On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered a groundbreaking ruling in the case known as Schrems II. This decision has profound implications for data transfers between the European Union and the United States. Below is an overview of the key points and implications of this ruling:
Key Points of the Schrems II Ruling
- Invalidation of the Privacy Shield Framework
- The CJEU invalidated the EU-US Privacy Shield, a widely used mechanism for transatlantic data transfers.
- The court ruled that the Privacy Shield does not provide adequate protection for EU citizens’ data under EU law, primarily due to concerns about US surveillance practices.
- Standard Contractual Clauses (SCCs) Remain Valid
- Unlike the Privacy Shield, SCCs were upheld as a valid mechanism for data transfers.
- However, the court emphasized that companies must ensure that data protections are equivalent to those in the EU when using SCCs.
- Increased Obligations for Data Exporters
- Companies exporting data to third countries using SCCs must conduct a case-by-case analysis.
- Data exporters must verify that the recipient country’s laws do not undermine the effectiveness of the SCCs’ protections.
- Role of Data Protection Authorities (DPAs)
- DPAs are required to suspend or prohibit data transfers if they believe SCCs cannot ensure adequate protection.
- This ruling empowers DPAs to take a more active role in overseeing data transfers to third countries.
- Impact on US Surveillance Laws
- The court expressed concerns about US surveillance laws, particularly Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.
- These laws were found to lack sufficient safeguards to protect the personal data of EU citizens.
Implications for Businesses
- Immediate Reassessment of Data Transfer Mechanisms
- Businesses that relied on the Privacy Shield must now find alternative mechanisms to transfer data legally.
- Many companies will need to adopt SCCs or other approved methods.
- Enhanced Due Diligence Requirements
- Companies using SCCs must thoroughly assess the legal landscape of the data recipient country.
- This includes evaluating whether local laws might conflict with SCC protections and potentially halting transfers if they do.
- Potential for Increased Regulatory Scrutiny
- DPAs across the EU are expected to increase scrutiny of data transfers to the US and other third countries.
- Businesses must be prepared for potential audits and enforcement actions.
- Heightened Legal Uncertainty
- The ruling introduces significant legal uncertainty for businesses engaged in international data transfers.
- Companies must stay informed about ongoing regulatory developments and potential new frameworks.
- Urgency for New Data Transfer Solutions
- The invalidation of the Privacy Shield underscores the need for new, robust data transfer solutions that comply with EU privacy standards.
- Policymakers on both sides of the Atlantic may need to negotiate a successor to the Privacy Shield.
So What Happens Now After Schrems 2?
The Schrems II ruling represents a pivotal moment in the landscape of international data transfers. Companies must swiftly adapt to the new legal requirements and ensure robust data protection measures are in place. As the regulatory environment evolves, staying informed and compliant will be crucial for businesses operating across borders.
Update: As of the IAPP conference they had a panel of DPF personnel and they said to date they have not had any fines for non-compliance.