Schrems II and the Invalidating of Privacy Shield

We want to inform our clients about this recent CJEU ruling that invalidated the Privacy Shield mechanism.

The central question in the Schrems II case was can personal data from the EU be transferred to and stored in the US while guaranteed an adequate level of data protection as that under the GDPR?

Data Protection Commissioner v Facebook Ireland and Maximillian Schrems

The EU Court of Justice (CJEU) delivered on Thursday July 16, 2020 a ruling in the case Schrems II (C-3111/18), in which the mechanisms for personal data transfers between the EU and US was challenged based on the argument that US law cannot adequately ensure protection of EU personal data.

In a landmark decision, the CJEU struck down the Privacy Shield, one of the most widely used mechanisms allowing US commercial companies to transfer and store EU personal data in the US.

The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country without any special access to Europe’s personal data streams.

Next, the CJEU considered the Standard Contractual Clauses (SCCs) valid, another commonly used mechanism for transatlantic data transfers, saying that this mechanism does make it possible in practice to ensure compliance with the level of protection required by EU law.

However, the decision requires data controllers to assess the level of data protection in the data recipient’s country and to suspend transfer if deemed non-adequate. It also underlines the strong obligation of each data protection authority in all EU member states to suspend the transfer of personal data if they deem them unsafe according to EU data protection requirements.​

You can read the official press release on the ruling here.

What is the Schrems II case about?

Named after Austrian lawyer and data privacy activist Max Schrems, the Schrems II case challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework.

The EU’s General Data Protection Regulation (GDPR) requires a country to have an adequate level of data protection before personal data can be transferred to it from the EU. Adequacy decisions made by the EU Commission determine whether personal data can legally be sent to a country outside the EU.

The United States is not recognized by the EU as having an adequate level of data protection, but several transfer mechanisms allow commercial companies and organizations in the US to engage in transfers of personal data from the EU to the US where it is then stored.

These include the Standard Contractual Clauses (SCCs), Privacy Shield and Binding Corporate Rules (BCRs).

Is EU personal data protected adequately after transfer to the US?

The Schrems II case made its way to the CJEU from a request in 2015 by Max Schrems to the Irish Data Protection Commissioner to order Facebook to suspend its data transfers from the EU to the US.

Facebook’s practices of transferring personal data out of the EU via their servers in Ireland to their headquarters in the US relies on the SCCs.

The CJEU ruling in the Schrems II case on July 16, 2020 sided in large part with Max Schrems, invalidating the Privacy Shield as a mechanism for EU-US personal data transfer and imposing strong obligations on data controllers and data protection authorities in each EU member state to ensure adequate protection for personal data transfers when using Standard Contractual Clauses as a mechanism.

How can Vedinor help you?

If you need assistance in implementing this ruling into your business, you can contact us. Call us +358931546648 or schedule a free consultation to discuss your situation further.

Recommended Posts