
Written by adm

Posted on: November 29, 2021

What is Schrems II and how does it affect your international data transfers?

On July 16, 2020 the Court of Justice of the European Union [CJEU] issued its judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems (C-311/18), known as the Schrems II case.

In this landmark decision, the CJEU declared the European Commission's adequacy decision for the EU-US Privacy Shield – one of the most widely used transfer mechanisms for the free flow of personal data between EU and US organisations – invalid with immediate effect, on account of the reach of US surveillance programmes. The Court also set stricter requirements for transfers of personal data based on Standard Contractual Clauses [SCCs].

The case originated from the privacy activist Maximilian Schrems' complaint asking the Irish Data Protection Commissioner to suspend Facebook Ireland's SCC-based transfers of personal data to its headquarters in the US. The personal data, both in transit to and once stored in the US, could, it was argued, be accessed by US intelligence agencies. This, according to Schrems, was in violation of the GDPR and, more broadly, of EU law.

The CJEU found the European Commission's adequacy decision for Privacy Shield invalid for two main reasons.

First, the Court found that the US surveillance programmes which the Commission had assessed in its Privacy Shield decision are not limited to what is strictly necessary and proportionate, as EU law requires, and therefore do not meet the requirements of Article 52(1) of the EU Charter of Fundamental Rights.

Second, the Court determined that, with regard to US surveillance, EU data subjects lack actionable judicial redress and therefore do not have a right to an effective remedy in the US, as required by Article 47 of the Charter.

This has a significant impact on companies in the US and well beyond.

The Court reaffirmed the validity of SCCs as such, but stated that companies must verify, on a case-by-case basis, whether the law and practice of the recipient country ensure a level of protection for personal data transferred under SCCs that is essentially equivalent to that guaranteed under EU law. Where they do not, companies must put additional safeguards in place or suspend the transfers. The ruling placed the same obligation on EU data protection authorities: they must suspend or prohibit such transfers, case by case, where equivalent protection cannot be ensured.

This is where it gets difficult, particularly in the US context.

In November 2020, the European Data Protection Board published draft guidelines (Recommendations 01/2020 on supplementary measures, finalised in June 2021) advising organisations on the measures they can take to keep transfers compliant. Among the recommended measures, encryption stands out as the key technical one. The caveat that matters in practice is that encryption only counts as an effective supplementary measure if the importer cannot access the data in the clear: the data must be encrypted with a state-of-the-art algorithm before it leaves the EU, and the keys must remain solely under the control of the exporter or of an entity in the EU or in a country with an adequacy decision. Where the recipient needs the data in clear text to provide its service, the EDPB found no technical measure that would make the transfer compliant on its own.

With all this to consider, how can your business navigate the challenges arising from Schrems II?

  1. Make an inventory of all non-EU suppliers, sub-suppliers and partners whose services involve transfers of personal data outside the EU/EEA. Review your records of processing, which should already contain this information. Do not forget to investigate the sub-processors of your processors.
  2. Assess the laws and practices of each country to which you transfer personal data.
  3. To keep transferring data under the SCCs, document your risk assessment (transfer impact assessment) for each supplier or recipient. Check whether any exception to the strict requirements for cross-border transfers applies to you, review the effectiveness of the technical controls in use and, where possible, put additional safeguards in place and request those supplementary measures as additions to the SCCs.
  4. Review every supplier relationship that involves data transfers to the US: is the supplier and its solution necessary, or can you change solution and/or supplier?
  5. Public sector customers may require an alternative infrastructure set-up, because further restrictions apply to transfers of classified public sector personal data (according to case law, encryption and other technical controls may not be enough to allow continued use of such a supplier and service).
  6. Evaluate hybrid cloud solutions. Review to what extent your organisation can commit to cloud and infrastructure solutions provided by American, global, European and Swedish cloud service suppliers, respectively.
  7. Plan for prior consultation with the Data Protection Authority to obtain acceptance of your transfer impact assessment and alternative set-up.
  8. Update any data processing agreements as applicable, and change processor if your analysis comes to that conclusion.
  9. Update your internal data protection policies to keep your organisation in line with this new situation.
  10. Update your external privacy notices to inform your visitors and customers of how you are meeting your responsibilities as controller or processor.

Contact us

We hope you find this useful. If you need an EU representative, have any questions about the GDPR, or have received a SAR or a request from the regulator and need help, contact us at any time. We will be happy to help...
Local GDPR team.
