB) is presently working on providing guidance in this respect, and we advise awaiting its outcome. In the meantime, the suggested solution is to analyse the in-country laws, i.e. to make your own assessment of whether the transferred data could be at risk of being subjected to surveillance based on the security laws of the importing country, as well as making sure EU nationals get access to an effective judicial remedy (this temporary approach was affirmed by Helen Dixon, representing the Irish DPA).
(The four essential guarantees to be taken into account when transferring data to a third country are set out in WP237 by the former Art. 29 Group.)
6. Does it still make sense to make an in-country law assessment for the US, if the court does not deem US laws adequate?
Yes. A contextual analysis, focused on your sector, the type of data you intend to transfer, and the precise location of the importer, makes sense and, together with SCCs, can give you a lawful basis for transferring your data to the US. The US creates its laws and regulations on a sectoral basis, which means that certain sectors may be more at risk of being subject to NSA requests than others; similarly, when it comes to the legal remedies available to EU data subjects, the situation can differ from state to state.
7. Privacy Shield is dead, SCCs are difficult, should I consider other transfer mechanisms?
Unfortunately, the issues presented in the context of Privacy Shield and SCCs are just the same for any other relevant transfer mechanism, so if you think that Binding Corporate Rules (BCRs) can solve all your worries, we have bad news: they are no silver bullet. In the case of transfers that are necessary for the performance of the service, these can go ahead based on a GDPR derogation (see Art. 49).
8. Should I consider terminating EU-US transfers?
We do not advise that EU-US data flows must stop, and to date neither have the European data protection authorities (with the single exception of the Berlin DPA). Transfers may carry on based on SCCs; however, they should be accompanied by the in-country law assessment (documented, as the GDPR accountability principle requires) and possibly by other safeguards advised by the EDPB in due course.
9. How can I help my organisation manage this?
Do not react hastily, wait for further guidelines, and in the meantime do what you can. That is:
- Make sure that where you relied on Privacy Shield, you put SCCs in place and make a contextualised in-country law assessment;
- Make sure you know what data you transfer where – if your records of processing don’t give you that visibility, work on bringing them up to speed, as without it you cannot navigate compliance with data transfers (and you would also be at risk of breaching another provision of the GDPR, Art. 30).
10. What is the next step from the EU institutions?
On 20 July, the European Data Protection Board issued a statement that it will publish guidance notes on what the additional measures needed to supplement SCCs could consist of. This publication is awaited not only by organisations but also by the data protection authorities, who may defer their enforcement activities until such time as this guidance is out.