On 16 July 2020, the European Union’s highest court, the Court of Justice of the European Union (CJEU) delivered the much anticipated decision in the Max Schrems Case (Schrems 2). The court was asked by Ireland’s High Court to decide on key mechanisms for international transfers of personal data from the EU to the United States. The underlying cases arose out of Austrian privacy activist Max Schrems’ complaint against Facebook and Ireland’s Data Protection Commission over interpretation of key data protection provisions. Max Schrems objected to US surveillance of foreign nationals which conflicted with the General Data Protection Regulation (GDPR). The court decided that US surveillance laws and practices stand in opposition to the GDPR’s fundamental human rights protection of EU citizens. As a result, personal data transfers are non-compliant to EU law and need special attention, assessment, reviews and additional safeguards to make these compliant. The case has been called constitutional and cannot be appealed.
The Court of Justice of the European Union found that the EU/US Privacy Shield data protection adequacy decision agreed in 2016 is invalid. Personal data transfers based on this mechanism must cease. EU citizens have no real judicial remedy or equivalent protections in the US under Privacy Shield. The Swiss/US Privacy Shield remains in force but the Swiss Data Protection Authority is reviewing its position. Privacy Shield continues to operate internally in the USA based on federal enforcement mechanisms, US laws and the role of domestic regulators.
Standard Contractual Clauses (SCCs)
The European Commission’s Data Protection Standard Contractual Clauses remain lawful and enforceable. However, the court has insisted that Data Exporters (in the EU) and Data Importers (in foreign countries) must carry out more detailed checks to ensure that foreign laws and data governance rules are compatible with GDPR. Data Importers must inform Data Exporters if they are unable to comply with EU data protection law. Data Exporters must refuse to transfer personal data where specific personal data transfers are incompatible. EU Data Protection Authorities are also encouraged to intervene and review Standard Contractual Clauses and be prepared to withhold or withdraw authorisations for international personal data transfers. On 4 June 2021, the European Commission published its final updated Standard Contractual Clauses that comply with GDPR and the Schrems 2 case. On 21 March 2022, the UK published its new international data transfer regime.
Responses and Actions
- Companies and organisations should assess their exposure to Privacy Shield, work towards stopping these personal data transfers and investigate substitute arrangements. There is no grace period for compliance.
- Wait for and act on concrete guidance from each relevant EU Member State’s Data Protection Authority, the European Data Protection Board (EDPB) and the European Commission.
- Wait for the European Commission’s new GDPR-approved Standard Contractual Clauses (June 2021) and implement these by December 2022.
- Begin to review high value and high risk contracts that contain Standard Contractual Clauses (SCCs) that allow transfers to the USA.
- Review Binding Corporate Rules (BCRs) to see if personal data transfer protections from the EU to the USA need to be strengthened or varied.
Schrems II European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) Joint Opinion 2/2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries
For Further Assistance, contact PrivacySolved:
Telephone (London): +44 207 175 9771
Telephone (Dublin): +353 1 960 9370