The European Court of Justice issued the Schrems II judgment on July 16, 2020, with significant implications for the use of US cloud services. Customers of US cloud service providers must now independently verify the recipient country's data protection laws, document their risk assessment, and consult with their own customers. This article explains what the Schrems II decision means for your company. New resources for your Transfer Impact Assessment have been added.
Background of Schrems II
The case arose from activist Maximilian Schrems' request that the Irish Data Protection Commissioner invalidate the Standard Contractual Clauses (SCC) that Facebook relied on to transfer personal data to its headquarters in the United States. It was argued that personal data could be accessed by US intelligence agencies both in transit to and while stored in the US. According to Schrems, this would violate the GDPR and, more broadly, EU law.
The GDPR's main rule is that transfers outside the EU and EEA are prohibited unless an adequate safeguard is used. First and foremost, there are the EU Commission's adequacy decisions, in which the EU Commission concludes, after a thorough evaluation of national laws, that a country's data protection laws are essentially equivalent to the GDPR. Prior to Schrems II, the other mechanisms for lawful transfers outside the EU/EEA were the Privacy Shield, the EU Standard Contractual Clauses, and Binding Corporate Rules. The derogations in Article 49 also provide exemptions from the general principle that a recipient country must have an adequate level of protection.
Privacy Shield invalidated due to shortcomings in US laws
Several flaws in US laws impeded personal data protection and violated the GDPR. In essence, the Court emphasized the broad surveillance capabilities provided by US national security laws (specifically, US Foreign Intelligence Surveillance Act (FISA) Section 702, Executive Order 12333, and Presidential Policy Directive 28). These laws govern US authorities' access to and use of personal data imported from the EU into the US, but they lack the safeguards necessary to adequately protect EU data subjects who may become the subject of national security investigations.
In particular, the Court determined that data subject rights were not actionable in court against US authorities. The Privacy Shield had provided a safeguard in the form of an Ombudsman. Nonetheless, that role lacked the authority to make decisions binding on US intelligence services.
Further complications using SCC for US services
Keep in mind that this ruling has little impact on most companies that use the SCC to legitimize cross-border data transfers made via their own non-US communications systems.
For any US transfers, assess whether the recipient organization is subject to FISA section 702 and Executive Order 12333, which typically apply when the recipient is a communication service provider.
Add additional safeguards to the SCCs (referred to as SCCs plus), in which the exporter and importer regulate any remaining risks associated with the data transfer. For US transfers, it will be critical to include in the agreement, for example, how government requests for access to personal data must be handled, so that your organization retains adequate control. Technical controls limiting the use of the data could also be implemented.
Will there be a grace period for the Schrems II judgment?
The Privacy Shield's invalidity was immediate. The Privacy Shield was null and void as of July 16, 2020, and should not be used. Currently (November 23, 2020), there is no proactive enforcement from regulators. Regulators appear to be taking a conservative approach, allowing organizations to adapt their processes and infrastructure. The guidance from the EU Commission and the European Data Protection Board on how to act after Schrems II is especially anticipated, as it will provide more clarity.
Notably, the activist group behind this decision (noyb) sued 101 European companies (including market-leading Nordic and Swedish companies) in the autumn, seeking enforcement action over their use of Google Analytics and Facebook Connect integrations on their websites.
Can we continue to use Binding Corporate Rules to transfer data to the United States?
The Schrems II decision may also have an impact on transfers based on binding corporate rules (BCR). The legislation of the recipient country outside the EU/EEA must be examined to determine whether it provides privacy protection equivalent to the GDPR.
It is the responsibility of the organization exporting data to the United States or another third country to carry out a Transfer Risk Assessment. Such an assessment documents the data flow, the supplier's access to the data, the recipient country's legislation, whether additional safeguards to the SCCs apply, and alternatives to the supplier.
When national supervisory authorities approve binding corporate rules, the BCRs are reviewed to ensure that they meet the GDPR requirements. The BCRs outline how a specific company group adheres to fundamental data protection principles such as purpose limitation, data minimisation, data subjects' rights, and complaint handling. It is the responsibility of the company group to ensure that national legislation in the recipient countries complies with the GDPR.
The approval of a national supervisory authority does not imply that all transfers will be approved automatically. The national supervisory authority does not assess whether the recipient country's legislation complies with the GDPR's requirements.
Sofie Meyer
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.