Support Centre
Schrems II
Back

Schrems II

The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid, and, whilst, the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), it provided clarity around the considerations that organisations and authorities should bear in mind if utilised as the transfer mechanism of choice. OneTrust DataGuidance is committed to bringing you the latest information and regulatory know-how on what the judgment could mean, and will be continuing to update this page to bring together all the resources needed.

How Does OneTrust Help with Schrems II Challenges?

The Schrems II ruling poses a new set of challenges, as organizations must now find alternative transfer mechanisms. But don’t worry, OneTrust is here to help! With our new free Schrems II Solutions, controllers can leverage OneTrust Vendor Risk Management, Vendorpedia Exchange, Data Mapping, and DataGuidance to identify and validate data transfers.

OneTrust’s Schrems II Solutions support organizations operationalize a range of changes, including:

  • OneTrust Data Mapping: Identify data transfers and the mechanisms they rely upon
  • OneTrust Vendor Risk Management: Assess vendors that rely on SCCs with pre-built validation templates and manage contract updates as well as vendor on-boarding and off-boarding
  • OneTrust Vendorpedia Exchange: Leverage pre-completed vendor assessments and chasing services
  • OneTrust DataGuidance Regulatory Research: Stay up to date on the latest Schrems II guidance

Processors can also find the support that they need to operationalize the Schrems II decision. OneTrust Schrems II Solutions help processors implement holistic privacy programs, allowing them to track the relevant guidance and implement compensating controls for GDPR equivalency.

Key documents

  • Access the Judgment here
  • Access the CJEU press release here
  • Access the first NOYB statement here
  • FAQs and model requests issued by NOYB here
  • FAQs issued by the European Data Protection Board here

Key resources from OneTrust DataGuidance

Webinars

Live reaction to the key landmark decision on the future of international data transfers

We hosted an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact on your business and what the future may hold.

Panelists included:

  • William Long - Partner, Leader of the EU Data Protection Practice, Sidley Austin LLP
  • Caroline Louveaux - Chief Privacy Officer, MasterCard
  • Lee Parker - Director Data Privacy EU+, Biogen
  • Lara Liss - Chief Privacy Officer, Walgreens Boots Alliance
  • Monica Tomczak - Chief Privacy Officer, Prosus, Division of Naspers
  • Alan Raul - Partner, Leader of Privacy and Cybersecurity Practice, Sidley Austin LLP
  • David Longford - Global Offering Manager, OneTrust DataGuidance

Access the webinar here and the Key takeaways here.

Is the US 'Essentially Equivalent' with the EU?: Schrems II Legal Analysis

Join us for a webinar as we react to the ruling and discuss what it means in correlation to privacy programs and other global regulations.

Access the webinar here and the Key takeaways here.

Privacy Shield
SCCS
BCRS, OTHER MECHANISMS, GENERAL

This hub is designed to highlight key guidance and practical measures. For more general comments, press releases, and opinions from supervisory authorities on the CJEU Decision see here.

1. EDPB (EU)

The European Data Protection Board ('EDPB') issued an initial press release, frequently asked questions ('FAQs'), and has established a task force for the purposes of developing further guidance as well as a complaints task force.

The initial press release welcomed the CJEU Decision, and highlighted that US-Privacy Shield had been invalidated as well as the responsibilities of exporter and importers in using standard contractual clauses ('SCCs'). These concerns were then elaborated in the FAQs, which provided more detailed guidance while leaving certain practical concerns to be resolved. The task force has since been created and charged with producing guidance to resolve these issues.

Key takeaways:

  • Emphasis on responsibilities of exporters and importers to assess ongoing adequate protection of personal data
  • Other transfer mechanisms, such as binding corporate rules ('BCRs'), should meet the same level of protection
  • Transfers to third countries other than US should also meet the same level of protection
  • Supplementary measures can be used but have yet to be clearly defined
  • FAQs provide a general basis for several scenarios, however, more detailed guidance is expected from the EDPB

 

2. LfDI Baden-Württemberg (Germany)

The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 24 August 2020, its a guide on international data transfers in light of the CJEU Decision, before releasing an updated version of the guide on 7 September 2020 (only available in German here).

The Guide includes both a checklist of steps to take following Schrems II as well as recommended amendments for SCCs. The Guide is particularly notable for providing the first specific supplementary measures to be added to SCCs in the form of these recommended amendments. In addition, LfDI Baden-Württemberg outlined that it's enforcement approach would emphasise whether or not there is a reasonable alternative to transferring data to the US.

