Yesterday, the Court of Justice of the European Union issued the long-awaited decision in Schrems II (Case C-311/18) in which it invalidated the EU-US Privacy Shield data transfer mechanism. The Court’s decision was based on ongoing concerns that the American surveillance programs, as initially revealed by Edward Snowden, undermine the guaranteed privacy rights of EU-based individuals under Europe’s General Data Protection Regulation.
Among the takeaways of the decision:
• Privacy Shield invalidated; the immediate effect on Privacy Shield certifications is unknown, although some grace period is expected.
• Immediate disruption in international data transfers where prior basis for such transfers has been invalidated.
• Use of Standard Contractual Clauses remains valid, for now. However, the Court expressly requires importers and exporters relying on SCCs to verify the legal systems and adequate safeguards in place in the receiving organization’s country.
• Expect to see increased use of Binding Corporate Rules (BCRs), though these can only go so far as they are used for intra-organizational or joint company transfers.
• Expect to see increased use of Data Processing Agreements as organizations rely on a contractual basis for consent.
• Organizations must evaluate other bases for transfer, to include consent.
While the use of Standard Contractual Clauses (SCCs) is allowable, for now, their long-term fate has been called into question by the decision. Following the release of the Schrems II decision, the Irish Data Protection Commission issued a statement: “[…] it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” It adds that the issue “will require further and careful examination, not least because assessments will need to be made on a case by case basis.”
Of note, the Schrems II decision does not concern so-called ‘necessary’ data transfers. Rather, this decision involves the bulk outsourcing of data processing from the EU to the US (typically undertaken for cost/ease reasons). Accordingly, the impact of the decision may be that more and more companies switch to regional data processing companies for European users.
One thing is clear: the Schrems II decision will have a significant impact on organizations that rely on the Privacy Shield for international data transfers. These organizations will need to quickly evaluate data transfer activities and determine whether alternative transfer bases exist.
Octillo works with clients to evaluate bases for international data transfers, including the use of DPAs and SCCs and the development of Binding Corporate Rules. Octillo's attorneys include dedicated information privacy professionals (CIPP/US) and (CIPP/EU), as certified by the International Association of Privacy Professionals.
The Schrems II decision is found here:
*Attorney Advertising: Prior results do not guarantee a similar outcome.