International: Schrems II: What you need to know
The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the CJEU declared the European Commission's EU-US Privacy Shield Decision invalid, and, whilst, the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), it provided clarity around the considerations that organisations and authorities should bear in mind if utilised as the transfer mechanism of choice. OneTrust DataGuidance is committed to bringing you the latest information and regulatory know-how on what the Judgment could mean, and will be continuing to update this page to bring together all the resources needed.
This Insight collates the latest links and resources regarding the Schrems II Case to help your business understand and navigate its implications.
- Access the Judgment here
- Access the CJEU press release here
- Access the first NOYB statement here
- FAQs and model requests issued by NOYB here
- FAQs issued by the European Data Protection Board here
- European Commission and U.S. Department of Commerce joint statement on new enhanced Privacy Shield here and here
- FAQs issued by the Interactive Advertising Bureau ('IAB') Europe here
- EDPB forms Schrems II complaints and guidance taskforces here
- FDPIC finds Swiss-US Privacy Shield inadequate here
- Council of Europe Chair and Data Protection Commissioner issue joint statement and discuss relevance of Convention 108+ for assessments here
- Guide by the LfDI Baden-Württemberg here
- DoC Deputy Assistant Secretary statement and white paper on Schrems II here
- EDPS strategy for EU institutions to comply with Schrems II here
- NOYB statement updating on 101 complaints and welcoming EDPB task force here
- French Conseil d'Etat rules that Health Data Hub should not be suspended here
- EDPS newsletter on data transfers to third countries here
- EDPB recommendations on surveillance here
- EDPB recommendations on supplementary transfer measures here
Key resources from OneTrust DataGuidance
- Schrems II FAQs designed to provide answers and key resources following the judgment
- For further jurisdiction-specific resources and Guidance Notes on data transfers, access our Data Transfers Comparison
- Access our news coverage here
- Access our webinar and key takeaways from the Advocate General's opinion in the Schrems II Case here
- Eduardo Ustaran, Partner at Hogan Lovells, provides his thoughts in this article, 'Choppy waters'
- Dr. Carlo Piltz, Partner at reuschlaw Legal Consultants, analyses considerations for organisations in this article, 'What will companies have to consider in future when transferring data internationally?'
- Odia Kagan, Partner at Fox Rothschild LLP, looks at what Schrems II means for exporters and importers of personal data from the EU to third countries
David S. Greber, Principal at Offit Kurman, P.A., examines the impact for US organisations in this article, 'Privacy earthquake - GDPR compliance for US companies post-Schrems II'
Claire François, Counsel at Hunton Andrews Kurth LLP, discusses 'Practical steps post-Schrems II - Reconciling theory with reality'
Dr. Carlo Plitz and Philipp Quiel, Partner and Senior Associate respectively at reuschlaw Legal Consultants, clarifies 'Schrems II: Post-Schrems II guidance on data transfers from the LfDI Baden-Württemberg'
Alec Christie and Andrea Mitchell, Partner and Senior Associate respectively at Mills Oakley, addresses Australia: Schrems II and the challenges for equivalence under the GDPR
Tim Bell, Founder and Managering Director of DataRep, analyses impact on the EU Data Protection Representative role in International: GDPR, Brexit, Schrems II, and the Representative - why tthey impact companies outside and inside the UK
Odia Kagan outlines potential solutions to hosting health data in the US in France: Conseil d'Etat decision on Health Data Hub
Dalit Ben-Israel and Efrat Artzi, Partner and Senior Associate respectively at Naschitz, Brandes, Amir & Co., highlight changes to data transfer requirements in the State of Israel in Schrems II: The Israeli perspective
EU-EEA DPA comments on Schrems II
Key comments from data protection authorities are summarised or quoted below with links to the original source material.