Key takeaways:

  • Recommended amendments to SCCs
  • Checklist of steps including assessing third country's legal framework
  • Emphasis on the responsibilities of exporters and importers

 

3. LfDI Rhineland-Palatinate (Germany)

The Rhineland-Palatinate data protection authority ('LfDI Rhineland-Palatinate') issued, on 16 July 2020, a statement ('the Statement') and frequently asked questions ('FAQs') on the CJEU Decision.

In particular, the FAQs highlight that the use of SCCs to transfer data to the US is under review and questions whether any supplementary measures or amendments to SCCs could address concerns related to US security laws (i.e. surveillance laws that enable supervisory authorities to access personal data). The FAQs also emphasise that an assessment can be made as to which US laws may be applicable depending on the type of data transferred and how such an assessment may inform whether SCCs are valid.

The FAQs stress responsibilities for exporters and importers to conduct third country assessments as well as ongoing areas of uncertainty in regard to what the CJEU Decision will mean in practical terms for SCCs and other mechanisms. Where transfers are no longer valid and cannot be legitimised under any of the mechanisms provided for in the GDPR, the FAQs suggest that data should be reclaimed and destroyed.

Key takeaways:

  • Suggests data that has been transferred without a legitimate basis should be reclaimed / destroyed
  • Highlights exporter and importer responsibilities for conducting third party assessments
  • Outlines areas of continued uncertainty

Third Country Assessment

Schrems II - Third Country Assessment

    Applicable Law
  • Human rights law
  • Authority access law
  • Legal bases for access
  • Other limits on access
    Authority Functions
  • Authorities
  • Oversight mechanisms
  • Legal remedies data subjects
  • Legal remedies organisations
    title
  • Overseas subjects
  • International commitments
  • Further information
  • Australia - Federal
  • Brazil
  • China
  • India
  • Mexico
  • Russian Federation
  • UK
  • USA Federal

To view this Comparison and more, request your free 7-day trial of the full OneTrust DataGuidance platform

Try Free

Mechanisms for Data Transfers under the GDPR:

The European Commission describes adequacy decisions as follows:

'The European Commission has the power to determine, on the basis of Article 45 of General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves:

  • a proposal from the European Commission;
  • an opinion of the European Data Protection Board;
  • an approval from representatives of EU countries; and
  • the adoption of the decision by the European Commission.

At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the regulation.

The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.'

The following jurisdictions have thus far been recognised as providing adequate protection for personal data (i.e. are party to an adequacy decision):

  • Andorra
  • Argentina
  • Canada (commercial organisations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan (private sector)
  • Jersey
  • New Zealand
  • Switzerland (under review)
  • Uruguay

Adequacy talks with South Korea are also currently ongoing.

For further information see the EU Adequacy Tab in the Data Transfers Portal.

Appropriate safeguards include standard contractual clauses ('SCCs') adopted by the Commission and SCCs adopted by a supervisory authority and approved by the Commission (Article 46(2)(c) and (d) of the GDPR). These SCCs may be included in a contract with another party as a means of providing protection for personal data. While the CJEU Decision ruled that SCCs were valid, it also noted that they do not on their own necessarily provide an adequate level of protection. This means that an assessment of the transfer should be made and that supplementary measures may need to be utilised alongside standard SCCs in order to ensure there is adequate ongoing protection.

The assessment is the responsibility of the exporter and importer and should determine whether the third country provides adequate protection. Since the CJEU Decision emphasised surveillance laws and public authority access to personal data in the US, guidance on assessments has tended to similarly highlight public authority access to data. Supplementary measures may involve amendments to the standard SCCs, or technical/organisational security measures such as encryption, however further guidance on this matter is expected from the EDPB and supervisory authorities.

Prior to the CJEU Decision, the Commission issued the following decisions on EU controller to non-EU or EEA controller and EU controller to non-EU or EEA processor SCCs:

The Commission outlined, in its Communication to the European Parliament and the Council of the European Union on Data Protection as a Pillar of Citizens' Empowerment and the EU's Approach to the Digital Transition - Two Years of Application of the GDPR, that it had been working on SCCs between controllers and processors, building on the ongoing work on the modernisation of the SCCs for international transfers.

