The EU-US Privacy Shield is invalid, and there is ambiguity with regards to standard contract clauses, because they’re still valid…sometimes. So let’s clear that up.
The Schrems II ruling we’ve all heard so much about has led to confusion and no shortage of panic. In this short article we want to succinctly explain what the ruling was, what it means, and most importantly, what you as an organisation have to do.
The Privacy Shield had been in place since 2015, usurping previous legislation known as Safe Harbor, and thus both pieces of legislation have been challenged and stricken down by original complaints made by privacy activist and lawyer, Max Schrems (and why you will often see this case referred to as Schrems II).
Why has the EU-US Privacy Shield been ruled invalid?
There simply isn’t sufficient protection to prevent state surveillance, and also, the courts do not have the power to hold entities accountable for ensuring key data protection measures are in place.
Complications in international data transfers stem simply from two or more different legislations needing to come to an agreement, so that personal data is not put at undue risk in accordance with legislation from both ‘parties’, in this case, the EU and the US, and it was intended that the Privacy Shield would bridge any gap between the two.
“The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”.
The argument in Schrems II is that the US offers more power to the state under the guise of national security and clearly, this has been an insurmountable problem, contradicting the EU standards for an individual’s right to privacy as set out in the EU Charter of Fundamental Rights, and thus the Privacy Shield, that was intended to mitigate these differences, is invalid.
Schrems II & Standard Contractual Clauses
Standard contractual clauses, a mechanism under Chapter 5 of GDPR, have been judged to be valid, meaning that if you’re transferring data from the EU to US under this mechanism, then you’re compliant.
However, this isn’t the complete story, whilst standard contractual clauses have been ruled to be valid, they must be reviewed on a case by case basis.
Věra Jourova, Vice-President of The European Commission said in her speech:
“The Court of Justice declared the Privacy Shield decision invalid but also confirmed that the Standard Contractual Clauses remain a valid tool for the transfer of personal data to processors established in the third countries. This means that the transatlantic data flows can continue based on the broad toolbox for international transfers provided by the GDPR,”
So there are two key points we can take from the ruling:
- The EU-US Privacy Shield is invalid.
- Standard Contractual Clauses ARE valid, but have to be reviewed on a case by case basis.
What does Schrems II mean for my organisation?
You should be taking steps immediately following the ruling:
- Assess how you’ve addressed international data transfers with clients, customers & vendors etc.
- Find out whether or not you are actually transferring data and is there a legitimate reason to be doing so?
- Consider the country of destination, (this is where the ambiguity with SSC’s is) you must establish whether the country of destination has the appropriate safeguards that meet that which is required by the EU.
- There will be no official grace period, once the ruling was made, companies must abide by it. However, it’s likely the authorities won’t immediately be hitting companies with fines as it would be completely unfair to change a rule overnight and expect companies to immediately be able to swift changes.
Q. I was transferring data to a U.S. data importer adherent to the Privacy Shield, what should I do
A. Transfers based on this network are now illegal, should you want or need to continue transferring data to the US, you should review your existing supply chain and contracts to identify where you are relying on the Privacy Shield or SCCs. You will then need to make alternative arrangements with service providers.
Q. I am using Binding Corporate Rules (BCRs) with an organisation in the U.S., what should I do?
A. The Privacy Shield was ruled invalid due to the infringements of the U.S. government on the privacy of individuals, this also affects BCRs, you must take into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards. If the security of the transfer cannot be ensured after this consideration, then the transfer must be suspended, or stopped altogether.
Q. Can I rely on one of the derogations of Article 49 GDPR to transfer data to the U.S.?
A. Yes, providing providing provisions set forth in the article are met. Tranfers may be necessary for three reasons:
When transfers are based on consent, it is explicit, specific to this particular transfer, and informed.
- Performance of a contract between the data subject and the controller
Personal data may only be transferred when the transfer is occasional. It would have to be established on a case-by-case basis whether data transfers would be determined as “occasional” or “non-occasional”.
- Important reasons of public interest
The essential requirement for the applicability of this derogation is the finding of an important public interest and not the nature of the organisation.
Q. Can I continue to use SCCs or BCRs to transfer data to another third country than the U.S.?
A. You must assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If it is deemed inadequate, and no supplementary measures can ensure the appropriate level of protection, then the transfer must be stopped.
Q. What kind of supplementary measures can I introduce if I am using SCCs or BCRs to transfer data to third countries?
A. Measures would have to be provided on a case-by-case basis, but the EDPB has not yet provided guidance on what specific measures could be used, we’ll update as new information develops.
The situation can be a little confusing, and you may still have questions, but you needn’t worry, we go into this topic in greater depth in our webinar: Schrems II & The Privacy Shield, you can register for the webinar here. If you’re unable to make the live webinar, you can still receive the recording to watch at your leisure!