The Schrems II ruling (Privacy Shield invalidation)


Disclaimer: all the information in this article and otherwise on this website is for informational purposes only. No information is of a legal nature. Please read our full disclaimer.

On 16 July 2020, the Court of Justice for the European Union issued a ruling (“Schrems II judgment”) regarding the international transfers of personal data from the EU.

The ruling invalidated the Privacy Shield framework and set out stricter criteria for using other safeguards such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).

This article is for you if you’re a:

  • A US provider (processor) processing the personal data of anyone in the EU/EEA, and/or
  • A controller of such personal data using third-country processor(s)

Latest update and short summary of the ruling (April 2022)

💡 For those returning, here are the latest, relevant updates:

  • 🔥 The European Commission and the US announced on 25 March 2022 that they agree in principle on a new Trans-Atlantic Data Privacy Framework, which is intended to address the concerns raised by the CJEU in the Schrems II ruling. Privacy professionals, Max Schrems and NOYB are highly sceptical, and no details of the actual legal documents are known yet (as of April 2022), but this agreement will likely give businesses in both the EEA and the US some room to breathe. See also the EUC Fact sheet, the White House Fact sheet, a LinkedIn post by NoTies Consulting's CEO Rie Aleksandra Walle, where she shares some thoughts with VIXIO Regulatory Intelligence, as well as Max Schrems' open letter of 23 May to key stakeholders.

Key updates from 2020 and 2021:

  • The EDPB published the final Recommendations on supplementary measures on 18 June 2021 (press release). Make sure that you update your prior efforts with any changes. PS: Some people point out that the EDPB now allows for a risk-based approach, but don't celebrate too early - there are strict criteria for relying on this and you need to put down quite a bit of work to get there. Make sure you really understand the recommendations, first.
  • On 4 June 2021, the European Commission announced two sets of new standard contractual clauses: one for use between controllers and processors, and one for transferring personal data to third countries (non-EEA countries). You have ~18 months to transition to the new clauses (end of 2022). A key change is that the requirements for a data processing agreement (see Article 28 GDPR) are now included in the clauses, simplifying your documentation.
  • The EDPB published two key documents: 1) Recommendations on supplementary measures (see final version above) and 2) EU Essential Guarantees for surveillance measures.

See further down for what steps you need to take to ensure you have a handle on the situation. 👇

For the newcomer, here’s a short summary of the ruling:

  • The “Schrems” cases stem from the Austrian lawyer Max Schrems and his initial Facebook complaint to the Irish Data Protection Commissioner in 2013
  • Since then, he founded the organization noyb, working to expose and legally pursue commercial privacy and data protection violations - on behalf of all of us 👏
  • His efforts have so far resulted in the first Schrems case, invalidating the Safe Harbor framework in 2015, and now the Privacy Shield framework in July 2020 (“Schrems II”)
  • These rulings, however, also make it challenging to transfer personal data from the EU/EEA to third countries, including the USA
  • The EU and US quickly started discussing (again) how to proceed
  • If you are a US provider processing the data of people in the EU/EEA (and this is a key market for you), you should treat this situation as critical and urgent
  • If you are a controller in the EU/EEA, you need to do the same, and take necessary actions immediately to protect your business
  • Stay continually up to date going forward – and pay special attention to the advice from the European Data Protection Board and your relevant data protection authority

And here are some of the terms and (credible) sources you should be familiar with, referenced throughout the article:

  • The General Data Protection Regulation, GDPR, the European data protection and privacy law
  • The European Union (EU) and the EEA countries Iceland, Liechtenstein and Norway, collectively the “EEA” henceforth
  • A “third country” is any country outside of the EEA (such as the US)
  • The GDPR Chapter 5 on transfers of personal data to third countries and safeguards for such international transfers, like:
    * Adequacy decisions
    * Standard Contractual Clauses (SCC)
    * Binding Corporate Rules (BCR)
  • Data Processing Agreement/Addendum (DPA), a contract between a controller and a data processor
  • The European Data Protection Board (EDPB), composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS)
  • The Information Commissioner's Office (ICO), the UK’s data protection authority

Generally, make sure you only rely on credible sources whenever you work with the GDPR (or any other law, for that matter).

What is the “Schrems II judgment/ruling”?

The origins of the so-called “Schrems” cases date back to 2013 and the Austrian national and (then) law student Max Schrems. He initially lodged a complaint with the Irish Data Protection Commissioner about Facebook’s transfer of his personal data to the USA.

The first case, simply referred to as “Schrems”, led to the invalidation of the Safe Harbor framework in 2015. This “second round”, where the Privacy Shield framework was invalidated, is referred to as “Schrems II”.

The cases revolve around the transfers of Max Schrems’ personal data from the EEA to third countries that, in Mr. Schrems’ opinion, don’t offer adequate protection of these personal data, as per European data protection and human rights laws.

Also see the sources and further resources at the end of this article.

What are the 50 U.S. Code §1881a (“Section 702”/“FISA 702”) and the Executive Order 12333 (E.O. 12333)?

Since the Schrems cases relate to Facebook’s transfer of Schrems’ personal data from the EEA to the US, US laws are under scrutiny, specifically 50 USC §1881a and the E.O. 12333.

The United States Code (“USC”) is a consolidation and codification by subject matter of the general and permanent laws of the United States.

An executive order is a directive signed by the President of the United States, to manage operations of the federal government. E.O. 12333 was first signed in 1981 by former President Ronald Reagan, for the “effective conduct of United States intelligence activities and the protection of constitutional rights”.

50 USC §1881a is part of Title 50 of the US Code, which pertains to national defense. Chapter 36 of that title, of which §1881a is part, covers foreign intelligence surveillance, and §1881a itself concerns the surveillance of certain persons outside of the US.

