Everything you need to know about the Scherms II ruling and subsequent invalidation of the EU-US Privacy Shield for EU, US, and UK-based companies.
For more information on what the Scherms ll decision means for your business, whether you or your hosting provider are European or US-based, refer to What Does the Schrems ll Ruling Mean for Your Business?
The EU-US Privacy Shield
The EU-US Privacy Shield was a certificate that enabled participating US companies (deemed as having adequate privacy protection) to receive personal data easily and lawfully from EU-based citizens. This Privacy Shield (that in fact does still exist, but is no longer accepted by the European Commission) was the data transfer mechanism for US-based organizations to receive personal data from EU businesses for commercial purposes and transatlantic commerce with the same high-level personal data protection as General Data Protection Regulation (GDPR).
The Schrems II Decision
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Certification with immediate effect as it did not meet GDPR requirements. It could no longer be guaranteed that personal data would not be used for purposes other than those for which they were provided due to US intelligence and surveillance practices. The invalidation of the Privacy Shield is known as the Scherms II decision.
Standard Contractual Clauses: Still Valid With Recommendations
After the ruling, US and EU organizations looked to the European Data Protection Board to provide a new solution. Standard Contractual Clauses (SCCs), or terms and conditions that protect personal data transfers between EU and non-EU countries, were already in place before the fall of the Privacy Shield and are deemed still valid. With SCCs, the EU-based organizations themselves make sure that their data transfer to US organizations would meet a data protection level equivalent to GDPR.
On November 10, 2020, the European Data Protection Board (EDPB) issued its recommendations (or, more specifically, the “Supplement Transfer Tools” and “Essential Guarantees for Surveillance Measures”) and consultations for safe personal data transfer through the preexisting SCCs.
The EDPB provides a set of EU-approved safeguards that data exporters in the EU, and data importers in the US can implement for international data transfers. These recommendations provide a step-by-step guide to assess and protect global data flows supplementary to the SCC.
The EDPB Recommendations Explained
EU-based organizations (as exporters and controllers) are encouraged to work together with US-based organizations (as importers or processors) by the EDPB with the following recommendations:
- Map your data transfers: map all instances where personal data is being transferred to a third country. As a data exporter, know who you are transferring to.
- Identify your transfer mechanism: verify the transfer tool your transfer relies on (such as the recipient country has an adequacy decision, SCCs, binding corporate rules, etc.).
- Assess the recipient country’s legal systems: assess whether the law or practice of the third country (in this instance, US law) prevents the personal data transferred from being afforded an essentially equivalent level of protection.
- Regularly reevaluate and monitor whether there has been or will be any developments that may negatively affect personal data security.
- Adopt Supplementary Measures: If the third country’s law or practices do not provide essentially equivalent protection (like in the US for the Schrems II ruling), identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard safeguards.
Supplementary Safeguard Examples
As a data exporter and controller, you can enhance your data processing agreement with the US-based data importer by ensuring that appropriate measures are added to the SCCs. Examples include:
- Encryption with encryption keys
- Pseudonymization (“Technical Safeguards”)
- Transparency obligations to disclose law enforcement requests
- Measures to prevent access to personal data
- Enhanced audits for the data exporter (“Contractual Safeguards”)
- Implementation of internal policies for data transfers
- Access responsibilities
- Operating procedures for responding to government access requests
- Documentation of access requests and ensuring data minimization (“Organizational Safeguards“)
What About the UK and Brexit?
The Schrems II ruling and EDPB Recommendations may also apply to the UK as supplementary requirements in addition to the SCCs if, after the transition period of Brexit, there is no Adequacy Decision granted to the UK.
If the EC grants no such Adequacy Decision, the EU SCCs will be required for data export from the EEA to the UK as a third country. Then – just like for the US – it may also be assessed that there is no essential equivalent level of personal data protection in the UK. In this scenario, the story of the US may repeat in the UK.
On December 24, 2020, the European Commission reached an agreement with the UK on the terms of their future relationship: the EU-UK Trade and Cooperation Agreement (the “Trade Agreement”).be an extra interim period of four months granted, with a possible two-month extension, permitting personal data to flow freely from the EU to the UK, until (and if) an adequacy decision has been completed by the European Commission. This means no SCCs or additional safeguards are required during the 6 months interim period, which starts after the expiration of the transition period from 1 January 2021.
While Leaseweb UK is ready to grant customers the SCCs with additional safeguards if required in case no such EC Adequacy Decision is adopted, we will follow the ICO’s (UK’s Information Commissioner’s Office) recommendations for implementing such a transfer mechanism before the end of the interim period to avoid any interruption of the free flow of personal data from EU to UK.
The European Data Protection Board (EDPB) is currently working with the US to complete an effective framework guaranteeing that the level of protection granted to personal data in the US provides the equivalent level of protection that is fully compliant with the GDPR.
In the meantime, it is essential to know your options and obligations as an organization affected by the Schrems ll decision. Leaseweb, a cloud hosting provider with various independent sales companies worldwide, can offer you a wide range of solutions following the invalidation of the EU-US Privacy Shield. These solutions differ depending on if you are a European or US-based business – see What Does the Schrems ll Ruling Mean for Your Business? for more information.
In case you have questions or remarks, please let us know at firstname.lastname@example.org to contact us (Jacqueline van de Werken (General Counsel Leaseweb Global B.V.) and Guisanne Yarzagaray (Legal Counsel, Leaseweb Global B.V.)). Thanks for reading!