It has been over a year since the Court of Justice of the European Union (CJEU) issued its decision in the closely watched Data Protection Commission v. Facebook Ireland, Schrems case. This long-awaited watershed ruling—commonly referred to as Schrems II—has made a significant impact when it comes to the future of international data flows. The Schrems II ruling also impacts the use of data transfer mechanisms between the United States and the European Union.
What Is Schrems II?
Per the Schrems II decision, the CJEU has ruled that international data flows under the General Data Protection Regulation (GDPR)—the European Union's comprehensive data protection regime—can continue based on the EU Standard Contractual Clauses (SCCs), if they are properly monitored. In general, the view is that the SCCs provide appropriate safeguards for international transfers of personal data.
However, as part of the ruling, the CJEU declared the EU-U.S. Privacy Shield Framework to be invalid. Per the CJEU's opinion, the Privacy Shield Framework failed to provide acceptable limits to make sure that EU personal data could not be accessed and used by U.S. authorities based on U.S. domestic law. In particular, the CJEU noted that the ombudsperson mechanism failed to provide guarantees substantially equivalent to those required by EU law. Further, the independence of the ombudsperson was questionable, and the CJEU noted a lack of authority to make binding decisions on U.S. intelligence services. In its decision, the CJEU wrote that "the ombudsperson mechanism to which the Privacy Shield Decision refers does not provide any cause of action before a body which offers the persons whose data is transferred to the United States guarantees essentially equivalent to those required by Article 47 of the Charter."
Following Schrems II, the European Data Protection Board (EDPB) adopted new recommendations for measures to supplement transfer tools that ensure personal data outside the European Economic Area are protected. The EDPB guidelines after Schrems II also included recommendations for European Essential Guarantees for surveillance measures.
Understanding the Ramifications
The impact of the invalidation of the EU–U.S. Privacy Shield Framework is seismic. Consider that at the time of the Schrems II decision, there were over 5,000 U.S. companies that relied on the Framework to conduct trade in compliance with the EU's data protection rules. As those companies can no longer rely upon the Privacy Shield, they must transition to a new way to operate to remain compliant with these latest rule changes.
For instance, as it relates to standard contractual clauses, the CJEU said that EU-established data controllers need to consider both the international data transfer agreements based on the SCCs agreed between them—as well as the data importer established in the third country. Before any transfer takes place, the relevant aspects of the data importer's legal system, chiefly the access of public authorities to the data transferred, must also be considered. Ultimately, if the necessary level of protection cannot be guaranteed, then data controllers will need to terminate the data transfers.
For companies that relied on Privacy Shield, it is critical to pay attention to the legal developments that have arisen in the United States and the EU from the Schrems II decision. For example, this past March, both U.S. Secretary of Commerce Gina Raimondo and EU Commissioner for Justice Didier Reynders said that the U.S. and EU would ramp up negotiations for a compliant EU-U.S. Privacy Shield Framework. While the Privacy Shield is currently no longer valid, companies should recall that existing commitments to the Privacy Shield remain enforceable by the U.S. Federal Trade Commission. This means that it is important for companies to be aware of and in compliance with these clauses while also adopting standards that meet the requirements of GDPR. Moreover, it is important that this information be analyzed in a timely and cost-effective manner, as the trans-Atlantic relationship between the U.S. and the EU is worth over $7 trillion.
At eBrevia, we have been keeping up with the impact of the Schrems II decision and understand the importance of being compliant as the world navigates this new legal landscape. We empower users to quickly and efficiently compare SCC clauses across their documents using our provision compare feature to ensure that compliance standards, as required by GDPR, are being upheld across their contracts. eBrevia can also extract relevant data privacy language using AI-powered contract analysis to assist companies that need both to determine what additional provisions they must add to existing agreements and to identify the existing commitments that they are required to comply with under the Privacy Shield Framework.
We know that in a post-Schrems II world there have been—and continue to be—many changes. That is why we are committed to continuing to help businesses extract their data privacy language. By doing this, we can leverage our experience and resources to provide businesses with the critical insight that is necessary to remain compliant with ever-evolving data regulations. The Schrems II decision has had a ripple effect throughout the world—and right now it is important for businesses to remain diligent regarding these new legal developments.
In summation, the Schrems II decision is expected to loom large over international commerce. Here are some of the key points of which your business should be aware:
- The EU-U.S. Privacy Shield Framework as it existed prior to 2020 is no longer valid.
- However, the FTC can still enforce existing commitments to the Privacy Shield.
- Companies must continue to be aware of and in compliance with these clauses and adopt standards that meet the requirements of GDPR.
- eBrevia can help your company compare SCC clauses throughout its documentation quickly and efficiently.