Schrems II and its significance for practice
On 16 July 2020 the Court of Justice of the European Union (“ECJ”) declared the EU-US Privacy Shield invalid and considerably increased the requirements for the use of EU standard contract clauses (Case C-311/18, “Schrems II”; find our initial press releases on this issue here [in German] and here). As a result, an important tool for international data transfers to the USA has been rendered obsolete. EU standard contractual clauses, previously used as a simple tool for data transfers to unsafe third countries, must now be examined in detail for each individual case. While the consequences of the Schrems II decision are not yet entirely foreseeable for use in practice, it has become obvious that this decision will result in a fundamental change in international data transfer.
What does that mean specifically?
- Companies are no longer allowed to use the EU-US Privacy Shield.
- EU standard contractual clauses may no longer be used on the basis of a template as before.
- Companies that continue to transfer personal data to third countries on the basis of the EU-US Privacy Shield or on the basis of non-adapted EU standard contractual clauses must expect to face bans and even fines from the supervisory authorities with immediate effect.
What are international data transfers and their challenges?
International data transfers (in the sense of data protection law) occur whenever personal data is processed outside the EU/EEA. This can cover almost anything: sending e-mails, using cloud providers that store data in the USA, or any other procedure in which personal data is not processed exclusively in the EU/EEA.
This is already a major challenge: as a European company, you have to comply with the requirements of the General Data Protection Regulation (GDPR), which frequently places stricter requirements on data processing than the national laws of third countries (such as China, India, or the U.S.).
Prior to the Schrems II judgement, it was possible to transfer data to the USA by using the EU-US Privacy Shield certification. The voluntary compliance of the U.S. company with certain data protection principles (including transparency, safeguards, rights of data subjects) offered the presumption of an adequate level of data protection, thus making such a transfer possible. The certification was created after the ECJ’s “Safe Harbor” ruling (October 06, 2015, C-362/14; Schrems I). The Schrems I decision overturned the predecessor model of the EU-US Privacy Shield for international data transfers to the U.S.
Now, the EU-US Privacy Shield has been declared invalid by the ECJ on July 16, 2020. The ECJ ruled that U.S. law is not compatible with certain European fundamental rights, an incompatibility that the EU-US Privacy Shield cannot cure. In particular, access by public authorities to the content of electronic communications and the lack of effective legal remedies for European citizens were cited as grounds for the decision.
What are the immediate effects of the decision?
Invalidity of the EU-US Privacy Shield
Due to the lack of a transitional regulation, the EU-US Privacy Shield has been invalid since July 16, 2020. Data processes based on the EU-US Privacy Shield must be stopped or a company must find and implement alternatives.
Critical review of other instruments for international data transfer
While there are, in principle, other ways to allow data transfer to third countries, they are only of limited value – as of now. Data exporters and importers must check in each individual case whether sufficient legal protection exists. When this is not the case (e.g., in the USA), additional protective measures must be taken (for which there are currently no guidelines from supervisory authorities). Even consent or a contractual basis may only be considered in exceptional cases. It should additionally be examined whether options for technical protection can be used, such as (stronger) encryption or data anonymization.
Outlook: What comes next?
The ECJ and the European data protection authorities require companies exporting data to an unsafe third country to review the legal systems there. For this purpose, the data importers, i.e., the respective contractual partners in such third countries, should be contacted.
Tips for use in practice
To document compliance with the requirements of the ECJ and the GDPR (Article 5 (2) GDPR), it is advisable to take at least the following steps expeditiously:
- Carry out due diligence and, in particular, analyze your own international data flows (Which data is transferred to which third country and for which purposes? How is this data protected in transit and at rest at the destination?).
- Contact service providers in (unsafe) third countries and determine their level of data protection with specific questions. Develop additional protection measures, supporting contractual addendums with technical measures.
- Check alternative providers and possible data localization within the EU/EEA or a safe third country (Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay).
We will gladly support you in these steps and are available for any additional questions you may have.