It is expected that supervisory authorities will issue guidance on SCCs in the short to medium term.

Binding corporate rules ('BCRs') are considered an appropriate safeguard under Article 46 of the GDPR.

BCRs are approved by the competent supervisory authority in accordance with the consistency mechanism set out in Article 63 of the GDPR, provided that they (Article 47(1) of the GDPR):

  • are legally binding and apply to and are enforced by every member concerned in the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;
  • expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and
  • fulfil the requirements laid down in Article 47(2) of the GDPR.

Processes for approving BCRs can be time consuming, however they have proved to be a popular mechanism for large multinational organisations and are becoming more common around the world.

Article 47(2) of the GDPR establishes information a BCR must specify, see EU - GDPR - Data Transfers.

The CJEU Decision, however, impacts BCRs in a similar manner to SCCs. BCRs are required to meet the same threshold for the ongoing adequate protection of personal data as SCCs. Therefore, the EDPB has noted that jurisdiction assessments and supplementary measures may be required for BCRs in the same fashion as they are for SCCs.

For further general BCR information see the following procedural documents endorsed by the EDPB:

The Commission provides an overview list of certain companies for which the EU BCR cooperation procedures is closed, last updated on 25 May 2018, and the EDPB provides a register of selected BCRs since 2019.

Article 40 of the GDPR sets out provisions for codes of conduct. Codes of conduct are voluntary tools developed by associations or other representative bodies that cover certain data protection issues and tend to apply within sectors. International data transfers is one of the topics that a code of conduct as recognised under the GDPR can cover. Codes of conduct must be approved by a supervisory authority, and supervisory authorities are also tasked with generally encouraging the use of codes of conduct.

There are several requirements for the information contained in a code of conduct, including that a mechnism is established for monitoring compliance. Article 41 of the GDPR details how a body may be accredited by a supervisory authority to monitor compliance with a code conduct. Organisations do not need to be subject to the GDPR in order to be an adherent to a code of conduct.

A code of conduct for international data transfers will need to ensure that relevant provisions on cross-border transfers, such as ongoing adequate protection of personal data, are complied with. Similarly to BCRs, the CJEU Decision impacts codes of conduct used for cross-border transfers as it sets a new threshold for what should be considered in assessing adequate protection.

For further information on codes of conduct, see the General Data Protection Regulation Portal.

Article 42 of the GDPR establishes processes for certification. Certification functions in a similar manner to codes of conduct, in that it too is a voluntary system that is monitored or regulated through an accredited body and is used by organisations as a means of demonstrating compliance. Article 43 of the GDPR sets out provisions for accreditation of certification bodies. Certification must be renewed at least every 3 years, and all certification mechanisms and data protection seals and marks are collected in a register by the European Data Protection Board ('EDPB'). Supervisory authorities within Member States as well as the EDPB have been steadily issuing guidance, opionions, and decisions on certification (see here).

Similarly to BCRs and codes of conduct, the CJEU Decision impacts certification mechanisms by setting a new threshold for cross-border data transfers.

For further information on certification mechanisms see:

Article 49 of the GDPR establishes that in the absence of an adequacy decision, or of appropriate safeguards pursuant to Article 46, including BCRs, SCCs, codes of conduct or certification, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; 
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; 
  • the transfer is necessary for important reasons of public interest; 
  • the transfer is necessary for the establishment, exercise or defence of legal claims; 
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. 

The EDPB has noted that, 'derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. Due to this fact and in accordance with the principles inherent in European law, the derogations must be interpreted restrictively so that the exception does not become the rule.'

The EDPB also stresses that the derogations under Article 49 are for specific situations and should be 'occasional' and 'not repetitive'. As such, Article 49 derogations should not be utilised as a mechanism for recurring international data transfers.

In regard to consent, the EDPB has further specified that consent must be:

In relation to other derogations, the EDPB emphasises the importance of a 'necessity test' and the complexities of assessing whether a transfer can be considered necessary. In general terms, the EDPB strongly encourages the use of other mechanisms than Article 49 derogations wherever possible.

Following the CJEU Decision, several EU Member State supervisory authorities noted that transfers to the US, or to other third countries deemed not to provide adequate protection, were still possible under Article 49 derogations, at least on a temporary basis. However, these authorities also tend to note that Article 49 should not be relied upon for repeating or regular transfers.

For further information on Article 49, see the EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679.