Schrems II judgment/ruling (Privacy Shield invalidation) and required steps

Disclaimer: all the information in this article and otherwise on this website is for informational purposes only. No information is of a legal nature. Please read our full disclaimer.

On 16 July 2020, the Court of Justice for the European Union issued a ruling (“Schrems II judgment”) regarding the international transfers of personal data from the EU.

The ruling invalidated the Privacy Shield framework and set out stricter criteria for using other safeguards such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).

This article is for you if you’re a:

• US provider processing the personal data of anyone in the EU/EEA, or
• Controller in the EU/EEA using such providers in any third country as data processors

Latest update and short summary of the ruling (June 2021)

💡 For those returning, here are the latest, relevant updates:

• The EDPB published the final Recommendations on supplementary measures, on 18 June (press release). Make sure that you update your prior efforts with any changes. PS: Some people point out that the EDPB now allows for a risk-based approach, but don't celebrate too early - there are strict criteria for relying on this and you need to put down quite a bit of work to get there. Make sure you really understand the recommendations, first.
• On 4 June, the European Commission announced two sets of new standard contractual clauses; one for the use between controllers and processors, and one for transferring personal data to third countries (non-EEA countries). You have ~18 months to transition to new clauses, so start planning now. (NB! For some, the deadline is 27 September, however, so make sure you really understand the timeline here.) A key change is that the requirements for a data processing agreement (cf. Article 28 GDPR), are now included in the clauses, simplifying your documentation. For a deeper dive into the new SCCs, check out this article by Bird & Bird.

Key updates from November, 2020:

• The EDPB published two key documents: 1) Recommendations on supplementary measures (on hearing until 21 December) and 2) EU Essential Guarantees for surveillance measures.

See further down for what steps you need to take to ensure you have a handle on the situation. 👇

For the newcomer, here’s a short summary of the ruling:

• The “Schrems” cases stems from the Austrian lawyer Max Schrems and his initial Facebook complaint to the Irish Data Protection Commissioner in 2013
• Since then he founded the organization noyb, working to expose and legally pursue commercial privacy and data protection violations
• His efforts have so far resulted in the first Schrems case, effectively invalidating the Safe Harbor framework in 2015, and now the Privacy Shield framework in July 2020 (“Schrems II”)
• These rulings make it challenging to transfer personal data from the EU/EEA to third countries, including the USA
• As of today, in August 2020, it is highly uncertain how this will be managed on a practical level
• However, the EU and the US are in dialogue on how to proceed
• If you are a US provider processing the data of people in the EU/EEA, you need to treat this situation as critical and urgent
• If you are a controller in the EU/EEA, you need to do the same, and take necessary actions immediately to protect your business
• You should stay continually up to date going forward – pay special attention to the advice from the European Data Protection Board and the ICO (the UK’s data protection authority)
• Make sure you subscribe to our news updates and/or get hands-on help
  

And here are some of the terms and (credible) sources you should be familiar with, referenced throughout the article:

• The General Data Protection Regulation, GDPR, the European data protection and privacy law
• The European Union (EU) and the EEA countries Iceland, Liechtenstein and Norway, collectively the “EEA” henceforth
• A “third country” is any country outside of the EEA (such as the US)
• The GDPR Chapter 5 on transfers of personal data to third countries and safeguards for such international transfers, like:
• Adequacy decisions
• Standard Contractual Clauses (SCC)
• Binding Corporate Rules (BCR)
• Data Processing Agreement/Addendum (DPA), a contract between a controller and a data processor
• The European Data Protection Board (EDPB), composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS)
• The Information Commissioner's Office (ICO), the UK’s data protection authority

Generally, make sure you only rely on credible sources whenever you work with the GDPR (or any other law, for that matter.

If you would like hands-on help to manage the situation, please send us a request. Note that our response time is slightly longer than usual due to this situation.

What is the “Schrems II judgment/ruling”?

The origins of the so-called “Schrems” cases date back to 2013 and the Austrian national and (then) law student Max Schrems. He initially lodged a complaint with the Irish Data Protection Commissioner about Facebook’s transfer of his personal data to the USA.

