Schrems II judgment/ruling (Privacy Shield invalidation) and required steps
Disclaimer: all the information in this article and otherwise on this website is for informational purposes only. No information is of a legal nature. Please read our full disclaimer.
On 16 July 2020, the Court of Justice of the European Union issued a ruling (“Schrems II judgment”) regarding international transfers of personal data from the EU.
The ruling invalidated the Privacy Shield framework and set out stricter criteria for using other safeguards such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).
This article is for you if you’re a:
- US provider (processor) processing the personal data of anyone in the EU/EEA, and/or
- A controller for such personal data, using third country processor(s)
Latest update and short summary of the ruling (April 2022)
💡 For those returning, here are the latest, relevant updates:
- 🔥 The European Commission and the US announced on 25 March 2022 that they agree in principle on a new Trans-Atlantic Data Privacy Framework, which will address the concerns raised by the CJEU in the Schrems II ruling. While privacy professionals, Max Schrems and NOYB are highly sceptical and we don't know any details of the actual legal documents yet (as of April 2022), this agreement will likely give businesses in both the EEA and the US some room to breathe. See also the EUC Fact sheet, the White House Fact sheet and a LinkedIn post by NoTies Consulting's CEO Rie Aleksandra Walle, where she shares some thoughts with VIXIO Regulatory Intelligence.
- The EDPB published the final Recommendations on supplementary measures, on 18 June 2021 (press release). Make sure that you update your prior efforts with any changes. PS: Some people point out that the EDPB now allows for a risk-based approach, but don't celebrate too early - there are strict criteria for relying on this and you need to put down quite a bit of work to get there. Make sure you really understand the recommendations, first.
- On 4 June 2021, the European Commission announced two sets of new standard contractual clauses: one for use between controllers and processors, and one for transferring personal data to third countries (non-EEA countries). You have ~18 months to transition to the new clauses, so start planning now. (NB: for some, the deadline is instead 27 September, so make sure you really understand the timeline here.) A key change is that the requirements for a data processing agreement (cf. Article 28 GDPR) are now included in the clauses, simplifying your documentation. For a deeper dive into the new SCCs, check out this article by Bird & Bird.
Key updates from November 2020:
See further down for what steps you need to take to ensure you have a handle on the situation. 👇 For the newcomer, here’s a short summary of the ruling:
- The “Schrems” cases stem from the Austrian lawyer Max Schrems and his initial Facebook complaint to the Irish Data Protection Commissioner in 2013
- Since then, he has founded the organization noyb, which works to expose and legally pursue commercial privacy and data protection violations
- His efforts have so far resulted in the first Schrems case, invalidating the Safe Harbor framework in 2015, and now the Privacy Shield framework in July 2020 (“Schrems II”)
- These rulings make it challenging to transfer personal data from the EU/EEA to third countries, including the USA
- As of today, in August 2020, it is highly uncertain how this will be managed on a practical level
- However, the EU and the US are in dialogue on how to proceed
- If you are a US provider processing the data of people in the EU/EEA, you need to treat this situation as critical and urgent
- If you are a controller in the EU/EEA, you need to do the same, and take necessary actions immediately to protect your business
- You should stay continually up to date going forward – pay special attention to the advice from the European Data Protection Board and the ICO (the UK’s data protection authority)
- Make sure you subscribe to our news updates and/or get hands-on help
And here are some of the terms and (credible) sources you should be familiar with, referenced throughout the article:
- The General Data Protection Regulation, GDPR, the European data protection and privacy law
- The European Union (EU) and the EEA countries Iceland, Liechtenstein and Norway, collectively the “EEA” henceforth
- A “third country” is any country outside of the EEA (such as the US)
- The GDPR Chapter 5 on transfers of personal data to third countries and safeguards for such international transfers, like:
  - Adequacy decisions
  - Standard Contractual Clauses (SCC)
  - Binding Corporate Rules (BCR)
- Data Processing Agreement/Addendum (DPA), a contract between a controller and a data processor
- The European Data Protection Board (EDPB), composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS)
- The Information Commissioner's Office (ICO), the UK’s data protection authority
Generally, make sure you only rely on credible sources whenever you work with the GDPR (or any other law, for that matter).
If you would like hands-on help to manage the situation, please send us a request. Note that our response time is slightly longer than usual due to this situation.
What is the “Schrems II judgment/ruling”?
The origins of the so-called “Schrems” cases date back to 2013 and the Austrian national and (then) law student Max Schrems. He initially lodged a complaint with the Irish Data Protection Commissioner about Facebook’s transfer of his personal data to the USA.
The first case, simply referred to as “Schrems”, led to the invalidation of the Safe Harbor framework in 2015. This “second round”, where the Privacy Shield framework was invalidated, is referred to as “Schrems II”.
The cases revolve around the transfers of Max Schrems’ personal data from the EEA to third countries that, in Mr. Schrems’ opinion, don’t offer adequate protection of these personal data, as per European data protection and human rights laws.
Also see the sources and further resources at the end of this article.
What are the 50 U.S. Code §1881a (“Section 702”/“FISA 702”) and the Executive Order 12333 (E.O. 12333)?
Since the Schrems cases relate to Facebook’s transfer of Schrems’ personal data from the EEA to the US, US laws are under scrutiny, specifically 50 USC §1881a and the E.O. 12333.
The United States Code (“USC”) is a consolidation and codification by subject matter of the general and permanent laws of the United States.
An executive order is a directive signed by the President of the United States, to manage operations of the federal government. E.O. 12333 was first signed in 1981 by former President Ronald Reagan, for the “effective conduct of United States intelligence activities and the protection of constitutional rights”.
