One year ago, on July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II). At issue were data transfers between the EU and the U.S.
In a decisive blow to normal operating procedures for thousands of U.S. businesses, the Schrems II court upended two mechanisms that most companies relied on to transfer data – the EU-U.S. Privacy Shield and standard contractual clauses (SCCs). The Privacy Shield was determined inadequate for data privacy protection and invalidated, effective immediately. While the court upheld the validity of SCCs, it now requires each transfer be evaluated on a case by case basis to ensure adequate protection. If lacking, the court found, “additional safeguards” could be required; however, no clarification was offered to indicate which supplemental measures sufficiently protect a subject’s data.
The consequences of Schrems II were immediate, massive, and confounding. Over the past year, some guidance has issued with respect to SCCs, but a resolution to the Privacy Shield remains to be seen.
Status of the Privacy Shield
One year out, no replacement to the Privacy Shield exists, yet the U.S. and the EU have publicly committed to working together to come up with a resolution. In a move that signaled the new administration’s prioritization of privacy issues, President Biden appointed Christopher Hoff to oversee negotiations for a replacement, effective the day of Biden’s inauguration in January 2021.
Status of SCCs
Significant guidance has issued in the wake of Schrems II with regard to SCCs, including the publication of guidelines issued by the European Data Protection Board (EDPB) and draft replacement SCCs issued by the European Commission.
In November 2020 and June 2021, the European Data Protection Board (EDPB) released guidelines advising organizations on Schrems II compliance, elucidating six specific concepts that require consideration for data transfers. They include:
- Know your transfers
- Identify the transfer tool that your transfer relies on
- Assess whether the Article 46 GDPR transfer tool on which you are relying is effective in light of all circumstances of the transfer
- Identify and adopt supplemental measures
- Take formal procedural steps
- Re-Evaluate at appropriate intervals
Know your transfers
To successfully transfer data, the exporter must understand the flow of data. The first step is to identify, record, and map all transfers.
Identify the transfer tool that your transfer relies on
Next, data exporters identify the tools relied upon to transfer data. Use of appropriate mechanisms include adequate SCCs, BCRs, codes of conduct, certifications mechanisms, or ad hoc contractual clauses. If the data is being transferred to one of twelve countries covered by an adequacy decision sanctioned by the European Commission, no additional inquiry is required. If the transfer is occurring with a country like the U.S. where data protection has been deemed inadequate, additional safeguards are necessary.
Assess whether the relied upon transfer tool is effective in light of all circumstances of the transfer
Transfer tools must ensure that the level of protection guaranteed by the GDPR is not undermined. The EDPB explained the need “to assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.”
A data exporter must therefore assess whether and what laws of the importing country apply to the data being transferred. When laws require disclosure of data to government agencies such as criminal law enforcement, regulatory supervision, and national security agencies, the data exporter must utilize relevant EDPB guidance to determine whether these laws can be regarded as justifiable interference.
A framework offered by the EDPB clarifies what should be considered when evaluating foreign laws. Major points include:
- The rules of the importing country should be clear, precise and accessible.
- If the importing country’s objectives are legitimate, necessity and proportionality must also be demonstrated.
- The importing country should have an independent mechanism overseeing data transfers
- Effective remedies must be available to the data subject.
Identify and adopt supplemental measures
If the assessment determines that the third country's laws do not effectively safeguard user data, then, in collaboration with the data importer, supplementary measures must be implemented to ensure a level of protection essentially equivalent to that guaranteed within the EU.
These supplementary measures may have a contractual, technical, or organizational nature. The guidance recommends having these measures be additive and interdisciplinary to ensure adequate data protection. If the identified deficiencies cannot be remedied, the transfers must be stopped.
Take formal procedural steps
When supplemental measures are in place, the EDPB requires the organization to document the changes and encourages it to seek authorization from the supervisory authority.
Re-evaluate at appropriate intervals
Once data transfers comply with the Schrems II decision, the exporter has an ongoing obligation to monitor the countries involved in the data transfer and re-evaluate the level of adequacy based on any developments.
New Draft SCCs
In June 2021, the European Commission published new SCCs governing international data transfers and exchanges. This marked the first update to SCCs in more than 10 years. The new SCCs reflect the evolution of privacy laws in the interim, including the General Data Protection Regulation (GDPR) and the Schrems II decision.
The new SCCs took effect on June 27, 2021. The old SCCs can be used for new data transfers through September 27, 2021, but existing contracts for data transfers that rely on the old SCCs must adopt the new SCCs by December 27, 2022.
Current Status of Schrems II Implementation
In the year after the decision was handed down, the aftermath of Schrems II has been onerous and frustrating to U.S. companies. In the context of unprecedented conditions caused by COVID-19, including increased use of cloud platforms as many employees work from home, the implications of the decision have become more complex. However, considering the enormous task of maintaining EU data protection standards in a global economy, the issuance of new SCCs and a demonstrated commitment to replace the Privacy Shield indicate impressive progress.
- Where are we now? The Schrems II Decision, One Year Later
- Are You Exposed? Top Three Considerations for your Organization’s Data Privacy Program
- 10 Questions About Patent Prosecution That Every Inside Counsel Should Be Able To Answer for Their Inventors
- Assignor Estoppel: When Can A Party Challenge A Patent They Sold?
- Federal Circuit Invalidation of Targeted Advertising Claims Reaffirms Patent Subject Matter Eligibility Precedent but Recent Petition for Rehearing Looms
- Trademark Modernization Act of 2020 Provides New Tools for Removing Deadwood Trademark Registrations from the Trademark Register
- Advice from Ben Franklin on Choosing Patent Terms
- EagleView Techs., Inc. v. Xactware Solutions: A Cautionary Tale
- Using Opinions of Counsel as a Budgeting Tool
- In Celebration of Earth Day: How Trademark Law Helps The Environment
- July 2021
- June 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- December 2020
- November 2020
- October 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- November 2019
- October 2019
- September 2019
- June 2019
- April 2019
- February 2019
- January 2019
- October 2018
- July 2018
- June 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- August 2017
- July 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017