Access additional coverage here.
|DPA||On Privacy Shield||On SCC||On International Transfers||Source|
|EDPB||"The Court has invalidated the Privacy Shield Decision without maintaining its effects, because the U.S. law assessed by the Court does not provide an essentially equivalent level of protection as in the EU. This assessment has to be taken into account for any transfer to the U.S."||"The Court highlighted that it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice. If this is not the case, you should assess whether you can provide supplementary measures to ensure an essentially equivalent level of protection as provided in the EEA, and if the law of the third country will not impinge on these supplementary measures so as to prevent their effectiveness."||"If the result of this assessment is that the country of the importer does not provide an essentially equivalent level of protection, the exporter may have to consider putting in place additional measures to those included in the SCCs. The EDPB is looking further into what these additional measures could consist of."||Press release 17 July 2020 & FAQs 23 July 2020|
|EDPS||"The EDPS trusts that the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court."||"The EDPS notes that the Court, while in principle confirming the validity of Standard Contractual Clauses (SCC), provided welcomed clarifications regarding the responsibilities of controllers and European DPAs to take into account the risks linked to the access to personal data by the public authorities of third countries."||"The protection of personal data requires actionable rights for everyone, including before independent courts. It is more than a 'European' fundamental right – it is a fundamental right widely recognised around the globe."||Statement 17 July 2020|
|Estonia||Suggests data controllers will need to review US transfers, including assessing SCC or alternative mechanisms under GDPR.||Emphasises the responsibility of those transferring data to assess whether SCC are able to guarantee adequate protection both now and in the future.||Notes that transfers should be suspended and alternative safeguards found in any case where adequate protection cannot be guaranteed.||Press release and Guidance, 17 July 2020 (only available in Estonian here and here)|
|Germany - Baden-Württemberg||Notes that the judgment affects all public bodies or companies transferring data to the US, especially if they previously based transfers on the Privacy Shield. Continuing transfers may result in fines and compensation for damages.||Recommends data controllers contact the recipients of data in regard to amendments to SCCs, which include Annex Clause 4(f), Annex Clause 5(d)(i), Annex Clause 5(d), and Annex Clause 5(d).||Includes checklist for companies to ensure data transfers comply with the judgment in relation to, among others, checking if SCCs approved by the Commission can be used and verifying that SCCs are in use.||Press releases and Guide, 24 August 2020 (only available in German here, here and here)|
|Germany - Berlin||Berlin Commissioner, Maja Smoltcyk, suggests data controllers based in Berlin storing personal data in the US to transfer the same to Europe and data should not be transferred to the US until that legal framework is reformed.||Smoltcyk further outlines that the conclusion of SCC likely not to be enough to enable data transfers.||Smoltcyk highlights potential similar concerns to be raised in regard to jurisdictions such as China, India, and Russia.||Press release 17 July 2020 (only available in German here)|
|Germany - DSK||The DSK states that the CJEU invalidated the Privacy Shield and that data transfers to the USA based on the Privacy Shield are inadmissible based on the CJEU's decision that the US law does not provide protection that is in essence equal to EU law.||
SCCs may in principle continue to be used, however they require a preliminary protection assessment and in case of data transfers to the USA SSCs without further protective measures are insufficient.
The DSK noted that data transfers based on the Privacy Shield must cease immediately. Moreover, the DSK held that next to SCCs, the CJEU's findings also have an impact on binding corporate rules ('BCRs') and additional protective measures also need to be taken if the data subject rights are not protected to the same level in a third country.
