Schrems 2: Electric Déjà Vu?

17 July 2020

The CJEU gave judgment in the Schrems II case on Thursday 16 July 2020. The case examined the means by which personal data can lawfully be exported to the US from the EU. This article summarises the decision and aims to provide practical guidance for organisations which transfer personal data to the US.

The GDPR contains a general prohibition on transferring personal data outside the EEA unless particular safeguards are in place. Two of the most commonly relied upon safeguards were that transfers to the US could be made to companies certified under Privacy Shield, or that transfers could be made if both parties entered into a contract containing EU-approved Standard Contractual Clauses (SCCs). In the Schrems 2 case, the CJEU considered whether each of these safeguards was fit for purpose. What began as a complaint about Facebook transferring personal data from the EU to the US grew to become a review of the safeguards relied upon by numerous organisations for EU-US transfers.

The CJEU ruled that Privacy Shield is not fit for purpose and is invalid as a mechanism for EU-US transfers, effective immediately. It found that US laws permitting government agencies access to EU citizen personal data invalidated the protections provided by Privacy Shield.

The CJEU also examined the validity of the SCCs. It ruled that the SCCs remain a valid safeguard for transferring personal data outside the EEA; however, it added that the SCCs alone do not guarantee an adequate level of privacy for the personal data. Organisations that wish to export the personal data must review whether the protections included in the SCCs will be effective in the importing country, taking particular account of whether individuals can enforce their data rights and seek effective remedies.

History repeating?

If this is all sounding oddly familiar then don’t worry, you aren’t suffering from electronic data-transfer déjà vu. In essence, this has all happened before, back in 2015. Before Privacy Shield was introduced, transfers to the US could be made under its predecessor, called Safe Harbour. Safe Harbour was ruled invalid by the CJEU in the original Schrems case, mainly due to the mass-surveillance access that US authorities had to the data.

So what can we learn from the fallout from Schrems 1? Well, the regulators initially allowed a grace period (roughly 3 months) for organisations to replace the Safe Harbour mechanism. It took around 9 months for Privacy Shield to appear as a replacement, so the immediate response for many organisations was to implement the SCCs.

What should organisations be doing?

There are question marks over whether the SCCs will be adequate for EU-US transfers given the Schrems 2 ruling. If US agency access was fatal to the use of Privacy Shield, will it also be fatal to the use of the SCCs, now that data exporters must consider whether local law overrides the protections afforded by the SCCs? Similar concerns were raised about the SCCs after Schrems 1, but SCCs continued to be an acceptable transfer mechanism. While SCCs may not be guaranteed to allow for compliant EU-US transfers, the Privacy Shield has been confirmed as invalid, and therefore if organisations are to continue to make EU-US transfers, the SCCs look like the best option currently in play. Organisations are also free to include additional contractual and technical safeguards on top of the SCCs, and these should be considered where possible.

We expect further guidance to be issued by regulators (the ICO in the UK and the European Data Protection Board) in due course. Until then we recommend identifying all EU-US transfers of personal data in your organisation and taking steps to implement and strengthen SCCs or look for workable EU-based alternatives.
