
All you need to know about the Schrems II Judgment (Privacy Shield invalidation)

gdpr Aug 16, 2020

Disclaimer: all the information in this article and otherwise on this website is for informational purposes only. No information is of a legal nature. Please read our full disclaimer.

On 16 July 2020, the Court of Justice of the European Union issued a ruling (“Schrems II judgment”) regarding the international transfers of personal data from the EU.

The ruling invalidated the Privacy Shield framework and set out stricter criteria for using other safeguards such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).

This article is for you if you’re a:

  • US provider processing the personal data of anyone in the EU/EEA, or
  • Controller in the EU/EEA using such providers in any third country as data processors

Here’s a short summary:

  • The “Schrems” cases stem from the Austrian lawyer Max Schrems and his initial Facebook complaint to the Irish Data Protection Commissioner in 2013
  • Since then, he has founded the organization noyb, working to expose and legally pursue commercial privacy and data protection violations
  • His efforts have so far resulted in the first Schrems case, effectively invalidating the Safe Harbor framework in 2015, and now the Privacy Shield framework in July 2020 (“Schrems II”)
  • These rulings make it challenging to transfer personal data from the EU/EEA to third countries, including the USA
  • As of today, in August 2020, it is highly uncertain how this will be managed on a practical level
  • However, the EU and the US are in dialogue on how to proceed
  • If you are a US provider processing the data of people in the EU/EEA, you need to treat this situation as critical and urgent
  • If you are a controller in the EU/EEA, you need to do the same, and take necessary actions immediately to protect your business
  • You should stay continually up to date going forward – pay special attention to the advice from the European Data Protection Board and the ICO (the UK’s data protection authority)
  • Make sure you subscribe to our news updates and/or get hands-on help

And here are some of the terms and (credible) sources you should be familiar with, referenced throughout the article:

  • The General Data Protection Regulation, GDPR, the European data protection and privacy law
  • The European Union (EU) and the EEA countries Iceland, Liechtenstein and Norway, collectively the “EEA” henceforth
  • A “third country” is any country outside of the EEA (such as the US)
  • The GDPR Chapter 5 on transfers of personal data to third countries and safeguards for such international transfers, like:
      • Adequacy decisions
      • Standard Contractual Clauses (SCC)
      • Binding Corporate Rules (BCR)
  • Data Processing Agreement/Addendum (DPA), a contract between a controller and a data processor
  • The European Data Protection Board (EDPB), composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS)
  • The Information Commissioner's Office (ICO), the UK’s data protection authority

Generally, make sure you only rely on credible sources whenever you work with the GDPR (or any other law, for that matter).

If you would like hands-on help to manage the situation, please send us a request. Note that our response time is slightly longer than usual due to this situation.

What is the “Schrems II judgment/ruling”?

The origins of the so-called “Schrems” cases date back to 2013 and the Austrian national and (then) law student Max Schrems. He initially lodged a complaint with the Irish Data Protection Commissioner about Facebook’s transfer of his personal data to the USA.

The first case, simply referred to as “Schrems”, led to the invalidation of the Safe Harbor framework in 2015. This “second round”, where the Privacy Shield framework was invalidated, is referred to as “Schrems II”.

The cases revolve around the transfers of Max Schrems’ personal data from the EEA to third countries that, in Mr. Schrems’ opinion, don’t offer adequate protection of these personal data, as per European data protection and human rights laws.

Also see the sources and further resources at the end of this article.

What are the 50 U.S. Code §1881a (“Section 702”/“FISA 702”) and the Executive Order 12333 (E.O. 12333)?

Since the Schrems cases relate to Facebook’s transfer of Schrems’ personal data from the EEA to the US, US laws are under scrutiny, specifically 50 USC §1881a and the E.O. 12333.

The United States Code (“USC”) is a consolidation and codification by subject matter of the general and permanent laws of the United States.

An executive order is a directive signed by the President of the United States, to manage operations of the federal government. E.O. 12333 was first signed in 1981 by former President Ronald Reagan, for the “effective conduct of United States intelligence activities and the protection of constitutional rights”.

(Another recent, known executive order is President Trump’s E.O. 13942 on TikTok.)

50 USC §1881a is part of the US laws pertaining to national defense; chapter 36, of which §1881a is a part, covers foreign intelligence surveillance, including the surveillance of certain persons outside of the US.

In our opinion, nearly all data processors in the US offering services could fall under one of the definitions in 50 U.S.C. § 1881(b)(4), like email communication, telecommunication or cloud computing (storage).

