14 October 2020
Transferring Data Abroad: The Implications of Schrems II
By Faye Cheung, Researcher

Background: Schrems I
In 2015 Max Schrems, a law student at the time, took the Irish Data Protection Commissioner to court over inaction against complaints that he had made about Facebook. The case was considered by the European Court of Justice (CJEU) after The Guardian’s exposé of a US National Security Agency surveillance programme, in which the NSA had direct access to data held by Google, Facebook, Apple and others.[1]
In a shock ruling, the CJEU found in favour of Schrems and held that the Safe Harbour agreement was invalid. The Safe Harbour was a mechanism developed by the EU and US, which allowed personal data to travel between the two territories without breaching EU data protection legislation. The EU-US Privacy Shield was created as a replacement for the Safe Harbour in order to rectify its weaknesses, which had made it vulnerable to unlawful surveillance. Meanwhile, Facebook Ireland used a ‘standard contractual clause’ (SCC) to continue its data transfer to Facebook’s Head Office in the US, which obliged Facebook US to comply with EU data protection law when processing data about EU citizens.
Schrems II Judgment
In June 2018 Schrems took legal action against Facebook Ireland on the grounds that the standard contractual clause and the EU-US Privacy Shield were still failing to protect the privacy rights of EU citizens. In another shock ruling, on 16th July 2020, the CJEU invalidated the EU-US Privacy Shield on the grounds that US surveillance programmes are still able to access EU citizens’ data beyond that which would be regarded as strictly necessary.[2]
Implications
This judgment will affect any business that transfers data outside of the EU. These businesses now face uncertainty over the legality of their current operations. However, as many will be in the same boat, there is no need to panic. The European Data Protection Board (EDPB) has issued FAQs on the implications of the judgment for those using the Privacy Shield and Standard Contractual Clauses. At this time (September 2020) this guidance continues to be applicable to UK controllers and processors. The FAQs are available on the EDPB website.[3]
The UK Information Commissioner’s Office (ICO) has advised that UK companies should ‘take stock of the international transfers you make and react promptly as guidance and advice becomes available’.[4] According to the ICO, the EDPB has also recommended conducting risk assessments as to whether SCCs ‘provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.’[5] The ICO’s full statement on the matter is available on its website.[4]
[1] https://www.theguardian.com/technology/2020/jul/16/the-background-to-eu-citizens-court-win-over-us-tech-giants
[2] http://curia.europa.eu/juris/document/document.jsf;jsessionid=CF8C3306269B9356ADF861B57785FDEE?text=&docid=228677&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=9812784 [184]
[3] https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf
[4] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/
[5] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/07/updated-ico-statement-on-the-judgment-of-the-european-court-of-justice-in-the-schrems-ii-case/
© Naomi Korn Associates, 2020. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)
Disclaimer: The material in this blog post is for general information only and is not legal advice. Always consult a qualified lawyer about a specific legal problem.