Unpacking Schrems II: Analysis, Updates & Next Steps
Explore the implications of the Schrems II decision on transatlantic data transfers. Understand the impact on GDPR, Privacy Shield, and Standard Contractual Clauses. Learn about best practices moving forward in light of regulatory updates from European and US authorities.
Presentation Transcript
Unpacking Schrems II: Analysis, Updates & Next Steps
Sara DePaul, Associate General Counsel & Senior Director, Technology Policy
sdepaul@siia.net

Roadmap for today
- Transatlantic data transfers and how we got to Schrems II
- Analysis of the Schrems II decision
- Updates from European and US regulators
- Best practices for moving forward
But first, why do you need to know this?
Personal data subject to GDPR + transferring that data outside the EU = you need to know Schrems II.
(Example use case on the slide: web scraping.)

GDPR and Data Transfers to Third Countries
Chapter 5 governs transfers. Art. 44 states that the Chapter is to be applied "in order to ensure that the level of protection of natural persons guaranteed by [the GDPR] is not undermined."
- Article 45, Transfers Based on Adequacy Decisions: Privacy Shield (now invalidated)
- Article 46, Transfers Subject to Appropriate Safeguards: Standard Contractual Clauses (valid, but subject to the Schrems II holding)
- Article 49, Derogations for Specific Situations: generally not available for transfers of large sets of data
How did we get here?
- October 1995: EU Data Protection Directive
- July 2000: EU-US Safe Harbor Framework
- June 2013: Edward Snowden disclosures, followed by the Schrems I complaint
- June 2014: Schrems I referred to the CJEU
- October 2015: CJEU invalidates Safe Harbor with the Schrems I decision; Max Schrems files an amended complaint
- April 2016: GDPR is adopted
- July 2016: Privacy Shield is adopted
- October 2017: Schrems II referred to the CJEU
- July 2020: CJEU releases the Schrems II decision
What did the CJEU decide in Schrems II?

Privacy Shield is INVALID
- The Privacy Shield was an adequacy decision by the European Commission under GDPR Art. 45.
- Any company relying on it as a transfer mechanism must find a new transfer mechanism immediately.

Standard Contractual Clauses are valid, BUT...
- The CJEU found that while SCCs are valid in general, they do not by themselves guarantee the essentially equivalent level of protection the GDPR requires.
- Instead, whether the SCCs deliver that protection must be determined on a case-by-case basis, prior to transfer, taking into account the law of the destination country.
What are the US and EU Officials Saying About Privacy Shield?

U.S. Department of Commerce
- Committed to working with the EU
- Will continue to administer the Privacy Shield program, including submissions for certification and re-certification
- Participants are not relieved of their obligations to comply with the Privacy Shield
- Participants may withdraw but must meet ongoing obligations with respect to data collected under Privacy Shield

U.S. Federal Trade Commission
- Continues to expect companies to comply with their ongoing Privacy Shield obligations
- Companies should continue to follow robust privacy principles and review their privacy policies to ensure their practices are described accurately

European Data Protection Board
- No grace period for the Privacy Shield
What about SCCs?
- Irish DPC: questioned the validity of SCCs for transatlantic transfers in light of the CJEU ruling
- Berlin DPA: called for data controllers storing data in the US to transfer the data back to the EU, saying data cannot be transferred to the US until the legal framework at issue is changed
- French DPA: carrying out an analysis to determine the consequences for transfers from the EU to the US
But the most important statements came from the EDPB FAQs
If you are using SCCs with a data importer in the U.S., the EDPB notes:
- that the CJEU found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection;
- that whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and the supplementary measures you can put in place;
- that "[t]he supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee";
- that if you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data.

What did the EDPB say about other transfer mechanisms?
- For BCRs, the CJEU's assessment that the Privacy Shield is invalid due to the insufficiency of U.S. law to provide adequate protection applies in the context of BCRs as well, because U.S. law will also have primacy over this tool. Thus, as with SCCs, whether you can transfer data using BCRs will depend on the result of your assessment, taking into account the circumstances of the transfers, and the supplementary measures you can put in place. These supplementary measures, along with BCRs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
- The EDPB is assessing the impact on other Article 46 transfer mechanisms.
- The EDPB notes that it is still possible to transfer data from the EEA to the U.S. on the basis of the derogations foreseen in Article 49 GDPR, provided the conditions set forth in that Article apply.
What is missing from all of this?
Any guidance on what constitutes a supplementary measure that can actually safeguard the data.

Begin by assessing your transfers
- If you are using Privacy Shield, you must stop and find a new transfer mechanism. (But remember to be mindful of the statements from U.S. regulators that you have ongoing obligations with respect to data received under the Privacy Shield Framework.)
- If you are using or switching to SCCs, be mindful that this is going to be a changing landscape. Some early actions you can take:
  - Assess and memorialize the risk that data you receive via this mechanism would be subject to the U.S. government surveillance access at issue in Schrems II (Sec. 702 FISA and EO 12333). For many companies the risk will be minimal to nonexistent.
  - Consider whether there are supplementary measures you can take while waiting for clear guidance, such as encryption (both at rest and in transit) or data minimization.
- If you are using or switching to BCRs, you may want to take the same steps as for SCCs in light of the EDPB FAQ.
- If you are switching to derogations, be mindful of prior EDPB guidance on these mechanisms. Consent, for instance, means consent under the GDPR (explicit, informed, and voluntary).
Remember, this is about evaluating risk
- Without clear guidance on supplementary measures for SCCs and BCRs (or even on a potentially wider impact on other transfer mechanisms), the only risk-free solution is to store your data in the EU.
- But this is not a workable solution for the vast majority of businesses.
- As a result, and until more guidance is forthcoming, your best course of action is to evaluate risk and make business decisions that mitigate the risk to the extent you can.

Thank you!