It’s our understanding that this could include companies like Google, Microsoft, Amazon AWS, Facebook (including WhatsApp and Instagram), Twitter, Verizon Media (Oath/Yahoo), MailChimp, Kajabi, ActiveCampaign, Squarespace (including Acuity Scheduling), Asana, AWeber, Calendly, ConvertKit, Zoom, Demio, Dropbox, Evernote, HubSpot, Intercom, PayPal, Slack, Twilio (including SendGrid), Atlassian (including Trello), SurveyMonkey, Stripe, Wix and numerous other companies.

Despite the ruling, US data processors such as Microsoft and Google insist that their transfers of personal data between the US and the EU are still in line with the GDPR.

In sum – both 50 USC §1881a and E.O. 12333 are legal instruments the US government leverages to protect its national interests and prevent acts such as sabotage and terrorism.

Current guidelines you should be aware of (and follow)

We will stay continuously up to date on all recommendations and guidelines from relevant European (credible) sources going forward. Please subscribe to our newsletter to get notified of any changes.

The sources we rely on are primarily the websites of the European Commission, the European Data Protection Board (EDPB) and the data protection authorities in the UK (the ICO), Denmark and Norway. We will share all relevant updates in English, on this page going forward.

The most recent update on the Schrems II judgment is from 10 August, when the European Commissioner for Justice and the U.S. Secretary of Commerce published a joint press release.

Here, they indicate that they’re working on managing the situation and the potential of a “Privacy Shield 2.0”:

The U.S. Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the 16 July judgement of the Court of Justice of the European Union in the Schrems II case.

The EDPB and ICO have shared recent statements and guidelines as well, referenced in the next section.

I’m a European based controller, what do I need to do?

First and foremost, you should ensure you comply with the GDPR overall, including that you:

  • Understand what the GDPR is and means for your business
  • Have your GDPR foundation in place (especially your personal data inventory, data processing agreements, safeguards for any international transfers and data protection risk assessment)
  • Keep compliant on an ongoing basis

Read more in our GDPR compliance checklist for SaaS, tech and other online businesses. Note that this is written for small businesses. (And it will be helpful even if you’re not a tech business.)

Next, you need to take some steps to manage the Schrems II judgment:

  1. Review your personal data inventory to determine which of your data processors are located in a third country, or store the personal data they process on your behalf in a third country
  2. Identify the safeguard for each such international transfer (adequacy decision, Privacy Shield, SCC, BCR)
  3. Where the data processor only relies on Privacy Shield, find out if they have other safeguards in place. If they don’t, they should be working on getting an alternative safeguard in place as soon as possible (get it confirmed)
  4. Conduct privacy/data protection risk assessments for all international transfers
  5. Determine for yourself what risk you’re willing to accept and whether you should stop using or change providers

We don't recommend that anyone take drastic steps while the situation is unclear - just make sure you review your data flows and data processors, and conduct a risk assessment.

Below are the most recent updates from the EDPB and ICO; we have copied in the most relevant sections.

The last update from the EDPB came in their FAQ of 24 July, and their guidance is:

Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.

The ICO refers to this FAQ in their statement on 27 July and advises:

… In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.

In other words, in addition to ensuring your data processor has necessary safeguards in place, you also need to conduct a risk assessment.

We recommend you document all your considerations and conclusions, so you’ll be able to demonstrate your compliance to data protection authorities, if necessary.

I’m a US based data processor, what do I need to do?

(This section only applies to you if you’re a US (or third country) based data processor with customers in the EEA (EU member states + the EEA countries))

First and foremost, you need to determine if 50 U.S. Code § 1881a and/or Executive Order 12333 apply to you. We recommend you involve reputable legal counsel for this assessment. It can become very costly to rely on incorrect advice.

Other recommended actions – for now:

  1. Make sure your management team is familiar with the situation
  2. Involve proper legal counsel
  3. If you’re reading this, it’s because you have determined that the GDPR applies to your business – so you need to ensure that you’re actually GDPR compliant (and for even a small business, here are some of the things you need to have in place)
  4. If you’re a data processor, ensure you comply with all requirements as per Article 28 (including for your data processing agreement) and Article 30(2) (records of all categories of processing activities you carry out on behalf of controllers)
  5. Ensure you have safeguards other than the Privacy Shield in place; otherwise, start working on managing this
  6. Ensure key employees are informed, including your customer support team, and create guidelines for how to respond to any requests regarding the ruling and/or Privacy Shield
  7. Be prepared to manage several requests for information from customers in the EEA
  8. Follow closely the European Commission’s, EDPB’s and ICO’s guidelines going forward (and stay updated through our newsletter)
  9. And, if you haven't already, assess if you're required to appoint an EU Data Representative as per Article 27 and also a Data Protection Officer as per Article 37 (if you need help with the assessments and/or recommendations for reputable representatives, please contact us)

If you would like hands-on help to manage the situation, please send us a request. Although we don’t provide any legal advice, we can help you manage the situation and provide correct information to your customers.

Sources/resources
