Our Insights

Thought Leadership and Industry Trends

Home 9 Insights 9 The Far-Reaching Schrems II Judgment Changes the Rules on Global Data Privacy

The Far-Reaching Schrems II Judgment Changes the Rules on Global Data Privacy

Aug 5, 2020

What You Need to Know
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its long-awaited judgment in the Schrems II case (case C-311/18). The Schrems II judgment impacts transatlantic personal data transfers under the EU’s General Data Protection Regulation (GDPR) in two key ways:

  1. The judgement invalidates the EU-US Privacy Shield  ̶  a framework that over 5,300 European and American companies have relied upon to transfer EU personal data stateside since 2016. 
  2. The judgement affirms, albeit with compliance caveats, the use of Standard Contractual Clauses (SCCs) as a valid international data transfer mechanism under the GDPR. 

The Upshot
While the decision upholds the validity of SCCs, it requires companies seeking to export personal data from the EU to conduct case-by-case analyses to determine whether foreign protections are sufficient to satisfy EU standards. When they do not, companies must provide additional safeguards or refrain from transferring the personal data. 

The Background

The Schrems II controversy began when data privacy champion, Max Schrems, asked Facebook Ireland to disclose the grounds on which it had relied to transfer Facebook users’ EU personal data from the EU to the U.S. Facebook Ireland responded that it was reliant on a data transfer agreement with its U.S.-based parent company, Facebook, Inc. This data transfer agreement incorporated SCCs, along with other terms and conditions governing the processing of Facebook users’ personal data.

Mr. Schrems, dissatisfied with Facebook Ireland’s response, lodged a complaint with Ireland’s Data Protection Commission (DPC). He alleged that SCCs do not protect EU personal data to the same extent as EU data protection law. This allegation stemmed from a fear that since SCCs do not bind public authorities in the country of transfer, and U.S. law does not openly restrict government interference with individual privacy rights, personal data transferred to the U.S. would be subject to unfettered access and use by the U.S. government. 

After reviewing Mr. Schrem’s complaint, the DPC brought proceedings before the Irish Hight Court. The Irish High Court sought a preliminary ruling from the CJEU on several questions the DPC presented. The questions related to the validity of data transfers under both SCCs and the Privacy Shield. 

CJEU’s Judgment on Privacy Shield

The CJEU invalidated the E.U.-US Privacy Shield on three grounds. The first ground was that U.S. law does not sufficiently limit U.S. authorities’ access and use of transferred personal data in a way that satisfies the GDPR’s proportionality principle. The second ground was that U.S. surveillance activities involving EU personal data are not subject to an access test based on U.S. authorities’ strict need for such data. The third ground was that the Privacy Shield Ombudsperson  ̶  the body the U.S. government established to field complaints from EU individuals about U.S. authorities accessing their personal data in connection with surveillance activities  ̶  did not guarantee complainants the substantive rights required under EU law. 

CJEU’s Judgment on SCCs

The CJEU ruled that while SCCs remain a valid mechanism for data transfers, in principle, it is no longer sufficient to put SCCs in place and assume that, if they are followed, the parties to the SCCs are safe. Rather, the judgment requires any organization seeking to export personal data out of the EU using SCCs to perform due diligence on both the jurisdiction and the entity to which it seeks to transfer the personal data. The purpose of this due diligence is to determine whether the law of the destination country, together with the measures of the importing organization, guarantee an adequate level of personal data protection under EU law. 

If at the conclusion of the exporting organization’s due diligence process there does not appear to be an adequate level of protection for the personal data in question, the CJEU indicated that the exporting organization may supplement the protections afforded under SCCs with additional measures. However, the CJEU did not specify what those measures are. 

Schrems II Enforcement is Still a Work in Progress: Stay Tuned

Though invalidated, the ITA continues to administer the EU-U.S. Privacy Shield Framework. And the International Trade Administration (ITA) is in talks with the European Commission on a new EU-U.S. data transfer framework, though some are doubtful that these talks will yield an acceptable replacement framework.

As far as SCCs are concerned, there remain questions as to the types of acceptable supplemental measures exporting organizations may utilize when their data transfer due diligence results in potential protection inadequacies. Perhaps Data Protection Authorities  ̶  the local data privacy enforcement bodies in each EU member state  ̶  will begin to clarify acceptable forms of supplemental measures for their respective jurisdictions in the weeks to come.  

About the Author

Dino E. Medina, Esq.

Dino E. Medina, Esq.

In his role as General Counsel for CDS, Mr. Medina is responsible for the overall legal affairs of the company, including drafting and negotiating a wide variety of commercial contracts, advising executive management on corporate strategic initiatives and employment matters, managing litigations, and directing CDS’ compliance and risk management posture in all areas of the business.

Women in eDiscovery: San Diego Chapter Technology Bootcamp

CDS is a proud sponsor of Women in eDiscovery's upcoming San Diego Chapter Technology Bootcamp, taking place on Wednesday, April 17, at Sheppard Mullin Richter & Hampton LLP in San Diego, CA.

Find out more

Relativity AI Bootcamp: Atlanta

Relativity is kicking off a third season of AI Bootcamps on April 23-24 in Atlanta, where CDS’ Director of Advanced Analytics & Data Privacy Danny Diette will be a featured panelist.

Find out more

Sign Up for Our Newsletter