On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its ‘Schrems II’ judgement, declaring the EU-US Privacy Shield framework as invalid.

The US Department of Commerce drew up the Privacy Shield’s frameworks and principles governing the collection, use and retention of personal data transferred out of the EU. Until the ‘Schrems II’ judgement was issued on 16 July 2020, the Privacy Shield framework was the GDPR-compliant standard for transferring data from the EU to the US.

In making this judgement, the CJEU found that the Privacy Shield provided an insufficient level of data protection in the US and that data transfers using this framework were now unlawful. The main issue with data protection in the US is that US authorities have excessive powers for accessing data without any judicial oversight. This breached GDPR rules and the Charter of Fundamental Rights of the European Union.

Data processing activities affected by this ruling need to cease immediately or find another legal basis for transfer, otherwise administrative penalties will apply.


We recommend that you take the following action in light of this ruling:

Agreeing EU Standard Contractual Clauses (SCC) with third-country providers is an alternative legal basis for transferring data. This may only provide limited relief as the ‘Schrems II’ judgement stated that SCCs are only valid legal grounds for transferring data to third countries if the same level of data protection can be maintained. We also recommend that you invite your service providers in non-EU countries to fill in questionnaires (link at the end) so that you – the data controller – can meet this obligation.

1.Identify all of your service providers who are located in the US and check whether they relied solely on their Privacy Shield certificate to guarantee the adequate level of data protection for data transfers to the US, or whether EU SCCs had been agreed in contracts. Check whether the Privacy Shield is mentioned in your privacy notices and record of processing activities; update these as necessary.

 

2. Check whether certain data can be omitted from the transfer or whether a method such as encryption can be used to prevent the provider from accessing the data.

 

3. If your data transfers rely solely on the Privacy Shield framework, determine whether you can cease working with the service provider in question and terminate your contractual relationship. The CJEU judgement gives companies the option of terminating contracts without notice if necessary in these circumstances.

 

4. If you are unable or unwilling to cease working with the service provider, get in touch with your point of contact at the company. Refer them to the CJEU judgement that rendered the Privacy Shield framework invalid and ask whether you can conclude EU SCCs with them as soon as possible. To this end, use a questionnaire (link below) to evaluate the level of data protection in the third country.

 

5. If your service provider is not prepared to agree to EU SCCs, or if such an arrangement is impossible due to the inadequate level of data protection in that third country, you should cease using the provider wherever possible. Your only remaining option is to fall back on the exceptions for specific situations set out in Article 49 GDPR:
 

  • The data subject has consented

  • The transfer is necessary for the performance of the contract

  • The transfer is necessary for important reasons of public interest

  • The transfer is necessary for the establishment, exercise or defence of legal claims

  • The transfer is necessary to protect the vital interests of the data subject

  • The transfer is made from a register which is intended to provide information to the public or any person with a legitimate interest

 

You are also welcome to contact us if you need help determining whether one of the exceptions apply in your particular case.

The actions that we recommend here should be taken immediately in the current circumstances. Since the CJEU judgement was made recently, we need to wait for further regulatory developments in the coming weeks. Both individual IT service providers and the EU Commission are working to find a solution. We will, of course, keep you up to date, and you can contact us any time with your queries.
For more information, please visit: https://noyb.eu/de and https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf


 
Questionnaires:
•    Questionnaire template for US data importers if you are continuing to rely on Standard Contractual Clauses
•    Questionnaire template for service providers with US ties that process data in the EU/EEC
 

 

More news