Support Centre

International: Schrems II: What you need to know

The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid, and, whilst, the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), it provided clarity around the considerations that organisations and authorities should bear in mind if utilised as the transfer mechanism of choice. OneTrust DataGuidance is committed to bringing you the latest information and regulatory know-how on what the Judgment could mean, and will be continuing to update this page to bring together all the resources needed.

carloscastilla / Essentials collection / istockphoto.com

This Insight collates the latest links and resources regarding the Schrems II Case to help your business understand and navigate its implications.

Key documents

  • Access the Judgment here
  • Access the CJEU press release here
  • Access the first NOYB statement here
  • FAQs and model requests issued by NOYB here
  • FAQs issued by the European Data Protection Board here

Key resources from OneTrust DataGuidance

EU-EEA DPA comments on Schrems II

Key comments from data protection authorities are summarised or quoted below with links to the original source material.

Access additional coverage here.

DPA On Privacy Shield On SCC On International Transfers Source
EDPB "The Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection as in the EU. This assessment has to be taken into account for any transfer to the U.S." "The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness." "If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of." Press release 17 July 2020 & FAQs 23 July 2020
EDPS "The EDPS trusts that the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court." "The EDPS notes that the Court, while in principle confirming the validity of Standard Contractual Clauses (SCC), provided welcomed clarifications regarding the responsibilities of controllers and European DPAs to take into account the risks linked to the access to personal data by the public authorities of third countries." "The protection of personal data requires actionable rights for everyone, including before independent courts. It is more than a 'European' fundamental right – it is a fundamental right widely recognised around the globe." Statement 17 July 2020
Estonia Suggests data controllers will need to review US transfers, including assessing SCC or alternative mechanisms under GDPR. Emphasises the responsibility of those transferring data to assess whether SCC are able to guarantee adequate protection both now and in the future. Notes that transfers should be suspended and alternative safeguards found in any case where adequate protection cannot be guaranteed. Press release and Guidance, 17 July 2020 (only available in Estonian here and here)
Germany - Berlin Berlin Commissioner, Maja Smoltcyk, suggests data controllers based in Berlin storing personal data in the US to transfer the same to Europe and data should not be transferred to the US until that legal framework is reformed.  Smoltcyk further outlines that the conclusion of SCC likely not to be enough to enable data transfers. Smoltcyk highlights potential similar concerns to be raised in regard to jurisdictions such as China, India, and Russia. Press release 17 July 2020 (only available in German here)
Germany - DSK The DSK states that the CJEU invalidated the Privacy Shield and that data transfers to the USA based on the Privacy Shield are inadmissible based on the CJEU's decision that the US law does not provide protection that is in essence equal to EU law.

SCCs may in principle continue to be used, however they require a preliminary protection assessment and in case of data transfers to the USA SSCs without further protective measures are insufficient.

The DSK noted that data transfers based on the Privacy Shield must cease immediately. Moreover, the DSK held that next to SCCs, the CJEU's findings also have an impact on binding corporate rules ('BCRs') and additional protective measures also need to be taken if the data subject rights are not protected to the same level in a third country.

