In July 2020, the Court of Justice of the European Union (CJEU) declared that the EU-US Privacy Shield was no longer valid as a lawful mechanism for transferring personal data, in the case of Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (Schrems II). In addition, the CJEU clarified that organizations using standard contractual clauses (SCCs) to transfer personal data must assess, before transferring, whether the law of the third country (i.e., the destination country) ensures a level of protection essentially equivalent to that guaranteed in the EU.
The European Commission and the U.S. Department of Commerce adopted the EU-US Privacy Shield in 2016 to serve as the legal basis for cross-border transfers of personal data out of the European Union (EU) and the European Economic Area (EEA) to certified U.S. companies, in accordance with EU data protection requirements.
The CJEU's invalidation of the Privacy Shield has serious consequences for EU-US data flows because so many organizations relied on that framework to transfer personal data lawfully. According to the European Data Protection Board (EDPB), organizations have no grace period in which to comply with the decision. What's more, organizations relying on SCCs now face additional obligations to evaluate, and where necessary ensure, that the destination third country provides adequate data protection. The EDPB has also stated that the same obligations apply when binding corporate rules (BCRs) are used as a lawful transfer mechanism. As a result, these impacts are not only immediate but also require substantial work.
To help, we're going to discuss whom Schrems II affects and why your business should start with its data map to reach compliance quickly.
What's the impact of Schrems II and who's affected?
You're likely wondering, "How do I know if the Schrems II decision will impact my business?" If you fall within any of these six categories, the CJEU's decision affects you directly:
- Companies that have self-certified under the Privacy Shield (5,384 companies at the time of the ruling).
- EU/EEA or U.S. companies that engage a U.S. service provider (e.g., cloud providers, data room providers, payroll providers) to process personal data, where that provider has self-certified under the Privacy Shield.
- EU/EEA or U.S. companies whose service providers have in turn engaged U.S. subcontractors that rely on the Privacy Shield.
- EU/EEA or U.S. companies that use SCCs.
- EU/EEA or U.S. companies that transfer personal data to U.S. companies that rely on SCCs (e.g., counterparties in a cross-border M&A transaction).
- EU/EEA or U.S. companies that rely on binding corporate rules (BCRs) to transfer personal data internationally.
In short, the ruling will affect any company that self-certified under the Privacy Shield, along with companies that rely on SCCs or BCRs.
What Schrems II means for your business data map
If your company has been relying on the Privacy Shield for its data transfers, you need to take action immediately to maintain compliance. The first step after Schrems II is to get a closer look at your EU/EEA-US data flows. Here are the five key steps to understanding the extent of the personal data your business currently transfers between the EU/EEA and the United States on the basis of the EU-US Privacy Shield, SCCs, or BCRs:
- Undertake an international data mapping exercise.
Complete a data mapping exercise that covers all affiliates, service providers, and third-party vendors. Once all U.S. recipients (i.e., data importers) have been identified, check each of them against the Privacy Shield list of self-certified companies.
- Review your contracts.
Review all of your contracts to identify the legal basis relied on to transfer personal data between the United States and Europe.
- Run an assessment.
Conduct a case-by-case assessment of each data transfer to evaluate the adequacy of data protection in the destination country.
- Update contracts.
You may need to update your contracts. This includes the terms describing what personal data is transferred, the technical and organizational controls that protect the data, and any additional contractual protections that should be put in place.
- Monitor continuously.
Ensure your team stays on top of regulatory announcements. You can do this by regularly checking in on:
Conclusion: Schrems II has an immediate impact on your business
Because there is no grace period for compliance, organizations transferring personal data outside the EU/EEA must act quickly. EU data protection authorities are likely to target the highest-profile companies for enforcement first. But compliance doesn't need to be difficult.
In July, OneTrust expanded its EU hosting options in response to Schrems II. OneTrust's suite of privacy, security, and data governance solutions is designed to support companies as they address the impact of the Schrems II decision on their business, by helping them determine what personal data they process and how it moves within the organization and out to vendors.
Learn more about how OneTrust can help your business with the Schrems II impact.