In the ground-breaking judgement in DPC v Facebook Ireland & Schrems, also known as Schrems II, the Court of Justice of the EU (CJEU) declared the European Commission's EU-US Privacy Shield Decision invalid, putting the majority of EU-US data transfers in violation of EU privacy law. The reason? US mass surveillance means that the level of protection for personal data transferred to the US is not "adequate" compared to that in the EU. While the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), Privacy Shield's most obvious alternative, it set out extensive considerations that organisations and authorities must assess when they rely on these model clauses.
Since then, a lot has happened, but uncertainty remains. Now that the dust has settled somewhat, this blog post aims to clear up some of the uncertainties through an overview of relevant events.
What is happening?
Current events can be summed up in a couple of key episodes:
- The CJEU case itself
- Frequently Asked Questions on the judgment by the EDPB
- Guidance by national supervisors
- Reactions to the lack of enforcement action by supervisors, for example by noyb, the organisation of Mr. Schrems
- A European Parliament Committee on Civil Liberties, Justice and Home Affairs meeting (2 and 3 September)
- Guidance on the use of SCCs by the EDPB (soon)
What is clear is that the Court invalidated the Privacy Shield. In practice, that means that organisations relying on it need to switch to another ground for transferring personal data to the US, or stop the transfers completely.
When? In its FAQ, the EDPB answered that question by ruling out a 'grace period'. Therefore: immediately.
And to which ground?
Binding Corporate Rules (BCRs) remain possible, but only for transfers within a corporate group. The most obvious transfer ground for everyone else is therefore SCCs, but much remains unclear as to how this works in practice.
As the CJEU judgement stressed that national supervisors must suspend or prohibit data transfers based on SCCs where the level of data protection in the recipient country is inadequate, the ball is now in their court.
Some supervisors, like that of the German state of Baden-Württemberg, have published their own practical steps to, in their eyes, comply with the judgement and let data flows continue.
Others, like the Dutch AP, refer to the European Data Protection Board ('EDPB'), which is examining the practical consequences of the ruling and what follow-up steps can be taken.
In the meantime, individuals and organisations such as that of Mr. Schrems are expected to file complaints against organisations that transfer data to the US. Private litigation may well increase too.
On 3 September 2020, a European Parliament Committee on Civil Liberties, Justice and Home Affairs meeting (attended by EC Commissioner for Justice Reynders) will discuss the judgement and its implications, which might give some clues as to what happens next.
In the short to medium term future, the EDPB will provide guidance on additional measures that organizations can include in model contracts. In the meantime, please consult guidance by your national supervisor.
Many European organisations share data with organisations outside the EU, or rather the EEA, and that data is often transferred to the US. Most of these organisations, 60% of them, relied on the Privacy Shield as the transfer mechanism to the US. However, on July 16, 2020, the Court of Justice of the European Union invalidated the Privacy Shield, putting the transfer of personal data to more than 5,500 US organisations (including the most widely used software tools) in violation of the EU privacy law, the GDPR. The reason for invalidation: the law and practice of access to personal data by US intelligence services means that personal data in the US does not enjoy a level of protection adequate by EU standards.
The Court also attached conditions to SCCs (approved model contracts intended to ensure safe processing outside the EU). Data exporters must take into account the law and practice of the country to which the data will be transferred, in particular regarding government access to that data. 88% of organisations sharing data outside the EU rely on these model contracts, and SCCs are also the most obvious alternative for transfers to the United States. However, continued use of the model contracts seems practically infeasible in light of the added conditions. The ruling therefore not only has major consequences for data transfers from the EU to the US, but also complicates international data traffic in general. It is therefore crucial to gain an overview of the state of affairs in your organisation and to ensure that you can continue to comply with the GDPR.
When the predecessor of the Privacy Shield (Safe Harbor) was declared invalid, the privacy regulators granted a tolerance period, giving organisations time to adapt to the new situation. The EDPB, the European umbrella organisation of privacy supervisors, has stated that there will be no tolerance period this time, and the Dutch Data Protection Authority does not mention one in its response to the Schrems ruling either. There is therefore a need to act quickly.
The following step-by-step plan can help to get a grip on the situation.
- Pay attention to the guidelines and statements of the supervisory authorities, for example on the websites of the Dutch Data Protection Authority, the EDPB and the European Commission.
- Find out which organisations receive personal data from your organisation. This should be recorded in your (mandatory) processing register, for example in PrivacyPerfect. Note that the parties you use may in turn pass the data on to other parties; your data processing agreement should contain provisions on this.
- Find out if data is being transferred to countries outside the EU and what transfer mechanism is used for this. In particular, consider:
a. organisations participating in Privacy Shield;
b. organisations using SCCs;
c. US organisations in general.
- In the case of SCCs: find out whether the receiving party can meet the (additional) conditions set out in the Schrems ruling. It is very likely that these conditions cannot be met where government access to the data is possible, as is the case with US organisations.
- Limit the transfer of personal data to countries outside the EU, choose storage in the EU and/or take other appropriate safeguards to protect the data when it is transferred. Many (non-EU) service providers now allow data to be stored in the EU. Check whether the data is nevertheless processed outside the EU, for example because a helpdesk in a third country has access to the system.
- Change the service provider in case of uncertainty. PrivacyPerfect is a Dutch organisation that only uses reliable parties for its service, and stores user data in the Netherlands.
- Adjust your privacy statement to the new situation and inform the data subjects concerned where necessary.
This article does not constitute legal advice.
PrivacyPerfect is one of the first high-end privacy compliance software providers on the market.