RegSol Blog

Cross Border Data Transfers: Schrems II Judgement Day- David vs Goliath

August 2020

For those of you that have been following the epic battle between Max Schrems, the Austrian privacy activist and lawyer who is in our view “David” against the “Goliath” that is Facebook,  (within the context of the United States Surveillance Framework), judgement came on the 16th of July. 

This is concerning a complaint brought by Mr Schrems to the Irish Data Protection Commissioner who referred the matter to the European Court of Justice. The matter relates to the transfers of Schrems’ personal data by Facebook Ireland to Facebook Inc. into the US. If you use google analytics, gsuite, Microsoft, twitter, linkedin, etc, chances are EU data subjects’ personal data is flowing to servers in the US under the US Privacy shield and are affected by this. 

In a nutshell the ECJ has declared:  

  • EU-U.S. Privacy Shield invalid (legal mechanism for transferring personal data from the European Economic Area (EEA to US is invalid).
  • Standard Contractual Clauses (SCCs) remain valid but are to be approached with caution. Data transfers based on SCCs need to be assessed on a case-by-case basis to ensure that the overall level of protection in the third country is essentially equivalent to that guaranteed within the EU. Depending on the sensitivity of the personal data to be transferred to the third country, SCCs might not permit the transfer of data. 
  • Binding corporate rules (BCRs) remain valid and provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.
  • Data Protection Authorities in the EU are to ensure that that they are providing adequate supervision and, if necessary, taking enforcement action where companies are not properly risk assessing their cross-border transfers. 
What should we do now?

  • U.S. and EU companies that relied on the Privacy Shield should consider alternate methods of cross-border data transfer, such as the SCCs or binding corporate rules, or the applicability of the Article 49 derogations. 
  • Immediately re-evaluate data transfers with third parties into third countries under SCCs. Review your record of processing and risk assessments. Monitor further guidance from the EU Commission, the European Data Protection Board (EPDB) and the Data Protection Commission. If you were relying on the Privacy Shield, you need to find other ways to permit data transfers into the United States or should consider locating data processing operations, such as servers, to the European Union. Other methods of cross-border data transfer include the SCC or establishing Binding Corporate Rules (Art. 47 GDPR). 
Problems for the future?

We foresee issues with enforcement. When looking at the United States, should a dispute arise, even if parties agree on a jurisdiction of the courts in the EU, the US is not a signatory to the Hague convention and so can we ever confidently say an EU data subject’s data is protected in the US?

Click HERE to view the judgement.

By Judy de Castro - Regulatory Consultant