Disclaimer: all the information in this article and otherwise on this website is for informational purposes only. No information is of a legal nature. Please read our full disclaimer.
On 16 July 2020, the Court of Justice for the European Union issued a ruling (“Schrems II judgment”) regarding the international transfers of personal data from the EU.
The ruling invalidated the Privacy Shield framework and set out stricter criteria for using other safeguards such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).
This article is for you if you’re a:
For those returning, here's the latest update on the ruling (published on: 12 November, 2020):
See further down for what steps you need to take to ensure you have a handle on the situation. 👇
For the newcomer, here’s a short summary of the ruling:
And here are some of the terms and (credible) sources you should be familiar with, referenced throughout the article:
Generally, make sure you only rely on credible sources whenever you work with the GDPR (or any other law, for that matter.
If you would like hands-on help to manage the situation, please send us a request. Note that our response time is slightly longer than usual due to this situation.
The origins of the so-called “Schrems” cases date back to 2013 and the Austrian national and (then) law student Max Schrems. He initially lodged a complaint with the Irish Data Protection Commissioner about Facebook’s transfer of his personal data to the USA.
The first case, simply referred to as “Schrems”, led to the invalidation of the Safe Harbor framework in 2015. This “second round”, where the Privacy Shield framework was invalidated, is referred to as “Schrems II”.
The cases revolve around the transfers of Max Schrems’ personal data from the EEA to third countries that, in Mr. Schrems’ opinion, don’t offer adequate protection of these personal data, as per European data protection and human rights laws.
Also see the sources and further resources at the end of this article.
Since the Schrems cases relate to Facebook’s transfer of Schrems’ personal data from the EEA to the US, US laws are under scrutiny, specifically 50 USC §1881a and the E.O. 12333.
The United States Code (“USC”) is a consolidation and codification by subject matter of the general and permanent laws of the United States.
An executive order is a directive signed by the President of the United States, to manage operations of the federal government. E.O. 12333 was first signed in 1981 by former President Ronald Reagan, for the “effective conduct of United States intelligence activities and the protection of constitutional rights”.
(Another recent, known executive order is President Trump’s E.O. 13942 on TikTok.)
50 USC §1881a refers to a law in the US pertaining to national defense, and chapter 36, of which §1881a is part, refers to foreign intelligence and surveillance regarding certain persons outside of the US.
In our opinion, nearly all data processors in the US offering services could fall under one of the definitions in 50 U.S.C. § 1881(b)(4), like email communication, telecommunication or cloud computing (storage).
It’s our understanding that this could include companies like Google, Microsoft, Amazon AWS, Facebook (including Whatsapp and Instagram), Twitter, Verizon Media (Oath/Yahoo), MailChimp, Kajabi, ActiveCampaign, Squarespace (including Acuity Scheduling), Asana, Aweber, Calendly, ConvertKit, Zoom, Dropbox, Evernote, Hubspot, Intercom, PayPal, Slack, Twilio (including SendGrid), Atlassian (including Trello), SurveyMonkey, Stripe, Wix and numerous other companies.
In sum – both the 50 USC §1881a and the E.O. 12333 are legal instruments the US government leverage to protect their national interests and prevent acts such as sabotage and terrorism.
We will keep continuously up to date on all recommendations and guidelines from relevant European (credible) sources going forward. Please subscribe to our newsletter to get notified of any changes.
The sources we rely on are primarily the websites of the European Commission, the European Data Protection Board (EDPB) and the data protection authorities in the UK (the ICO), Denmark and Norway. We will share all relevant updates in English, on this page going forward.
First and foremost, you should ensure you comply with the GDPR overall, including that you:
Read more in our GDPR compliance checklist for SaaS, tech and other online businesses. Note that this is written for small businesses. (And it will be helpful even if you’re not a tech business.)
You need to determine yourself what risk you’re willing to accept and if you should stop using or change providers.
We don't recommend anyone to take any drastic steps while the situation is unclear - just make sure that you, at a minimum, carefully review your data flows, data processors and transfer tools (like SCCs), and conduct a thorough risk assessment.
Also, there is a handy flowchart from the EDPB illustrating the steps outline above:
The EDPB published a FAQ on 24 July:
Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
The ICO referred to this FAQ in their statement on 27 July and advised:
… In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.
In other words, in addition to ensuring your data processor has necessary safeguards in place, you also need to conduct a risk assessment.
We recommend you document all your considerations and conclusions, so you’ll be able to demonstrate your compliance to data protection authorities, if necessary.
(This section only applies to you if you’re a US (or third country) based data processor with customers in the EEA (EU member states + the EEA countries))
First and foremost, you need to determine if 50 U.S. Code § 1881a and/or Executive Order 12333 apply to you. We recommend you involve reputable, legal counsel for this assessment. It can become very costly to rely on incorrect advice.
If you would like hands-on help to manage the situation, please send us a request. Although we don’t provide any legal advice, we can help you manage the situation and provide correct information to your customers.
GDPR explained so you actually understand it - tailored for professional online business owners! Submit the form to get notified as soon as we release our professional website checklist (including the GDPR stuff!).
You won't be added to our general marketing list and your personal data is processed only for sending you the checklist when it's ready, as well as one follow-up email to ask if you found it useful. Opt out at any time. Privacy notice