- The Schrems II decision invalidated the US/EU Privacy Shield program for data transfers, but a replacement has not yet been negotiated for US companies.
- Schrems II will impact US data transfers eventually, but in the meantime US companies can prepare for the changes.
In July 2020, the European Court of Justice issued its decision in Data Protection Commissioner v. Facebook Ireland, Schrems (“Schrems II”), which invalidated the US/EU Privacy Shield framework. The decision put in jeopardy the procedures US companies use to transfer data from Europe to the US.
This article discusses the fallout from Schrems II and what US companies should consider when transferring data from Europe. This article stems from the ACC 2021 Annual Meeting session, “International Data Transfers in the Schrems II Era: Developments From the First Year” by Lewis Dolezal, Corporate Counsel, Scotts Miracle-Gro Co., Kara DeAngelis, Senior Counsel, Privacy and Information Governance, McDonald’s Corp., Hemanshu Nigam, Partner, Venable LLP, and Kirk Herath, Retired Chief Privacy Officer, Nationwide Insurance.
The Impact of Schrems II for US Companies
In-house counsel plays a critical role in data governance. The Schrems II decision raises the question of whether a company should stop international data transfers altogether and separate data by country to meet each country’s data privacy requirements.
Schrems II also raises the issue of whether a company is failing to transfer data properly, since enforcement actions under the European General Data Protection Regulation (GDPR) are increasing.
US companies face the added problem that they must also meet the requirements of US privacy laws. Such laws tend to be sectoral, such as the Health Insurance Portability and Accountability Act, which controls data transfers in the healthcare sector, and the Gramm-Leach-Bliley Act, which controls data transfers in the financial sector.
Most US companies have standard contract language about data transfers, but US law does not provide standard contract language. Any data that does not need to remain identifiable should be de-identified.
Due to the many data privacy requirements in both the US and the European Union (EU), US companies should consider whether they can keep information in Europe rather than transferring it to the US if there is no need for such transfer.
Context of Schrems II and the survival of Privacy Shield
Under GDPR, there is a legal process for using personal data and moving it outside the EU. Before Schrems I, the EU/US safe harbor certification allowed US companies to comply with EU Directive 95/46/EC and GDPR. The safe harbor system required a company to obtain certification and post a privacy notice online stating that the company met the requirements.
The safe harbor was invalidated in October 2015 by the Schrems I decision. In that case, Maximilian Schrems sued Facebook for transferring his personal data to the US and keeping the data on servers in the US. Schrems claimed the data transfer did not adequately protect his personal information.
The European Court of Justice agreed with Schrems, and in response the EU and US agreed on a replacement, the US Privacy Shield program, to facilitate US-EU data transfers. The Privacy Shield program was supposed to address the shortcomings that came to light in Schrems I.
Schrems II was Schrems’ legal challenge to the Privacy Shield program, which led to the invalidation of the program in 2020. While companies can no longer rely on the Privacy Shield program, the US Department of Commerce is still administering it, and US companies that are Privacy Shield certified are required to abide by that program’s requirements. The EU and US are negotiating how to bring the Privacy Shield program into compliance with the outcome of Schrems II.
New Standard Contractual Clauses
In June 2021, the Standard Contractual Clauses (SCCs) under GDPR were revised to comply with Schrems II. SCCs are standard clauses that must be used to protect personal data and can be customized for various data transfer scenarios. When customizing the SCCs, companies should understand the laws of the country the information is coming from and the laws of the country the information is being delivered to.
Steps for US Companies to Consider
While it can be problematic for US companies to transfer data from Europe, there are measures that companies can implement as alternative safeguards, such as:
- Conducting reviews of vendors’ security measures;
- Conducting transfer impact assessments; and
- Having binding company rules on data protection.
US companies also can adopt an internal strategy of:
- Evaluating the necessity of international data flows;
- Training employees on changing regulations; and
- Adopting supplementary measures to bring data protection in line with GDPR.
US companies should prepare for data transfers under Schrems II by:
- Building process flows and tools that can identify and maintain data pathways;
- Building dashboards to monitor the transfer of data;
- Completing due diligence for new products, and consulting the legal department on compliance; and
- Training employees to ensure they are aware of the new requirements.
Read “Is Privacy Shield Doomed to Fail? And How Your Company Can Protect Itself” by William Krouse, ACC Docket, September 2017, pp. 67-72.
Read “Guide to the General Data Protection Regulation” by Ruth Boardman, James Mullock, Ariane Mole, Bird & Bird, April 2016.
Read “Changes to EU Privacy Law – The General Data Protection Regulation,” by Dechert LLP, 2016.