The EU Court's Schrems II judgment ruled Privacy Shield to be invalid in July 2020. As Privacy Shield was one of the most commonly used safeguards for personal data transfers outside EU/EEA, organizations need to figure out a new GDPR safeguard to cover such transfers.
Background to the judgment
- European organizations transferring personal data outside the EU/EEA need a GDPR-prescribed safeguard for the transfer.
- Two of the most commonly used safeguards are Privacy Shield and Standard Contractual Clauses (SCCs).
- The Schrems II judgment concerns the validity of these two safeguards.
- Privacy Shield is a framework solely for US companies, whereas the SCCs can be used to cover transfers of data anywhere outside the EU/EEA.
Schrems II judgment rules out the Privacy Shield
The EU Court ruled Privacy Shield to be invalid on the grounds that it did not provide adequate protection of data subjects' rights. This part of the judgment is clear: if you are using Privacy Shield to cover your data transfers, you need to replace it with another GDPR-compliant safeguard.
If you are using the Standard Contractual Clauses, the judgment gives you a bit more food for thought. While the SCCs remain valid in principle, the Court states that the exporting organization must assess whether data subjects' rights are adequately protected in the transfer. Adequate protection means, roughly, a level of protection essentially equivalent to that in the EU. This assessment should cover the recipient country's legal system, in particular the access that public authorities of that country have to the transferred data.
If the exporting organization is of the opinion that the country does not provide an essentially equivalent level of protection, it should consider putting in place additional measures to ensure the protection of data subjects' rights. The European Data Protection Board (EDPB) is currently looking into what these additional measures could be.
What can I do?
While waiting for further guidance from Europe, you can, and should:
Check whether your organization is transferring personal data outside the EU/EEA.
Typical situations where personal data is transferred:
- Use of cloud services. Services built on components provided by large US service providers typically involve transferring personal data outside the EU/EEA.
- Intra-group data processing. Centralized IT systems in global organizations typically require transfers of, for example, HR or customer data.
Check which transfer safeguard is being used.
- If a transfer is covered only by the Privacy Shield, it needs to be replaced with another GDPR safeguard. Contact your service provider to enquire what measures they have taken to replace the Privacy Shield.
- If SCCs are used, you should assess whether data subjects' rights are adequately protected in the transfer. This assessment needs to cover both the legal access that the recipient country's authorities have to the data and the protection offered by the standard contractual clauses. Contact your service provider to enquire whether they have already made such an assessment.
Does your company have the detection capabilities and processes needed to respond to a data breach and report it? Check our whitepaper, GDPR and reporting obligation in data security breach.