(Another recent, known executive order is President Trump’s E.O. 13942 on TikTok.)
50 USC §1881a is a provision of Title 50 of the US Code, which covers war and national defense; Chapter 36, of which §1881a is part, deals with foreign intelligence surveillance, and §1881a itself concerns the targeting of certain persons outside of the US.
In our opinion, nearly all data processors in the US offering services could fall under one of the definitions in 50 U.S.C. § 1881(b)(4), like email communication, telecommunication or cloud computing (storage).
It’s our understanding that this could include companies like Google, Microsoft, Amazon AWS, Facebook (including WhatsApp and Instagram), Twitter, Verizon Media (Oath/Yahoo), MailChimp, Kajabi, ActiveCampaign, Squarespace (including Acuity Scheduling), Asana, Aweber, Calendly, ConvertKit, Zoom, Dropbox, Evernote, Hubspot, Intercom, PayPal, Slack, Twilio (including SendGrid), Atlassian (including Trello), SurveyMonkey, Stripe, Wix and numerous other companies.
Despite the ruling, US data processors such as Microsoft and Google insist that their transfers of personal data between the US and the EU are still in line with the GDPR.
In sum – both 50 USC §1881a and E.O. 12333 are legal instruments the US government leverages to protect its national interests and prevent acts such as sabotage and terrorism.
Current guidelines you should be aware of (and follow)
We will continuously keep up to date with all recommendations and guidelines from relevant (credible) European sources going forward. Please subscribe to our newsletter to get notified of any changes.
The sources we rely on are primarily the websites of the European Commission, the European Data Protection Board (EDPB) and the data protection authorities in the UK (the ICO), Denmark and Norway. We will share all relevant updates in English, on this page going forward.
I process EEA-based personal data as a controller, what do I need to do?
First and foremost, you should ensure you comply with the GDPR overall, including that you:
- Understand what the GDPR is and means for your business/organization
- Have your GDPR foundation in place (especially your records of processing activities, data processing agreements, tools and safeguards for any international transfers and data protection risk assessment)
- Keep compliant on an ongoing basis
Read more in our GDPR compliance checklist for SaaS, tech and other online businesses. Note that this is written for small businesses. (And it will be helpful even if you’re not a tech business - or a business at all.)
Next, you need to take these concrete steps:
- Review your records of processing activities (personal data inventory) and personal data flows to determine which processors are located in, or store the personal data they process on your behalf in, a third country (non-EEA country)
- Identify the transfer tool(s) for each such international transfer (adequacy decision, Privacy Shield, SCC, BCR). Where the data processor only relies on Privacy Shield, find out if they have other safeguards in place. If they don’t, they should be working on getting an alternative safeguard in place as soon as possible (get it confirmed). Unless they have other safeguards in place, this processing is now unlawful
- Conduct privacy/data protection due diligence and risk assessments for all international transfers, including:
  - Validate that the processor is compliant with the GDPR
  - Validate that no national laws the processor is required to comply with (such as FISA 702) impinge on the level of protection, which must be equivalent to that afforded in the EEA
- Make your preliminary conclusion:
  - If the processor has sufficient technical and organizational security measures, and no national laws conflict with the GDPR, or the processor isn't required to comply with such laws - then you can continue using them ✅
  - If the processor lacks sufficient security measures, or they're required to comply with laws that conflict with the GDPR - go to the next step:
- Identify and implement supplementary measures to close the gap in the level of protection - but note that if these measures cannot mitigate the impingement, then you're required to suspend/end the ongoing transfers (or not start any planned transfers)
- Ensure you evaluate and re-assess as needed on an ongoing basis
You need to determine yourself what risk you’re willing to accept and if you should stop using or change providers.
Also, there is a handy flowchart from the EDPB illustrating the steps outlined above:
We recommend you document all your considerations and conclusions, so you’ll be able to demonstrate your compliance to data protection authorities, if necessary.
I’m a US based processor, what do I need to do?
(This section only applies to you if you’re a US (or third country) based processor with customers in the EEA (EU member states + the EEA countries))
First and foremost, you need to determine if 50 U.S. Code § 1881a and/or Executive Order 12333 apply to you. We recommend you involve reputable legal counsel for this assessment. It can become very costly to rely on incorrect advice.
Immediate recommended actions:
- Make sure your management team are familiar with the situation
- Involve proper legal counsel
- If you’re reading this, it’s because you have determined that the GDPR applies to your business – so you need to ensure that you’re actually GDPR compliant (and for even a small business, here are some of the things you need to have in place)
- If you’re a processor, ensure you comply with all requirements as per Article 28 (including for your data processing agreement) and Article 30(2) (records of all categories of processing activities you carry out on behalf of controllers)
- Ensure you have safeguards other than the Privacy Shield in place; otherwise, start working on this
- Ensure key employees are informed, including your customer support team, and create guidelines for how to respond to any requests regarding the ruling and/or Privacy Shield
- Be prepared to manage several requests for information from customers in the EEA
- Closely follow the EUC, EDPB and ICO guidelines going forward (and stay updated through our newsletter)
- And, if you haven't already, assess if you're required to appoint an EU Data Representative as per Article 27 and also a Data Protection Officer as per Article 37 (if you need help with the assessments and/or recommendations for reputable representatives, please contact us)
- Determine if you should get outside help to support you on dealing with the ruling, customer support information, website updates and overall compliance - and no matter whom you get to help you, ensure that they're highly skilled in the GDPR and other relevant privacy and data protection laws
If you would like hands-on help to manage the situation, please send us a request. Although we don’t provide any legal advice, we can help you manage the situation and provide correct information to your customers.