The long-awaited decision in the case of Schrems II is in — and it’s not what was expected. On July 16th, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Framework. This framework, which has been in effect since 2016, provided a legal basis for transferring personal data from the EU to the US for processing. Thousands of US companies rely on the privacy shield certification to demonstrate compliance with EU data protection requirements.
The court’s decision caught US companies by surprise since the case was brought as a challenge to the use of Standard Contractual Clauses (SCCs), not as a challenge to the adequacy of the privacy shield framework. Specifically, the case challenged Facebook Ireland’s use of SCCs for transferring personal data from the EU to Facebook, Inc. in the US. The expectation was that the court would rule on the validity of SCCs, which it did, upholding the use of SCCs. But the privacy shield ruling was a surprise.
The court completely struck down the EU-US Privacy Shield program, just at it had struck down the program’s predecessor, the US-EU Safe Harbor Program, back in 2015 in Schrems I.
US companies that have relied on the privacy shield program for years must now shift to alternative mechanisms, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), to legally continue to import personal data from the EU.
Standard Contractual Clauses
SCCs have been widely used by US companies since the demise of the old US-EU Safe Harbor program. They require a company to contractually promise to comply with EU law and to submit to the supervision of an EU privacy supervisory agency. While the CJEU’s judgement confirmed the validity of using the SCCs, it added two requirements:
- The contractual parties must verify on a case-by-case basis whether the law of the data importer (e.g., US law) ensures adequate protection for personal data as required by EU law.
- The EU data protection authorities (DPAs) must suspend or prohibit transfer of personal data to the data importer’s country if the DPA concludes that the SCCs are not being complied with or cannot be complied with in that country.
Binding Corporate Rules
BCRs are data protection policies that enable multinational companies to legally transfer personal data of EU citizens between different divisions in different countries. The BCRs must first be certified by an EU supervisory authority, such as the Irish Data Protection Authority, and must receive an opinion by the European Data Protection Board (EDPB) before they can be used as a legal basis for data transfer. The process for drafting and obtaining approval of BCRs is provided in Article 47 of the General Data Protection Regulation (GDPR).
Other alternative mechanisms exist for legally protecting data transfers. For example, derogations in the General Data Protection Regulation (GDPR) permit some companies to transfer data required to fulfill a contract.
Hopefully the European Data Protection Board (EDPB) and Data Protection Authorities (DPAs) will issue guidance to help the thousands of US companies participating in the Privacy Shield program and provide a grace period for enforcement. But the time is now for affected companies to start migrating to a new mechanism for legally transferring data from the EU. For US companies that are using SCCs, contracts with EU companies will likely need to be reviewed considering the CJEU’s comments on the SCCs.
To learn how you can leverage your investment in ServiceNow to help manage your contracts and vendor relationships, please reach out to our GRC team at firstname.lastname@example.org. You can also checkout some of our other privacy and compliance blogs below:
- How to Make Sure Your Website is CCPA Compliant
- Individual Privacy Rights: Why They Matter
- Preparing for Consumer Privacy Laws from California to Maine
- CCPA Enforcement Starts July 1, 2020 Are You Ready? Are You Aware of Recent Changes?
- California Consumer Privacy Act (CCPA): How to Leverage Your Investment in ServiceNow to Comply with the CCPA
Read the CJEU’s full judgment in the Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems case.
Disclaimer: The author is a technologist, not a lawyer, so the content of this article represents the authors research and understanding of the consequences of the CJEU’s decision in the Schrems II case. Be sure to check with your legal team for legal advice relating to how this decision impacts your organization.
About the Author
Mike DeAndrea, GRC Practitioner and Advisory Solution Architect, Covestic
With more than 20 years of applied expertise in Governance, Risk, and Compliance, Mike helps Covestic customers understand how they can leverage the power of ServiceNow to meet their regulatory compliance needs in the shortest time. Mike has extensive experience both as a practitioner and a consultant. As a practitioner, he managed the compliance efforts of a large enterprise-wide IT operations department of a multi-billion-dollar, multi-national company for several years. As a consultant, Mike has been helping high-profile customers deploy GRC solutions in ServiceNow for over five years. He maintains a number of ServiceNow and industry certifications, and specializes in designing compliance solutions that are not only effective but also highly efficient, that minimize the time to value, and that drive down the cost, burden, and impact of compliance on your organization. Connect with Mike on LinkedIn.
 Max Schrems is an Austrian privacy advocate.