Broker Check

Why Schrems II Matters if You Do Business in the EU

July 29, 2020

A Locke Lord Quick Study begins "16 July 2020 will go down in data protection history". It continues "On that day, the EU Court's decision in Schrems II dealt international data transfer a mighty blow. The EU-US Privacy Shield (emphasis in original) has fallen with immediate effect."

Here is the background:

The European Union's GDPR is the "gold standard" for data protection, in EEA countries and other organizations worldwide. The GDPR prevents an organization from transferring personal data outside its area, unless the country is on a white list (spoiler alert: the United States isn't) or the organization has an adequate safeguard. The most common safeguard is the EU-adopted standard contract clauses (SCC).

In 2013 Max Schrems asked the Irish Data Commissioner to prevent Facebook from transferring his data from Ireland to the United States.  In 2015 Schrems I ruled the EU-US Safe Harbor agreement was invalid. Facebook argued the SCC applied. The Irish court  referred the question to the EU Court of Justice and asked that court to determine  the validity of the EU-US Privacy Shield which had by then been adopted.

The EU Court found the Privacy Shield was subject to U.S. national security requirements, which interfered with fundamental rights of data subjects. It found the Privacy Shield invalid, effective immediately

On the SCC, the court ruled it was valid, but only where data subjects are given a level of protection equivalent to GDPR. EU data protection authorities are to suspend or prohibit data transfer to countries where the law does not provide adequate safeguards. Entities exporting and importing data are responsible for assessing compliance.

Data transfers to the US. under the Privacy Shield are now unlawful. Alternatives require an "adequate safeguard"; with narrow exceptions this can only be done within a corporate group or with a data subject's consent. Transfer to other countries depends on that country's laws.

Strict observance of Schrems II will disrupt international data transfers. Using the SCC is problematic. There may be a political solution, but Schrems shows that political solutions may not hold up in court. A world wide data protection standard is a long way off, as long as countries put national security above data privacy.      

If you export or import EU personal data, see a knowledgeable lawyer.