Unlock AI Compliance: Master the new EU AI Act with our comprehensive guide.

Teilen Sie

5 min read

Writen by adm

Posted on: November 29, 2021

What is Schrems II and how does it affect your international data transfer

On July 16, 2020 the Court of Justice of the European Union [CJEU] issued its judgement in the Data Protection Commissioner vs. Facebook Ireland Limited, Maximilian Schrems (C-311.18) – the Schrems II case.

In this landmark decision, the CJEU declared the European Commission’s Privacy Shield – one of the most widely used primary data transfer mechanisms for the safe and free flow data between EU and US organizations – invalid with immediate effect on account of invasive US surveillance programmes. Furthermore, the Court stipulated stricter requirements for the transfer on personal data based on Standard Contractual Clauses [SCCs].

The case originated from the activist Maximilian Schrems’ call for the Irish Data Protection Commissioner to invalidate the SCC for Facebook’s use of transferring personal data to its headquarters in the US. The personal data, both in transit to and when stored in the US, it was argued, could be accessed by US intelligence agencies. This, according to Schrems, would be in violation of the GDPR and, more broadly, EU-law.

The CJEU found that European Commission’s adequacy determination for Privacy Shield is invalid for two main reasons.

First, the court found that U.S. surveillance programs, which the commission assessed in its Privacy Shield decision, are not limited to what is strictly necessary and proportional as required by EU law and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights.

Second, the court determined that, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.

This has a great impact on companies in the U.S. and well beyond.

The court reaffirmed the validity of SCCs but stated that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, that companies must provide additional safeguards or suspend transfers. The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent protection can not be ensured.

This is where it gets tricky, particularly in the U.S. context.

In November 2020, the European Data Protection Board released a set of guidelines that give organisations advice on measures they can take to stay compliant when making data transfers. Amongst various recommendations, encryption stands out as a key measure that organisations can use.

With all this to consider, how can your businesses navigate the challenges arising from Schrems II?

  1. Make an inventory of all non-EU suppliers and sub-suppliers and partners (which involves data transfers outside of the EU/EEA). Review your records of processing that should include this information. Do not forget to investigate the sub-processors of your processors.
  2. Assess the laws of the country you are transferring personal data to.
  3. To be able to use transfer data using the SCC, you should document your risk assessment of the suppliers/recipients of data. Review if there are exceptions to the strict requirements of cross-border transfers for you, review the effectiveness using of technical controls and, where possible, construct additional safeguards and request those supplements to the SCCs in place. 
  4. Review any supplier relationships that involve data transfers to the US, is the supplier and its solution necessary or can you change solution and/or supplier?
  5. Public sector customers may require alternative infrastructure set-up due to the further restrictions of data transfers that apply for public sector classified personal data (as encryption and other technical controls may not enough according to case law to allow for continued use of such supplier and service).
  6. Evaluate hybrid cloud solutions. Review to what extent your organization can commit to cloud and infrastructure solutions provided by American-, global-, European- and Swedish cloud services suppliers, respectively. 
  7. Make plans to engage in prior consultation with the Data Protection Authority to get acceptance of your transfer impact assessment and alternative set-up. 
  8. Update any data processor agreements as applicable, and change processor if your analysis comes to that conclusion.
  9. Update any internal data protection policies to keep your organisation in line with this new situation.
  10. Update your external privacy notices to inform your visitors and customers of how you are meeting your responsibilities as controller/processor.

Kontakt

Ich hoffe, Sie finden dies nützlich. Wenn Sie einen EU-Vertreter benötigen, Fragen zur DSGVO haben oder eine SAR- oder Regulierungsanfrage erhalten haben und Hilfe benötigen, können Sie sich jederzeit an uns wenden. Wir helfen Ihnen immer gerne...
GDPR Lokales Team.

Kontakt

Recent blogs

Navigating the Contradictions: Automated Decision-Making and Regulatory Legislation in AI Systems

The Dilemma of Automated Decision-Making At the heart of AI systems lies the promise of aut

How to Implement the New AI Law in Your Company

The implementation of the AI Act marks a significant stride towards responsible and fair use of art

Article 14 Guide: Meeting Regulatory Requirements for Personal Data Not Directly Obtained from Data Subjects

Imagine a software-as-a-service (SaaS) company looking to grow its clientele by purchasing leads fr

Holen Sie sich jetzt Ihr Konto

Einrichtung in nur wenigen Minuten. Geben Sie Ihre Unternehmensdaten ein und wählen Sie die gewünschten Dienste aus.

Konto erstellen

Kontakt aufnehmen

Sie sind sich nicht sicher, welche Option Sie wählen sollen? Rufen Sie uns an, schicken Sie uns eine E-Mail oder chatten Sie mit uns
.

Kontakt
06 GDPR-INFO

Auf dem Laufenden bleiben

Hinterlassen Sie hier Ihre Daten und wir senden Ihnen Updates und Informationen zu allen Aspekten der DSGVO und des EU-Vertreters. Wir werden Sie nicht mit E-Mails bombardieren und Sie können uns jederzeit auffordern, damit aufzuhören.

Vollständiger Name ist erforderlich!

Eine geschäftliche E-Mail ist erforderlich!

Gesellschaft ist gefragt!

Bitte akzeptieren Sie die Allgemeinen Geschäftsbedingungen und die Datenschutzrichtlinie