0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

Forgotten your password?

Schrems 2: Electric Déjà Vu?

17 July 2020

The CJEU gave judgment in the Schrems II case on Thursday 16 July 2020. The case examined the means by which personal data can lawfully be exported to the US from the EU. This article summarises the decision and aims to provide practical guidance for organisations which transfer personal data to the US.

The GDPR contains a general prohibition on transferring personal data outside the EEA unless particular safeguards are in place. Two of the most commonly relied upon safeguards are that transfers to the US could be made to companies certified under Privacy Shield or that transfers could be made if both parties entered into a contract containing EU approved Standard Contractual Clauses (SCCs). In the Schrems 2 case, the CJEU considered whether each of these safeguards were fit for purpose. What began as a complaint about Facebook transferring personal data from the EU to the US, grew to become a review of the safeguards relied upon by numerous organisations for EU-US transfers.

The CJEU ruled that Privacy Shield is not fit for purpose and is invalid as a mechanism for EU-US transfers, effective immediately. It found that US laws permitting government agencies access to EU citizen personal data invalidated the protections provided by Privacy Shield.

The CJEU also examined the validity of the SCCs. It ruled that the SCCs remain a valid safeguard for transferring personal data outside the EEA, however, it added that the SCCs alone do not guarantee an adequate level of privacy for the personal data. Organisations who wish to export the personal data must review whether the protections included in the SCCs will be effective in the importing country, taking particular account of whether individuals can enforce their data rights and seek effective remedies.

History repeating?

If this is all sounding oddly familiar then don’t worry, you aren’t suffering from electronic data-transfer déjà vu. In essence, this has all happened before, back in 2015. Before Privacy Shield was introduced, transfers to the US could be made under the Privacy Shield predecessor, called Safe Harbour. Safe Harbour was ruled invalid by the CJEU in the original Schrems case, mainly due to the mass surveillance that US authorities had to the data.

So what can we learn from the fallout from Schrems 1? Well, the regulators initially allowed a grace period (roughly 3 months) for organisations to replace the Safe Harbour mechanism. It took around 9 months for Privacy Shield to appear as a replacement, so the immediate response for many organisations was to implement the SCCs.

What should organisations be doing?

There are question marks over whether the SCCs will be adequate for EU-US transfers given the Schrems 2 ruling. If US agency access was fatal to use of Privacy Shield, will it also be fatal to use of the SCCs now data exporters must consider whether local law overrides the protections afforded by the SCCs? Similar concerns were raised of the SCCs after Schrems 1 but SCCs continued to be an acceptable transfer mechanism. While SCCs may not be guaranteed to allow for compliant EU-US transfers, the Privacy Shield has been confirmed as invalid and therefore if organisations are to continue to make EU-US transfers, the SCCs look like the best option currently in play. Organisations are also free to include additional contractual and technical safeguards on top of the SCCs and these should be considered where possible.

We expect further guidance to be issued by regulators (the ICO in the UK and the European Data Protection Board) in due course. Until then we recommend identifying all EU-US transfers of personal data in your organisation and taking steps to implement and strengthen SCCs or look for workable EU-based alternatives.

Focus on...

Legal updates

Lloyd v Google – what next?

The Supreme Court’s pending decision could potentially open the floodgates for data privacy litigation going forward.

View

Claims club

Watch our on-demand video for our popular Claims Club where we discussed the risk of data sharing, risks in a changing climate, highway claims and what we can see on the horizon.

View

Legal updates

High Court grants local authority injunction to prevent breach of confidence

This judgment is critical reading for public bodies who need to take action to restrain the use of confidential information in circumstances where that information has been inadvertently disclosed to a third party.

View

Brexit resources

Brexit - now what for data protection law?

UK organisations need to comply with the UK GDPR and continue to be subject to the EU GDPR where EU data is being processed, so there may be two versions of the GDPR to comply with for some personal data processing.

View brexit resources

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Mailing list sign up

Select which mailings you would like to receive from us.

Sign up