Statement (only available in German here) 28 July 2020
|Germany - Federal||The Federal Commissioner, Professor Ulrich Kelber, noted the potential need for particular protective measures for transfers to the US.||Kelber emphasised supervisory authorities roles in assessing individual transfers.||Kelber generally noted that the decision supports a clearer framework for international transfers.||Press release 16 July 2020 (only available in German here)|
|Germany - Hamburg||Decision welcomed, emphasises that US has not fundamentally changed thinking since annulment of Safe Harbor.||Suggests SCC are equally unsuitable as Privacy Shield and highlights increased responsibilities of supervisory authorities assessing SCC.||Highlights broad impact of decision and questions whether transfers can be permitted to third countries that do not provide adequate protection.||Press release 16 July 2020 (only available in German here)|
|Germany - Rhineland-Palatinate||Notes that decision strengthens data subject rights, and emphasises work for organisations to reassess practices.||Stresses audit obligations of companies.||Highlights importance of whether laws in third countries may contravene European data protection law.||Press release 16 July 2020 (only available in German here) and FAQs (only available in German here)|
|Germany - Thuringia||The TLfDI data protection officer, Dr Lutz Hasse, welcomed CJEU decision, highlighting the potential lack of proportionality in US data flow monitoring.||Hasse questioned whether SCC will remain viable and how assessments by data exporters and recipients will work.||Not applicable.||Press release 17 July 2020 (only available in German here)|
|Ireland||"Today’s judgment [...] firmly endors[es] the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States."||"in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis."||Not applicable.||Press release 16 July 2020|
|Italy||Highlights that the Privacy Shield has been invalidated.||Notes that SCCs remain valid.||Not applicable.||Press release (only available in Italian here)|
|Liechtenstein||Highlights that alternative mechanisms than Privacy Shield, including SCC, must be used until a new agreement is made with the US.||Emphasises that SCC may be used for transfers to the US, and provided minimal further references to assessments.||Not applicable.||Press release and updated Guidance 17 July 2020 (only available in German here and here)|
|Netherlands||Notes that the European Commission should consider a new regime for transfers to the US.||Suggests that, under the CJEU judgment, SCCs remain a valid means for data transfers to the US.||Not applicable.||Press release 20 July 2020 (only available in Dutch here)|
Highlights concerns raised around US intelligence services and data subject rights.
|Notes that it is essentially the responsibility of the data exporter and recipient to assess whether adequate protection under SCC will be respected in recipient jurisdiction.||Not applicable.||Press release 16 July 2020 (only available in Norwegian here)|
|Poland||Highlights that transfers to US under Privacy Shield should have stopped from the decision's release on 16 July 2020.||Emphasises that data controller assessments of SCCs should consider not only contractual provisions but potential access to data from third country authorities.||Generally indicates that where there is not a sufficient level of protection within a third country's legislative framework, other means may be available to provide adequate protection.||Press release 20 July 2020 (only available in Polish here)|
|Romania||Generally notes CJEU concerns regarding US intelligence services and confidentiality of transferred data.||Explicitly identifies that alternative mechanisms for transfers to the US include SCCs, BCRs, and codes of conduct.||Not applicable.||Press release 20 July 2020 (only available in Romanian here)|
|Serbia||Highlights that transfers made using Privacy Shield framework are now illegal.||Not applicable.||Generally notes that controllers and processors who relied on the Privacy Shield framework need to find alternative mechanisms for the transfer of data.||
Press release 11 August 2020 (only available in Serbian here)
|Slovenia||Emphasises that organisations transferring data to US should find alternative mechanisms.||Notes alternative mechanisms for transfers to US under GDPR include SCC and BCR.||Not applicable.||Press release 16 July 2020 (only available in Slovenian here)|
|Spain||Describes decision as a new turning point for data transfers to the US.||Notes the validity of SCC in general terms.||Emphasises the need for a harmonised EU approach and consistent application of the decision.||Press release 22 July 2020 (only available in Spanish here)|
|UK||[From the UK Government] "disappointed that the EU's adequacy decision for US Privacy Shield has been invalidated"||UK Government is "pleased that this important mechanism [SCC] for transferring data internationally remains in place and is considering any further implications that may arise from the judgment in respect of this."||"Coronavirus ('COVID-19') has demonstrated the importance of international data transfers. The recent crisis has shown how data transfers keep economies moving and societies functioning"||UK Government Press release 17 July 2020|
Live reaction to the key landmark decision on the future of international data transfers
We hosted an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact on your business and what the future may hold.
- William Long - Partner, Leader of the EU Data Protection Practice, Sidley Austin LLP
- Caroline Louveaux - Chief Privacy Officer, MasterCard
- Lee Parker - Director Data Privacy EU+, Biogen
- Lara Liss - Chief Privacy Officer, Walgreens Boots Alliance
- Monica Tomczak - Chief Privacy Officer, Prosus, Division of Naspers
- Alan Raul - Partner, Leader of Privacy and Cybersecurity Practice, Sidley Austin LLP
- David Longford - Global Offering Manager, OneTrust DataGuidance
Is the US 'Essentially Equivalent' with the EU?: Schrems II Legal Analysis
Join us for a webinar as we react to the ruling and discuss what it means in correlation to privacy programs and other global regulations.