On Thursday, July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems II case, which invalidated the EU-US Privacy Shield and validated the use of Standard Contractual Clauses under the General Data Protection Regulation (GDPR). The decision has wide applicability beyond the more than 5000 businesses that relied on Privacy Shield, with implications for any US business engaging in cross-border data transfers of personal information involving the European Union.
Schrems II Privacy Decision Overview
The dispute was commenced by Maximilian Schrems, an Austrian national living in Austria, who filed suit requesting that Facebook Ireland be prohibited from transferring his personal data to the United States on the grounds that the laws and practices in the US did not ensure adequate protection of personal data against the surveillance activities in which public authorities engaged. The case ultimately was referred to the CJEU for a preliminary ruling, which was published last week.
- The CJEU ruled that the adequacy of the protection afforded by the US Privacy Shield is invalid.
- The court validated use of Standard Contractual Clauses, with additional discussion about the responsibilities of businesses acting as data exporters to assess and meet the standards set by EU laws for their international data transfers.
- The decision makes clear that businesses bear the burden of conducting the relevant legal and factual analyses related to the use of SCCs for their international data transfers.
Which Businesses will be Impacted:
The decision has broad applicability not limited to organizations in the European Union, including:
- US businesses that engage in data transfers from the EU subject to GDPR
- Businesses located outside the EU that have affiliates in, or do business in, the EU
The International Association of Privacy Professionals has established a page tracking DPA and Government guidance following the Schrems II ruling. The Information Commissioner’s Office in the UK posted a note on its International Transfers of Data Guidance page indicating that it is reviewing the Privacy Shield and SCCs guidance in the wake of the ruling, and that companies currently using Privacy Shield should continue to do so until new guidance becomes available, but should not start using Privacy Shield during this period.
Other official reactions to the decision are developing. The European Data Protection Board adopted an official statement welcoming the CJEU judgment, which it described as highlighting the “fundamental right to privacy in the context of the transfer of personal data to third countries” and stating that
“the EU and the U.S. should achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the U.S. is essentially equivalent to that guaranteed within the EU, in line with the judgment.”
US Secretary of State Mike Pompeo indicated that he was “deeply disappointed” in the ruling. US Secretary of Commerce Wilbur Ross also expressed the deep disappointment of the US Department of Commerce that the EU appears to have invalidated the European Commission’s adequacy decision underlying the Privacy Shield, and that the Department of Commerce is “still studying the decision to fully understand its practical impacts.” The UK government indicated its disappointment that the US Privacy Shield was invalidated and that it is working with the UK ICO to provide updated guidance.
Impact of the Schrems II Decision for Businesses
The decision complicates the landscape for international transfers of personal information subject to the GDPR, particularly for businesses operating in countries not having an adequacy decision. Guidance from the various relevant government authorities is currently pending, and the compliance burden post-Schrems II may be significant.
For businesses that have relied on the Privacy Shield, the decision has immediate impact. It would be prudent for organizations to explore alternatives to the Privacy Shield in the wake of Schrems II, such as Standard Contractual Clauses and/or Binding Corporate Rules. Businesses also should prepare for the possibility of having to implement updates to their existing agreements using Standard Contractual Clauses if and when the new versions become available from the relevant authorities.
- Find the Court of Justice of the European Union (CJEU) Official Decision Press release here
- The International Association of Privacy Professionals
  - See their page tracking DPA and Government guidance here
- UK Information Commissioner’s Office
  - Find updates on its review of Privacy Shield and guidance for business currently using it here
- A strategic advisor knowledgeable in privacy
  - Consider a consultation with a strategic partner versed in privacy who can advise your business on the significant and evolving impacts of this decision
We’re Here for You
We understand that this is a challenging time for the thousands of businesses impacted by this sweeping decision, and we will continue to monitor and provide updates as the situation develops and guidance becomes available. To discuss how your business can understand and most advantageously respond to this important ruling, contact Nemphos Braue’s resident privacy lead, Erik M Feig, CIPP-E, CIPM, or reach out to him directly at 410-321-9470.