The first case, simply referred to as “Schrems”, led to the invalidation of the Safe Harbor framework in 2015. This “second round”, where the Privacy Shield framework was invalidated, is referred to as “Schrems II”.

The cases revolve around the transfers of Max Schrems’ personal data from the EEA to third countries that, in Mr. Schrems’ opinion, don’t offer adequate protection of these personal data, as per European data protection and human rights laws.

Also see the sources and further resources at the end of this article.

What are the 50 U.S. Code §1881a (“Section 702”/“FISA 702) and the Executive Order 12333 (E.O. 12333)?

Since the Schrems cases relate to Facebook’s transfer of Schrems’ personal data from the EEA to the US, US laws are under scrutiny, specifically 50 USC §1881a and the E.O. 12333.

The United States Code (“USC”) is a consolidation and codification by subject matter of the general and permanent laws of the United States.

An executive order is a directive signed by the President of the United States, to manage operations of the federal government. E.O. 12333 was first signed in 1981 by former President Ronald Reagan, for the “effective conduct of United States intelligence activities and the protection of constitutional rights”.

(Another recent, known executive order is President Trump’s E.O. 13942 on TikTok.)

50 USC §1881a refers to a law in the US pertaining to national defense, and chapter 36, of which §1881a is part, refers to foreign intelligence and surveillance regarding certain persons outside of the US.

In our opinion, nearly all data processors in the US offering services could fall under one of the definitions in 50 U.S.C. § 1881(b)(4), like email communication, telecommunication or cloud computing (storage).

It’s our understanding that this could include companies like Google, Microsoft, Amazon AWS, Facebook (including Whatsapp and Instagram), Twitter, Verizon Media (Oath/Yahoo), MailChimp, Kajabi, ActiveCampaign, Squarespace (including Acuity Scheduling), Asana, Aweber, Calendly, ConvertKit, Zoom, Dropbox, Evernote, Hubspot, Intercom, PayPal, Slack, Twilio (including SendGrid), Atlassian (including Trello), SurveyMonkey, Stripe, Wix and numerous other companies.

Despite the ruling, US data processors such as Microsoft and Google insist that the transfer of personal data between the US and the EU, are still in line with the GDPR.

In sum – both the 50 USC §1881a and the E.O. 12333 are legal instruments the US government leverage to protect their national interests and prevent acts such as sabotage and terrorism.

Current guidelines you should be aware of (and follow)

We will keep continuously up to date on all recommendations and guidelines from relevant European (credible) sources going forward. Please subscribe to our newsletter to get notified of any changes.

The sources we rely on are primarily the websites of the European Commission, the European Data Protection Board (EDPB) and the data protection authorities in the UK (the ICO), Denmark and Norway. We will share all relevant updates in English, on this page going forward.

I’m a European based controller, what do I need to do?

First and foremost, you should ensure you comply with the GDPR overall, including that you:

• Understand what the GDPR is and means for your business
• Have your GDPR foundation in place (especially your records of processing activities, data processing agreements, safeguards for any international transfers and data protection risk assessment)
• Keep compliant on an ongoing basis

Read more in our GDPR compliance checklist for SaaS, tech and other online businesses. Note that this is written for small businesses. (And it will be helpful even if you’re not a tech business.)

Next, you need to take these concrete steps:

1. Review your records of processing activities (personal data inventory) and personal data flows to determine which data processors are, or store personal data they process on your behalf, in a third country (non-EEA country)
2. Identify the safeguard(s) for such international transfer (adequacy decision, Privacy Shield, SCC, BCR). Where the data processor only relies on Privacy Shield, find out if they have others safeguards in place. If they don’t, they should be working on getting an alternative safeguard in place as soon as possible (get it confirmed). Unless they have other safeguards in place, this processing is now unlawful
3. Conduct privacy/data protection due diligence and risk assessments for all international transfers, including:
   • Validate that the data processor is compliant with the GDPR
   • Validate that no national laws (the data processor is required to comply with) impinge on the equivalent level of protection as afforded in the EEA (like e.g. FISA 702)
4. Make your preliminary conclusion:
   
   • If the data processor has sufficient technical and organizational security measures, and no national laws conflict with the GDPR, or the data processor isn't required to comply with these - then you can continue using them ✅
   • If the data processor lacks sufficient security measures, or they're required to comply with laws that conflict with the GDPR - go to the next step:
5. Identify and implement supplementary measures to close the gap in the level of protection - but note that if these measures cannot mitigate the impingement, then you're required to suspend/end ongoing the transfers (or not start any planned transfers)
6. Ensure you evaluate and re-assess as needed on an ongoing basis

You need to determine yourself what risk you’re willing to accept and if you should stop using or change providers.

