The Court of Justice of the European Union (‘CJEU’) published, on 16 July 2020, its highly anticipated Judgment in the case known as ‘Schrems II’. This is the latest chapter in the Schrems case that also took down the former EU-US Safe Harbour scheme in 2015.
The main takeaways from the decision are as follows:
- The “Privacy Shield” data sharing mechanism between the EU and the US is invalid.
- Standard Contractual Clauses and Binding Corporate Rules remain valid, but do not automatically ensure adequacy. A case-by-case assessment is required prior to the international data transfer.
- If there is no adequacy, the data exporter must suspend the transfer.
- Any EU Data Protection Supervisory Authority can require data exporters to stop transferring data to third countries if it considers that there are insufficient safeguards to protect the data.
Following this decision, the European Data Protection Board issued additional guidance on supplementary measures for international data transfers, as well as on the essential safeguards to be taken into account when analysing third country surveillance rules:
- This guidance contains the steps to be followed for each international data transfer following the Schrems II Judgment, from identifying international data flows to applying safeguards and supplementary measures to remediate them.
- The four essential guarantees should be used to analyse local surveillance laws: clear rules, necessity and proportionality, independent oversight and effective remedies available to the individuals.
- The supplementary measures are presented as a non-exhaustive list of technical, organisational and contractual measures to be used together with the existing data transfer tools, such as Standard Contractual Clauses or Binding Corporate Rules.
The most critical data flows for organisations usually have an international component. As a result of this Judgment and the new guidance, organisations need an approach to understand their risk exposure, as well as a legal framework and controls to ensure protection of personal data. Organisations now have to follow these steps to identify, assess and address the risks of their cross-border data transfers:
- Identify international data flows.
- Assess the risks and consider whether the transfer should proceed.
- Apply an appropriate data transfer mechanism (e.g. SCCs).
- Implement additional safeguards to protect the data.
- Re-evaluate on a regular basis the level of protection of the data transferred.