The CJEU (Court of Justice of the European Union) Schrems II judgement of July 16th made a huge impact in the data protection world. Although not entirely unexpected, the consequences are serious. Now the dust has settled, let’s take a look at what Schrems II means in practice.
International Data Transfers
The judgement is about international transfers of personal data. An international data transfer is a very broad concept as it includes any type of data that leaves the territorial borders of the EU, eg. the usage of a cloud application, backups saved in the US by a subcontractor, remote support, etc.
Privacy Shield, an adequacy mechanism between the US and the EU for international transfer is personal data, is no longer valid. This means that any international transfer of personal data from the EU to the US based on this framework is illegal as from the 16th of July. For those that have been around the data protection block: a Safe harbor déja-vu. The Court made it clear that the current surveillance legislation in the US (US Cloud Act, FISA, PPD 128, E.O. 12333, etc) does not provide adequate safeguards to warrant an adequacy decision such as Privacy Shield.
Standard Contractual Clauses (SCC)
This part of the judgement has the most complex implications. The Court explained that it does not invalidate the mechanism in itself and as such SCCs can still be an instrument to transfer data to third countries. However, the same issues that invalidate Privacy Shield apply to SCC with US companies (i.e. legislation that infringes data subject rights) which in practice means that for pretty much all US organizations SCCs do not provide a mechanism for international data transfers between the EU and the US either.
So what now?
SCCs will be the mechanism to use, but they will need to be revised case by case. In the short term controllers need to evaluate whether or not their data transfer may be subject to the issues described in Schrems-II and will need to adjust their contracts accordingly to include additional measures to ensure adequate protection.