Written by Stefanija Rikaloska

Posted on: November 29, 2021

What is Schrems II and how does it affect your international data transfer

On July 16, 2020 the Court of Justice of the European Union [CJEU] issued its judgement in the Data Protection Commissioner vs. Facebook Ireland Limited, Maximilian Schrems (C-311.18) – the Schrems II case.

In this landmark decision, the CJEU declared the European Commission’s Privacy Shield – one of the most widely used primary data transfer mechanisms for the safe and free flow of data between EU and US organizations – invalid with immediate effect on account of invasive US surveillance programmes. Furthermore, the Court stipulated stricter requirements for the transfer of personal data based on Standard Contractual Clauses [SCCs].

The case originated from the activist Maximilian Schrems’ call for the Irish Data Protection Commissioner to invalidate the SCCs that Facebook used for transferring personal data to its headquarters in the US. It was argued that the personal data, both in transit to and when stored in the US, could be accessed by US intelligence agencies. This, according to Schrems, would be in violation of the GDPR and, more broadly, EU law.

The CJEU found that the European Commission’s adequacy determination for Privacy Shield is invalid for two main reasons.

First, the court found that U.S. surveillance programs, which the commission assessed in its Privacy Shield decision, are not limited to what is strictly necessary and proportional as required by EU law and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights.

Second, the court determined that, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.

This has a great impact on companies in the U.S. and well beyond.

The court reaffirmed the validity of SCCs but stated that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, that companies must provide additional safeguards or suspend transfers. The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent protection cannot be ensured.

This is where it gets tricky, particularly in the U.S. context.

In November 2020, the European Data Protection Board released a set of guidelines that give organisations advice on measures they can take to stay compliant when making data transfers. Amongst various recommendations, encryption stands out as a key measure that organisations can use.

With all this to consider, how can your business navigate the challenges arising from Schrems II?

  1. Make an inventory of all non-EU suppliers and sub-suppliers and partners (which involves data transfers outside of the EU/EEA). Review your records of processing that should include this information. Do not forget to investigate the sub-processors of your processors.
  2. Assess the laws of the country you are transferring personal data to.
  3. To be able to transfer data using the SCCs, you should document your risk assessment of the suppliers/recipients of data. Review whether any exceptions to the strict requirements for cross-border transfers apply to you, review the effectiveness of technical controls and, where possible, construct additional safeguards and request those supplements to the SCCs in place.
  4. Review any supplier relationships that involve data transfers to the US. Is the supplier and its solution necessary, or can you change solution and/or supplier?
  5. Public sector customers may require an alternative infrastructure set-up due to the further restrictions on data transfers that apply to public sector classified personal data (as encryption and other technical controls may not be enough, according to case law, to allow for continued use of such a supplier and service).
  6. Evaluate hybrid cloud solutions. Review to what extent your organization can commit to cloud and infrastructure solutions provided by American, global, European and Swedish cloud services suppliers, respectively.
  7. Make plans to engage in prior consultation with the Data Protection Authority to get acceptance of your transfer impact assessment and alternative set-up. 
  8. Update any data processor agreements as applicable, and change processor if your analysis comes to that conclusion.
  9. Update any internal data protection policies to keep your organisation in line with this new situation.
  10. Update your external privacy notices to inform your visitors and customers of how you are meeting your responsibilities as controller/processor.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.