We don't recommend anyone to take any drastic steps while the situation is unclear - just make sure that you, at a minimum, carefully review your data flows, data processors and transfer tools (like SCCs), and conduct a thorough risk assessment.

Also, there is a handy flowchart from the EDPB illustrating the steps outline above:

Prior updates

The EDPB published a FAQ on 24 July:

Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.

The ICO referred to this FAQ in their statement on 27 July and advised:

… In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.

In other words, in addition to ensuring your data processor has necessary safeguards in place, you also need to conduct a risk assessment.

We recommend you document all your considerations and conclusions, so you’ll be able to demonstrate your compliance to data protection authorities, if necessary.

I’m a US based data processor, what do I need to do?

(This section only applies to you if you’re a US (or third country) based data processor with customers in the EEA (EU member states + the EEA countries))

First and foremost, you need to determine if 50 U.S. Code § 1881a and/or Executive Order 12333 apply to you. We recommend you involve reputable, legal counsel for this assessment. It can become very costly to rely on incorrect advice.

Immediate recommended actions:

1. Make sure your management team are familiar with the situation
2. Involve proper legal counsel
3. If you’re reading this, it’s because you have determined that the GDPR applies to your business – so you need to ensure that you’re actually GDPR compliant (and for even a small business, here are some of the things you need to have in place)
4. If you’re a data processor, ensure you comply with all requirements as per Article 28 (including for your data processing agreement) and Article 30-2 (records of all categories of processing activities you carry out on behalf of controllers)
5. Ensure you have other safeguards than the Privacy Shield, in place, otherwise start working on managing this
6. Ensure key employees are informed, including your customer support team, and create guidelines for how to respond to any requests regarding the ruling and/or Privacy Shield
7. Be prepared to manage several requests for information from customers in the EEA
8. Follow closely the EUC, EDPB and the ICO’s guidelines going forward (and stay updated through our newsletter)
9. And, if you haven't already, assess if you're required to appoint a EU Data Representative as per Article 27 and also a Data Protection Officer as per Article 37 (if you need help with the assessments and/or recommendations for reputable representatives, please contact us)
10. Determine if you should get outside help to support you on dealing with the ruling, customer support information, website updates and overall compliance - and no matter whom you get to help you, ensure that they're highly skilled in the GDPR and other relevant privacy and data protection laws

If you would like hands-on help to manage the situation, please send us a request. Although we don’t provide any legal advice, we can help you manage the situation and provide correct information to your customers.

Sources/resources

• The EDPB's final Recommendations on supplementary measures (18 June 2021)
• The European Commission revised standard contractual clauses (4 June 2021)
• The ICO's latest update (13 November 2020)
• The European Commission draft for revised standard contractual clauses (12 November 2020)
• The EDPB's Recommendations on supplementary measures and EU Essential Guarantees for surveillance measures (11 November 2020)
• Joint Press Statement from the European Commissioner for Justice and the U.S. Secretary of Commerce on discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework (10 August 2020)
• The ICO's updated statement (27 July 2020)
• The European Data Protection Board FAQ on the judgment (24 July 2020)
• The European Data Protection Board Statement on the judgment (17 July 2020)
• The ICO's initial statement (16 July 2020)
• Court of Justice of the European Union press release site where you can download a copy of the judgment (16 July 2020)
• Max Schrems' privacy organization noyb with resources and FAQ's for both users and companies
• The European Commission rules on international data transfers
• The European Commission standard contractual clauses (SCC) for data transfers between EU and non-EU countries