In our opinion, nearly all processors in the US offering services could fall under one of the definitions of an electronic communication service provider in 50 U.S.C. § 1881(b)(4), such as providers of email communication, telecommunication or cloud computing (storage).

It’s our understanding that this could include companies like Google, Microsoft, Amazon AWS, Facebook (including Whatsapp and Instagram), Twitter, Verizon Media (Oath/Yahoo), MailChimp, Kajabi, ActiveCampaign, Squarespace (including Acuity Scheduling), Asana, Aweber, Calendly, ConvertKit, Zoom, Dropbox, Evernote, Hubspot, Intercom, PayPal, Slack, Twilio (including SendGrid), Atlassian (including Trello), SurveyMonkey, Stripe, Wix and numerous other companies.

Despite the ruling, US data processors such as Microsoft and Google insist that the transfer of personal data between the US and the EU is still in line with the GDPR. (Most European-based privacy professionals are not so sure... 🤨)

In sum – both 50 USC §1881a and E.O. 12333 are legal instruments the US government leverages to protect its national interests and prevent acts such as sabotage and terrorism.

Current guidelines you should be aware of (and follow)

The sources we rely on are primarily the websites of the European Commission, the European Data Protection Board (EDPB) and the data protection authorities in the UK (the ICO), Denmark and Norway. We will share all relevant updates in English, on this page going forward.

I process EEA-based personal data as a controller, what do I need to do?

First and foremost, you should ensure you comply with the GDPR overall, including that you:

  • Understand what the GDPR is and means for your business/organization
  • Have your GDPR foundation in place (especially your records of processing activities, data processing agreements, tools and safeguards for any international transfers and data protection risk assessment)
  • Keep compliant on an ongoing basis

Read more in our GDPR compliance checklist for SaaS, tech and other online businesses. Note that this is written for small businesses.

Next, you need to take these concrete steps:

  1. Review your records of processing activities ("ROPA", personal data inventory) and personal data flows to determine which processors are located in, or store the personal data they process on your behalf in, a third country (non-EEA country).
  2. Identify the transfer tool(s) for each such international transfer (adequacy decision, Privacy Shield, SCC, BCR). Where the data processor only relies on Privacy Shield, find out if they have other safeguards in place. If they don’t, they should be working on getting an alternative safeguard in place as soon as possible (get it confirmed). Unless they have other safeguards in place, this processing is now unlawful.
  3. Conduct privacy/data protection due diligence and risk assessments for all international transfers, including:
    * Validate that the processor is compliant with the GDPR
    * Validate that no national laws the processor is required to comply with (e.g. FISA 702) impinge on the level of protection afforded in the EEA, for the transfer(s) in question
  4. Make your preliminary conclusion:
    * If the processor has sufficient technical and organizational security measures, and no national laws conflict with the GDPR and the transfer(s) in question, or the processor isn't required to comply with these - then you can continue using them ✅
    * If the processor lacks sufficient security measures, or they're required to comply with laws that conflict with the GDPR - go to the next step:
  5. Identify and implement supplementary measures to close the gap in the level of protection - but note that if these measures cannot mitigate the impingement, then you're required to suspend/end the ongoing transfers (or not start any planned transfers).
  6. Ensure you evaluate and re-assess as needed on an ongoing basis.

You need to determine yourself what risk you’re willing to accept and if you should stop using or change providers.

💡 Note that you have to assess the potential impact of, for example, FISA 702 on the transfer(s) in question, i.e., whether FISA 702 even applies in each specific case (transfer). This, of course, can be extremely challenging to assess, and usually you'd need true US legal experts to help with this - which is likely out of reach for most of us. But that's a rant for another day.

Also, there is a handy flowchart from the EDPB illustrating the steps outlined above.

We recommend you document all your considerations and conclusions, so you’ll be able to demonstrate your compliance to data protection authorities, if necessary.

I’m a US based processor, what do I need to do?

(This section only applies to you if you’re a US (or third country) based processor with customers in the EEA (EU member states + the EEA countries))

First and foremost, you need to determine if 50 U.S. Code § 1881a and/or Executive Order 12333 apply to you and the processing activity concerned. We recommend you involve reputable legal counsel for this assessment. It can become very costly to rely on incorrect advice.

  1. Make sure your management team are familiar with the situation
  2. Involve proper legal counsel
  3. If you’re reading this, it’s because you have determined that the GDPR applies to your business – so you need to ensure that you’re actually GDPR compliant (and for even a small business, here are some of the things you need to have in place)
  4. If you’re a processor, ensure you comply with all requirements as per Article 28 (including for your data processing agreement) and Article 30(2) (records of all categories of processing activities you carry out on behalf of controllers)
  5. Ensure you have safeguards other than the Privacy Shield in place; otherwise, start working on this
  6. Ensure key employees are informed, including your customer support team, and create guidelines for how to respond to any requests regarding the ruling and/or Privacy Shield
  7. Be prepared to manage several requests for information from customers in the EEA
  8. Follow closely the EUC, EDPB and the ICO’s guidelines going forward
  9. And, if you haven't already, assess if you're required to appoint an EU Data Representative as per Article 27 and also a Data Protection Officer as per Article 37 (for the latter, consider getting help in this assessment as you don't want to appoint a DPO unless you have to - contact us for more information)
  10. Determine if you should get outside help to support you on dealing with the ruling, customer support information, website updates and overall compliance - and no matter whom you get to help you, ensure that they're highly skilled in the GDPR (which, unless they have direct experience in working with the GDPR for a longer time, most US-based legal people aren't)

If you would like hands-on help to manage the situation, get in touch. Although we don’t provide any legal advice, we can help you manage the situation and provide correct information to your customers.

Sources/resources