Discussion Points Post CJEU Schrems II Ruling

Enhanced EU-US Privacy Shield

Due to the decision by the CJEU on 16th July 2020, which invalidated the Privacy Shield arrangement, more than 5000 companies who had been participating in this arrangement have been affected.

On August 10th, the US Secretary of Commerce, Wilbur Ross, and European Commissioner for Justice Didier Reynders stated that they have initiated discussions regarding a new “enhanced” EU-US Privacy Shield which would comply with the CJEU judgement.

Reynders also tweeted, “I will now work closely with national data protection authorities and the @EU_EDPB. I will also reach out to my U.S. counterparts and look forward to working constructively with them to develop a strengthened and durable transfer mechanism.” 

Considering that there have been two successful challenges by Max Schrems to the EU-US data transfer mechanisms in the CJEU over the last 17 years i.e. Schrems I & II; drafting a new enhanced version of Privacy Shield may well prove to be a difficult task. Any new version would have to tackle the US surveillance laws because there can be no transfer of data to a country with forms of mass surveillance. Therefore, any arrangement that includes such surveillance laws will be challenged by Mas Schrems and from past precedents, will be invalidated again in the courts.

Standard Contractual Clauses

Until a new “enhanced” Privacy Shield arrangement has been put in place, companies might think that they could use standard contractual clauses (SCCs) for trans-Atlantic data transfers.

The ruling increased the standard of due diligence considerably that organisations would have to engage in. The ruling made it clear that companies cannot just sign the SCCs, they have to check if they can be complied with in practice. As a result, not only should the organisation internally comply with the SCCs, it must also ensure that the jurisdiction in which the data is held is essentially equivalent to the standards of data protection in the EU.

As a result, organisation may find it difficult to justify the legitimacy of this method considering how critical the CJEU was of the US legal regime when discussing the Privacy Shield. It appears that the ruling requires the US to review its surveillance laws before the EU could resume data-transfers with any US based organisations using SCCs.

Crucially necessary data flows to the US

CJEU highlighted that crucially necessary data flows can still be undertaken. Simply put, the US has now the same transfer mechanism available to it as any other third country. If there is no adequacy decision or appropriate safeguard then under limited circumstances crucially necessary personal data can continue to be transferred to the US under Article 49 of the GDPR – derogations for special situations.

The specific conditions available are explicit consent, the performance of a contract, protection of vital interests, establishment exercise or defence of legal claims, public interest recognised under union or member state law, transfer from a register of public information or legitimate interests