Statement (only available in German here) 28 July 2020

Germany - Federal The Federal Commissioner, Professor Ulrich Kelber, noted the potential need for particular protective measures for transfers to the US. Kelber emphasised supervisory authorities roles in assessing individual transfers. Kelber generally noted that the decision supports a clearer framework for international transfers. Press release 16 July 2020 (only available in German here)
Germany - Hamburg Decision welcomed, emphasises that US has not fundamentally changed thinking since annulment of Safe Harbor. Suggests SCC are equally unsuitable as Privacy Shield and highlights increased responsibilities of supervisory authorities assessing SCC. Highlights broad impact of decision and questions whether transfers can be permitted to third countries that do not provide adequate protection. Press release 16 July 2020 (only available in German here)
Germany - Rhineland-Palatinate Notes that decision strengthens data subject rights, and emphasises work for organisations to reassess practices. Stresses audit obligations of companies. Highlights importance of whether laws in third countries may contravene European data protection law. Press release 16 July 2020 (only available in German here) and FAQs (only available in German here)
Germany - Thuringia The TLfDI data protection officer, Dr Lutz Hasse, welcomed CJEU decision, highlighting the potential lack of proportionality in US data flow monitoring. Hasse questioned whether SCC will remain viable and how assessments by data exporters and recipients will work. Not applicable. Press release 17 July 2020 (only available in German here)
Ireland "Today’s judgment [...] firmly endors[es] the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States." "in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis." Not applicable. Press release 16 July 2020
Liechtenstein Highlights that alternative mechanisms than Privacy Shield, including SCC, must be used until a new agreement is made with the US. Emphasises that SCC may be used for transfers to the US, and provided minimal further references to assessments. Not applicable. Press release and updated Guidance 17 July 2020 (only available in German here and here)
Netherlands Notes that the European Commission should consider a new regime for transfers to the US. Suggests that, under the CJEU judgment, SCCs remain a valid means for data transfers to the US. Not applicable. Press release 20 July 2020 (only available in Dutch here)
Norway

Highlights concerns raised around US intelligence services and data subject rights.

Notes that it is essentially the responsibility of the data exporter and recipient to assess whether adequate protection under SCC will be respected in recipient jurisdiction. Not applicable. Press release 16 July 2020 (only available in Norwegian here)
Poland Highlights that transfers to US under Privacy Shield should have stopped from the decision's release on 16 July 2020. Emphasises that data controller assessments of SCCs should consider not only contractual provisions but potential access to data from third country authorities. Generally indicates that where there is not a sufficient level of protection within a third country's legislative framework, other means may be available to provide adequate protection. Press release 20 July 2020 (only available in Polish here)
Romania Generally notes CJEU concerns regarding US intelligence services and confidentiality of transferred data. Explicitly identifies that alternative mechanisms for transfers to the US include SCCs, BCRs, and codes of conduct. Not applicable. Press release 20 July 2020 (only available in Romanian here)
Slovenia Emphasises that organisations transferring data to US should find alternative mechanisms. Notes alternative mechanisms for transfers to US under GDPR include SCC and BCR. Not applicable. Press release 16 July 2020 (only available in Slovenian here)
Spain Describes decision as a new turning point for data transfers to the US. Notes the validity of SCC in general terms. Emphasises the need for a harmonised EU approach and consistent application of the decision. Press release 22 July 2020 (only available in Spanish here)
UK [From the UK Government] "disappointed that the EU's adequacy decision for US Privacy Shield has been invalidated" UK Government is "pleased that this important mechanism [SCC] for transferring data internationally remains in place and is considering any further implications that may arise from the judgment in respect of this." "Coronavirus ('COVID-19') has demonstrated the importance of international data transfers. The recent crisis has shown how data transfers keep economies moving and societies functioning" UK Government Press release 17 July 2020

Webinars 

Live reaction to the key landmark decision on the future of international data transfers

We hosted an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact on your business and what the future may hold.

Panelists included:

  • William Long - Partner, Leader of the EU Data Protection Practice, Sidley Austin LLP
  • Caroline Louveaux - Chief Privacy Officer, MasterCard
  • Lee Parker - Director Data Privacy EU+, Biogen
  • Lara Liss - Chief Privacy Officer, Walgreens Boots Alliance
  • Monica Tomczak - Chief Privacy Officer, Prosus, Division of Naspers
  • Alan Raul - Partner, Leader of Privacy and Cybersecurity Practice, Sidley Austin LLP
  • David Longford - Global Offering Manager, OneTrust DataGuidance

Access the webinar here and the Key takeaways here.

Is the US 'Essentially Equivalent' with the EU?: Schrems II Legal Analysis

Join us for a webinar as we react to the ruling and discuss what it means in correlation to privacy programs and other global regulations.

Access the webinar here and the Key takeaways here.