
Schrems 2: Electric Déjà Vu?

17 July 2020

The CJEU gave judgment in the Schrems II case on Thursday 16 July 2020. The case examined the means by which personal data can lawfully be exported to the US from the EU. This article summarises the decision and aims to provide practical guidance for organisations which transfer personal data to the US.

The GDPR contains a general prohibition on transferring personal data outside the EEA unless particular safeguards are in place. Two of the most commonly relied upon safeguards for EU-US transfers were (1) transferring to a US company certified under Privacy Shield, and (2) transferring under a contract between the parties that contained the EU-approved Standard Contractual Clauses (SCCs). In the Schrems 2 case, the CJEU considered whether each of these safeguards was fit for purpose. What began as a complaint about Facebook transferring personal data from the EU to the US grew to become a review of the safeguards relied upon by numerous organisations for EU-US transfers.

The CJEU ruled that Privacy Shield is not fit for purpose and is invalid as a mechanism for EU-US transfers, effective immediately. It found that US laws permitting government agencies access to EU citizen personal data invalidated the protections provided by Privacy Shield.

The CJEU also examined the validity of the SCCs. It ruled that the SCCs remain a valid safeguard for transferring personal data outside the EEA, however, it added that the SCCs alone do not guarantee an adequate level of privacy for the personal data. Organisations who wish to export the personal data must review whether the protections included in the SCCs will be effective in the importing country, taking particular account of whether individuals can enforce their data rights and seek effective remedies.

History repeating?

If this is all sounding oddly familiar then don’t worry, you aren’t suffering from electronic data-transfer déjà vu. In essence, this has all happened before, back in 2015. Before Privacy Shield was introduced, transfers to the US could be made under its predecessor, called Safe Harbour. Safe Harbour was ruled invalid by the CJEU in the original Schrems case, mainly because of the access to the data that US authorities had for the purposes of mass surveillance.

So what can we learn from the fallout from Schrems 1? Well, the regulators initially allowed a grace period (roughly 3 months) for organisations to replace the Safe Harbour mechanism. It took around 9 months for Privacy Shield to appear as a replacement, so the immediate response for many organisations was to implement the SCCs.

What should organisations be doing?

There are question marks over whether the SCCs will be adequate for EU-US transfers given the Schrems 2 ruling. If US agency access was fatal to the use of Privacy Shield, will it also be fatal to the use of the SCCs now that data exporters must consider whether local law overrides the protections afforded by the SCCs? Similar concerns were raised about the SCCs after Schrems 1, but the SCCs continued to be an acceptable transfer mechanism. While the SCCs are not guaranteed to allow for compliant EU-US transfers, Privacy Shield has been confirmed as invalid, and therefore if organisations are to continue to make EU-US transfers, the SCCs look like the best option currently in play. Organisations are also free to include additional contractual and technical safeguards on top of the SCCs, and these should be considered where possible.

We expect further guidance to be issued by regulators (the ICO in the UK and the European Data Protection Board) in due course. Until then we recommend identifying all EU-US transfers of personal data in your organisation and taking steps to implement and strengthen the SCCs, or looking for workable EU-based alternatives.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.
