July 27, 2020

Schrems II Decision: Privacy Shield Invalid for EU-US Transfers

The EU’s Court of Justice (CJEU)declared the EU-US Privacy Shield Framework, which governs data transfers, invalid in its ruling on the Schrems II case.

The thinking behind this ruling is that the Privacy Shield framework does not offer the required degree of protection for the transfer of personal information from the EU to the US. 

Nonetheless, the CJEU maintained that the Standard Contractual Clauses (SCCs) that oversee the movement of personal data between the EU and other countries are still valid. 

If you depend on the SCCs to transfer data out of the EU, you are required to meet various requirements to guarantee compliance with the GDPR, ePrivacy Directive, and other European data protection regulations. 

This ruling is expected to have major consequences for over 5,000 companies that have been reliant on the EU-US Privacy Shield framework to transfer data including social media giants such as Facebook and Twitter. 

What is the Schrems II Case?


The GDPR restricts the transfer of personal data outside the EU unless the European Commission is satisfied that;

  • The importing jurisdiction offers an ‘adequate’ degree of data protection
  • The party transferring personal data in or out of the EU is dedicated to putting in place the necessary protections to safeguard personal information in line with the General Data Protection Regulation (GDPR). 

In 2016, the European Commission certified the US as ‘adequate’, although, in accordance with the Privacy Shield framework. 

What this meant is that companies that accepted, implemented, and met the requirements of the Privacy Shield data protection mechanism could transfer personal information from the EU to the US freely. 

For companies that are unable to comply with Privacy Shield, the alternative was through the Standard Contractual Clauses (SCCs). 

Origins of the Case

Maximillian Schrems, an Austrian citizen, filed a complaint with the Irish Data Protection commissioner seeking to stop the transfer of personal information from the EU to the US under the Safe Harbor Framework. 

In October 2015, the CJEU upheld the European Commission’s ruling in favor of Schrems, that the Safe Harbor Framework was invalid due to personal data protection inadequacy. 

The Privacy Shield was introduced in August 2016 in place of the Safe Harbor Framework. 

Over the years, this mechanism, together with the SCCs have governed the transfer of personal data. 

Therefore, the Schrems II case refers to a second complaint filed by Max Schrems challenging the adequacy of the Privacy Shield framework in protecting the data of EU residents according to GDPR standards. 

You can find more detailed information about the Schrems II case on the EDPB website here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en

What are Standard Contractual Clauses (SCCs)? 

The European Commission has provided guidelines that give enough guarantees of data protection for personal information that is transferred from the EU to other jurisdictions. 

The clauses have contractual responsibilities for those sending data out of the EU as well as those receiving personal information from the European Economic Area (EEA). 

Furthermore, they guarantee rights for the data subjects whose information is transferred because SCCs allow consumers to exercise their rights against either the recipients or exporters of their personal data. 

So far, the European Commission has defined two sets of Standard Contractual Clauses that govern data transfers from an EU controller to a non-EU or EEA controller.

A detailed description of each set is available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

Therefore, if you send personal data of EU residents to countries or jurisdictions that do not have a sufficient level of data protection, SCCs offer a way to legitimize these transfers to processors outside the EEA.  

What are the Key Facts of the Schrems II Decision? 

The CJEU’s decision overturned the European Commission’s judgment in 2016 which found the Privacy Shield ‘adequate’ to safeguard the personal information of EU citizens transferred to the US. 

Specifically, the European Court of Justice determined the Privacy Shield is inadequate because;

  • US laws give intelligence bodies broad authorization to access the personal data of EU residents, which fails to satisfy the principle of proportionality
  • EU residents do not have an avenue for legal compensation under US law for infringements of their fundamental rights. 
  • The European Commission did not demonstrate in its 2016 decision that Privacy Shield Ombudperson was neither adequately independent from the Executive arm of government nor possessed the authority to embrace decisions that are binding on those intelligence services. 
  • US surveillance programs are not limited to what is strictly necessary

How does the Schrems II Decision affect the Standard Contractual Clauses (SCCs)? 

The Schrems II decision maintained that SCCs remain a valid way of transferring user information from the EU. 

Nonetheless, the court directed that it is your duty as a data controller to evaluate the level of data protection provided by the country to which you transfer personal data. 

You are required to;

  • Confirm whether the data protection regulations of the recipient jurisdictions are ‘inadequate’ to protect the information of data subjects in cooperation with data processors. In case you identify weaknesses, you are required to address these failings, which include; guaranteeing enforceable rights for data subjects and access to effective legal redress avenues. 
  • Suspend or stop transferring data from the EU to the US in cases where you fail to implement additional measures to ensure sufficient protections

What are the Key Takeaways for Businesses from the Schrems II Decision? 

The impact of this ruling is expected to have significant effects on companies compared to the invalidation of the Safe Harbour Framework. 

  • If your company currently depends on the Privacy Shield alone to move data out of the EU, you must either; stop the transfers or implement a GDPR-compliant way to oversee the transfers. SCCs and Binding Corporate Rules (BCRs) offer viable alternatives although extra measures are necessary to ensure compliance with the General Data Protection Regulation. 
  • You need to review the clauses you have with third-parties regarding data transfers to identify those affected by the invalidation of the Privacy Shield Framework and be prepared to update data processing agreements after the SCCs are updated by the European Commission. 
  • You need to determine the jurisdictions to whom you rely on SCCs to transfer data and identify those that may have local regulations that do not recognize them. 
  • You need to embrace proactivity in dealing with the current uncertainty and ensure you can respond fast to Data Protection Authorities’ (DPAs) statements and concerns since the CJEU made these bodies responsible for assessing the adequacy of the recipients’ legal system
  • You must take immediate action to remove references to compliance with Privacy Shield in your privacy notice 
  • If you have been relying on both the Privacy Shield and SCCs in anticipation of this decision, the impact of this ruling may be a lot less compared to businesses that rely on the Privacy Shield alone. 

What Next? 

While US companies will be the most affected by this decision, the impact will vary since some companies can still continue transferring data from the EU under the SCCs.

The key change is that you will have to first satisfy EU Data Protection Authorities (DPAs) that the privacy of the personal information of EU residents is guaranteed in the US. 

If you rely on SCCs, you must examine the level of data protection in the recipient jurisdiction first. 

Similarly, data importers will have a duty to notify you about any issues that may compromise the privacy of the personal information being transferred.

To transfer data under the SCCs, you must ensure that you are GDPR compliant. Secure Privacy gives you a complete automated solution for full compliance with the EU’s data protection regulation.  

UPDATE: Read about the New Data Transfer Agreement Between EU and US.