The invalidation of the criticised Privacy Shield was required.
The Schrems II judgment was widely anticipated, and many considered it long overdue. Strengthening the standard of data protection and data transfers, the proactive role of the supervisory authorities, and the affirmation of data subject and data protection rights are at the core of the GDPR. The judgment was nevertheless practical in its approach: by upholding the use of SCCs, it preserved the continuation of international data transfers rather than breaking radically with it.
Since the verdict in the summer of 2020, the Schrems II judgment has had significant implications that go well beyond the regulation of data transfers to the US:
- Data controllers must conduct a detailed examination of the circumstances surrounding each transfer,
- Examine the level of protection in the country to which the data will be transferred and verify that the country of import offers an adequate level of protection (Art. 45),
- Conduct a review of the parties processing the data, and
- Make use of the SCCs in effect as “mini adequacy decisions”.
Following the verdict, the obligation the Court has placed on data controllers to investigate the level of protection will be difficult to meet for transfers to many countries (China, for example), where legislation governing law enforcement and the security services is either difficult to obtain or, in many cases, non-existent.
The overwhelming need for further guidance. The judgment will also prompt the supervisory authorities (DPAs) to take enforcement action against companies that rely solely on the SCCs. The same standard will probably also apply to the other appropriate safeguards under Art. 46 (such as BCRs).
Data controllers and privacy professionals must also balance the fundamental rights of data subjects against the organisation’s legitimate data processing objectives. In addition, they must establish a defensible business position by adopting new additional safeguards where necessary.
The EDPB has released guidance so that data protection professionals can determine and understand which specific additional safeguards can help bring their organisation in line with the Schrems II requirements. The clearly defined use cases described by the EDPB also show organisations what not to do, helping them avoid penalties for non-compliant data processing.
How to establish supplementary measures to comply after the Privacy Shield. The judgment will also make it more difficult to reach agreement on a possible adequacy decision for the UK post-Brexit.
At the Data Protection Day on 28 January 2021, we reviewed the Schrems II verdict with the following keynote speech by Jacob Eborn, Privacy Consulting Manager, CIPP/E, OneTrust.
The Schrems II Decision: What it Means for Privacy Programs. The EU Court of Justice has invalidated the EU-US Privacy Shield, with an immediate impact on data flows and business operations. Let’s get clarity around Standard Contractual Clauses (SCCs) and:
- Understand how the transfer mechanisms play a part in privacy programs.
- Gain insight into what the Schrems II decision means.
- Understand what the future might look like for EU-US personal data transfers.
Contact Julia Holmdahl (jholmdahl@onetrust.com) to get a copy of the Schrems II presentation from The Data Protection Day by Copenhagen Compliance and The EUGDPR Institute.
See also the other article in this newsletter and the guidance from the EDPB on Standard Contractual Clauses.