Following the decision of the Court of Justice of the European Union (EU) in case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (known as “Schrems II”), companies in the United States can no longer rely on the Privacy Shield, the framework developed by the US Department of Commerce, and the European Commission and Swiss Administration to promote transatlantic commerce while protecting personal data.

Schrems II Invalidated the Privacy Shield and Creates Uncertainty

Schrems II concluded that the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the United States.  Further, in a subsequent decision, the Swiss Federal Data Protection and Information Commissioner concluded that the data protection of the Privacy Shield does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to their Federal Act on Data Protection.

Schrems II also created some uncertainty with respect to the use of standard contractual clauses for transfers of personal data from the EU to the US.  Companies transferring personal data from the EU to the United States may choose to rely on these clauses with the caveat that companies are responsible for determining whether the law of the United States ensures adequate protection as afforded in EU law, including by providing, where necessary, additional safeguards.¹ The court in Schrems II made clear that this analysis was to be completed by the data exporter and data importer to ensure an essentially equivalent level of protection as provided by EU law.

EU Guidance on Processing Data

Following Schrems II, many organizations and data practitioners did not know how to proceed with transfers of data from the EU to the US in a manner that would comply with EU requirements. Fortunately, there has finally been some direction on these issues from a number of EU organizations.  All of this provides valuable insight for organizations ready to proceed with transferring data to the US.

European Data Protection Supervisor

The European Data Protection Supervisor was the first agency to issue guidance on the issue entitled “Strategy for Union institutions, offices, bodies and agencies to comply with the ‘Schrems II’ ruling”.²  While this guidance is specifically directed at compliance by European Union institutions, bodies, offices, and agencies (“EUIs”), it is helpful to understand its action plan for compliance, including best practices for the mapping of any data that may be transferred from the US.

For any on-going processing operations and transfers, EUIs are to complete data mapping exercises to identify data transfers to third countries.  This exercise is to review each of the following:

• Data processing operations
• Data transfer destination
• Recipients of data
• Transfer tools used
• Types of personal data transferred
• Categories of Data subjects affected
• Information on onward transfer

Data processors in the U.S. are considered a “high-risk transfer,” especially for large scale processing operations or processing of personal or sensitive data.³  In addition, new processing operations involving transfers of personal data to the US are strongly discouraged.  This high level of risk should be a consideration in implementing supplementary measures for transfers into the US, as detailed further below.

European Data Protection Board

The European Data Protection Board issued recommendations as to supplementary measures for controllers and data processors, acting as exporters.⁴ A six-step process is set forth in detail that includes the following:

1. Know your transfers by data mapping.
2. Verify the transfer tool your transfer relies on amongst those identified under Chapter V of the EU General Data Protection Regulation (“GDPR”).
3. Assess whether there is any law or practice of the third country that may impinge on the effectiveness of the safeguards of the transfer tool being relied upon.
4. Identify and adopt supplementary measures to bring the level of protection of the data transferred to the EU standard.
5. Take any formal procedural steps the adoption of the supplementary measure may require under the GDPR.
6. Re-evaluate at appropriate intervals the level of protection afforded to the data being transferred.

This advice includes data mapping as recommended by the European Data Protection Supervisor for EUIs.  More importantly, it provides examples of supplementary measures that can be put in place.

European Commission

The European Commission has prepared a draft set of revised standard contractual clauses (“SCCs”) for transfers of personal data to non-EU countries.⁵  These new SCCs are anticipated to be adopted in the first quarter of 2021.  Some of the provisions included in the SCCs reflect the supplementary measures identified in the European Data Protection Board recommendations.

Organizations will have a one-year period of time to implement the SCCs.  In addition, standard contractual clauses in existing contracts may be relied upon during this time period so long as supplementary measures are implemented in addition to these contract requirements.

What Do Businesses Need to Do Now?

Businesses that process personal data or rely on data processors for data transfers from the EU should review in detail each of the items identified in the mapping exercise recommended by the European Data Protection Supervisor for EUIs.  Upon completion of such a review, these items should be reviewed in detail with the European Data Protection Board recommendations for supplementary measures. Then, any standard contractual clauses that may be included in your contract documents should be compared to the newly-revised SCCs, and you should be prepared to transition to these new SCCs following their adoption.  It is important to remember that SCCs by themselves are not enough.  Contracts will need to be updated to incorporate the SCCs and supplementary procedures must be implemented for any business to be in compliance with the EU requirements.

Why Does This Matter For Businesses

• Any transfer of personal information from the EU to the US will be subject to strict scrutiny.
• Schrems II makes clear that standard contractual clauses are no longer sufficient for compliance.  Further, it is clear by the proposed European Commission decision that additional safeguards are required to protect personal data.
• Data privacy attorneys can consult on GDPR requirements following the completion of any mapping exercise.
• Keep in mind that if your organization is listed on the Privacy Shield List under the Privacy Shield program administered by the U.S. Department of Commerce’s International Trade Administration, you are still subject to all requirements of the program regardless of the Schrems II decision.

Contact us for additional guidance on your organization’s needs.

¹ See Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II, White Paper, September 2020.
² See Strategy for Union institutions, offices, bodies and agencies to comply with the ‘Schrems II’ ruling, 29 October 2020.
³ See Strategy for Union institutions, offices, bodies and agencies to comply with the ‘Schrems II’ ruling, 29 October 2020, Section 4.1.
⁴ See Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data adopted on 10 November 2020.
⁵ See https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.