Schrems II

What is Schrems II?

Schrems II is a ruling by the European Court of Justice (ECJ) on July 16, 2020, regarding the transfer of personal data from the European Union (EU) to the United States. In its decision, the ECJ specified the requirements for companies and organizations to evaluate whether they may transfer personal data to third countries, in particular to the U.S., and whether they must take additional safeguards to ensure the data subjects' data protection rights.

At the same time, the ECJ's Schrems II ruling reinforces the importance of standard contractual clauses under Art. 46(2)c GDPR. According to the Schrems II ruling, the use of EU standard data protection clauses is a fundamental instrument to ensure compliance with European data protection requirements when personal data is transferred to a third country.

Who is Maximilian Schrems?

Maximilian Schrems came to prominence a year after graduating from the University of Vienna Law School when he complained about Facebook's handling of personal data. Schrems is a privacy activist and the founder and executive director of NOYB - European Center for Digital Rights. The NGO campaigns for the enforcement of data protection within the European Union. Their criticism eventually led to a preliminary ruling by the Irish High Court and the first "Schrems" ruling by the European Court of Justice, which invalidated the Safe Harbor agreement on October 6, 2015.

The European Commission had already put the Safe Harbor Agreement into force at the end of July 2000 in consultation with the U.S. Department of Commerce. By 2015, some 5,500 U.S. companies had joined this agreement to document their compliance with the data protection provisions of the Data Protection Directive 95/46/EC, the predecessor to the GDPR. Companies in the U.S. participating in the Safe Harbor agreement were deemed to have an adequate level of data protection by the European Commission's Safe Harbor decision, and the transfer of personal data from Europe to the U.S. thus became legally possible.

After the failure of Safe Harbor, informal agreements between the EU and the United States led to a new agreement, the EU-US Privacy Shield, in July 2016. But it was criticized from the beginning. Schrems was one of the most prominent critics, emphasizing that the EU-US Privacy Shield did not represent a significant improvement over the Safe Harbor agreement at its core. Eventually, the European Parliament also found significant flaws in the agreement. This led to the "Schrems II ruling" on July 16, 2020, in which the ECJ declared it invalid, as Safe Harbor had been before.

What are the implications of Schrems II?

The ruling is based on the General Data Protection Regulation (GDPR) principle that personal data may only be transferred to countries that provide an adequate level of data protection. The Schrems II ruling of the European Court of Justice therefore has significant implications for international data flows between the European Union and third countries, in particular the USA.

EU data protection authorities have clarified that transfers of personal data to countries outside the EU must now be subject to careful scrutiny to ensure that adequate data protection is provided. In particular, companies must ensure that recipients of data in third countries provide adequate safeguards for the protection of personal data, such as binding internal data protection rules (Binding Corporate Rules) or standard contractual clauses.

In this context, it is not the general level of data protection in the recipient country that must be assessed, but the specific level of protection for the data transferred.

To be evaluated are therefore:

• The specific transmission path of the data: Risks to the level of protection can arise from government surveillance, for example. In the case of data transmission to the USA via overseas cable, monitoring by US intelligence services could take place.
• The risks posed by the storage of the data at a specific recipient: differences may arise, for example, as a result of industry-specific legislation that forces certain recipients to cooperate with intelligence services, although other data importers need not be affected by this legislation.
• The use of alternatives (such as EU-based service providers) that do not require international data transfer.

If this assessment shows that the level of protection is not comparable to the European level, additional measures must be taken to guarantee the protection of the data prior to the data transfer. In the event that adequate safeguards are not in place, companies must suspend or restrict the transfer of personal data to third countries.

What do companies need to do?

As a result of the "Schrems II Ruling," companies and public bodies must take stock of whether and when personal data is transferred to a third country. If service providers or contractors are employed in a third country, they must be informed about the ECJ ruling.

Companies should check whether or not an adequacy decision pursuant to Art. 45 GDPR exists for the respective third country. Existing standard contractual clauses must be checked to determine whether or not they are adequate for the respective third country. Since the required level of protection based on standard contractual clauses is now only rarely sufficient, data controllers must provide further safeguards, for example through encryption, anonymization or pseudonymization. If, despite these measures, data transfer is still not permitted, the last resort is data transfer under Art. 49 GDPR.

Glasskube supports you in complying with the GDPR in accordance with the Schrems II ruling. Contact us!