
Schrems 2: Electric Déjà Vu?

17 July 2020

The CJEU gave judgment in the Schrems II case on Thursday 16 July 2020. The case examined the means by which personal data can lawfully be exported to the US from the EU. This article summarises the decision and aims to provide practical guidance for organisations which transfer personal data to the US.

The GDPR contains a general prohibition on transferring personal data outside the EEA unless particular safeguards are in place. Two of the most commonly relied upon safeguards for transfers to the US are certification of the recipient company under Privacy Shield and a contract between both parties containing EU approved Standard Contractual Clauses (SCCs). In the Schrems 2 case, the CJEU considered whether each of these safeguards was fit for purpose. What began as a complaint about Facebook transferring personal data from the EU to the US grew to become a review of the safeguards relied upon by numerous organisations for EU-US transfers.

The CJEU ruled that Privacy Shield is not fit for purpose and is invalid as a mechanism for EU-US transfers, effective immediately. It found that US laws permitting government agencies access to EU citizen personal data invalidated the protections provided by Privacy Shield.

The CJEU also examined the validity of the SCCs. It ruled that the SCCs remain a valid safeguard for transferring personal data outside the EEA; however, it added that the SCCs alone do not guarantee an adequate level of privacy for the personal data. Organisations that wish to export personal data must review whether the protections included in the SCCs will be effective in the importing country, taking particular account of whether individuals can enforce their data rights and seek effective remedies.

History repeating?

If this is all sounding oddly familiar then don’t worry, you aren’t suffering from electronic data-transfer déjà vu. In essence, this has all happened before, back in 2015. Before Privacy Shield was introduced, transfers to the US could be made under its predecessor, Safe Harbour. Safe Harbour was ruled invalid by the CJEU in the original Schrems case, mainly due to the mass surveillance access that US authorities had to the data.

So what can we learn from the fallout from Schrems 1? Well, the regulators initially allowed a grace period (roughly 3 months) for organisations to replace the Safe Harbour mechanism. It took around 9 months for Privacy Shield to appear as a replacement, so the immediate response for many organisations was to implement the SCCs.

What should organisations be doing?

There are question marks over whether the SCCs will be adequate for EU-US transfers given the Schrems 2 ruling. If US agency access was fatal to the use of Privacy Shield, will it also be fatal to the use of the SCCs, now that data exporters must consider whether local law overrides the protections afforded by the SCCs? Similar concerns were raised about the SCCs after Schrems 1, but the SCCs continued to be an acceptable transfer mechanism. While the SCCs may not be guaranteed to allow for compliant EU-US transfers, Privacy Shield has been confirmed as invalid, so if organisations are to continue to make EU-US transfers, the SCCs look like the best option currently in play. Organisations are also free to include additional contractual and technical safeguards on top of the SCCs, and these should be considered where possible.

We expect further guidance to be issued by regulators (the ICO in the UK and the European Data Protection Board) in due course. Until then we recommend identifying all EU-US transfers of personal data in your organisation and taking steps to implement and strengthen SCCs or look for workable EU-based alternatives.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.
