{"id":1768,"date":"2020-07-21T10:19:09","date_gmt":"2020-07-21T09:19:09","guid":{"rendered":"https:\/\/www.calligo.io\/step-by-step-guide-to-schrems-ii-and-privacy-shields-invalidation\/"},"modified":"2024-01-18T14:40:19","modified_gmt":"2024-01-18T14:40:19","slug":"step-by-step-guide-to-schrems-ii-and-privacy-shields-invalidation","status":"publish","type":"post","link":"https:\/\/www.calligo.io\/insights\/glossary\/step-by-step-guide-to-schrems-ii-and-privacy-shields-invalidation\/","title":{"rendered":"Step-by-step guide to Schrems II and Privacy Shield\u2019s invalidation"},"content":{"rendered":"

Data Privacy News: Step-by-step guide to Schrems II and Privacy Shield\u2019s invalidation, and what it means for you<\/h2>\n

Last Thursday, the Court of Justice of the EU (CJEU), the European Union\u2019s top court, struck down the EU-US data sharing agreement, Privacy Shield, technically known as the EU-US Data Protection Shield.<\/p>\n

The case known as Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (also referred to as Schrems II)\u00a0ruled that the data sharing agreement between the EU and the US, Privacy Shield, is not suitable as it does not provide adequate protection for EU citizens\u2019 personal data when stored in the United States.<\/p>\n

<\/p>\n

\"Schrems<\/p>\n

\n

\u201cThe Court of Justice invalidates Decision 2016\/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield\u201d<\/em><\/span><\/p>\n<\/blockquote>\n

The above quote is the opening statement of the official press release from the CJEU regarding the case. Whilst the sentence appears simple enough, its ramifications are far more serious, and essentially puts thousands of businesses at risk of breaching GDPR.<\/p>\n

\n

Privacy Shield was one of the few mechanisms under GDPR where EU personal data could be transferred to the US, and with its immediate shut down, it leaves over 5,300 organizations who relied on this mechanism to find a new and safe way to transfer data.<\/p>\n

\n

The history behind the Schrems II ruling<\/span><\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
June 2013<\/strong><\/td>\nIn June 2013, National Security Agency (NSA) whistleblower, Edward Snowden, discloses information regarding PRISM, a US government surveillance programme that collected data from some of American\u2019s biggest tech companies which included Facebook, Google and Apple.<\/td>\n<\/tr>\n
June 2013<\/strong><\/td>\nIn light of Edward Snowden\u2019s disclosures, Max Schrems files his complaint to the Irish Data Protection Commission regarding Safe Harbor, an agreement prior to Privacy Shield, that was used to transfer EU citizens\u2019 data to the US.<\/p>\n

Schrems argued that by collecting his personal data and transferring it to the US for processing, Facebook was exposing him to mass surveillance, which is illegal under the EU\u2019s Charter of Fundamental Rights.<\/td>\n<\/tr>\n

June 2014<\/strong><\/td>\nThe following year, the Irish High Court refers the case, now referred to as the “Safe Habor decision” or \u201cSchrems I\u201d, to the CJEU (\u201cMax Schrems v. Data Protection Commissioner\u201d)<\/td>\n<\/tr>\n
October 2015<\/strong><\/td>\nThe CJEU rules in Schrems\u2019 favour and invalidates Safe Harbor, as it does not offer EU citizens adequate protection of their personal data against mass surveillance programmes in the US.<\/td>\n<\/tr>\n
October \u2013
\nDecember 2015<\/strong><\/td>\n		With the same motive as in 2013, i.e. resenting the potential exposure of his personal data to mass surveillance, Schrems files a second complaint to the Irish Data Protection Commission re the use of EU Standard Contractual Clauses, known as \u201cData Protection Commissioner v Facebook Ireland and Maximillian Schrems\u201d. The case will also be referred as \u201cSchrems II\u201d.<\/td>\n<\/tr>\n
July 2016<\/strong><\/td>\nEU-US Privacy Shield was adopted as a mechanism for EU data transfers to the US, replacing Safe Harbor.<\/td>\n<\/tr>\n
October 2017<\/strong><\/td>\nThe Irish High Court refers the Schrems II case to the CJEU<\/td>\n<\/tr>\n
May 2018<\/strong><\/td>\nOn the 25th<\/sup> May 2018, Europe enforces its new data protection framework, the General Data Protection Regulation (GDPR) .<\/td>\n<\/tr>\n
July 2019<\/strong><\/td>\nThe first hearing on the case Schrems II takes place at the CJEU<\/td>\n<\/tr>\n
December 2019<\/strong><\/td>\nCJEU Advocate General publishes his opinion on the Schrems II case.<\/td>\n<\/tr>\n
16 July 2020<\/strong><\/td>\nCJEU announce their judgement on the case, with Privacy Shield being immediately invalidated, but upholding data transfer via SCCs.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

What did they say and why?<\/span><\/h2>\n

The important thing to note is that this decision was not based on business practices within the US, but in fact, on the surveillance and the regulatory climate within the USA.<\/p>\n

As the U.S. Chamber of Commerce Executive Vice President and Head of International Affairs states, \u201c\u2026[the case] focuses not on commercial uses of data, but on concerns over potential government access.<\/em>\u201d<\/p>\n

There were two main rulings re Privacy Shield:<\/p>\n\n\n\n\n
\"interface<\/td>\nUS law enforcement agencies\u2019 surveillance is not \u201climited to what is strictly necessary\u201d \u2013 the EU standard. Therefore, any EU personal data transferred to the US under Privacy Shield is additionally \u2013 and unacceptably \u2013 exposed to surveillance. In fact, the judgement also revealed that strictly, US law states that surveillance on non-US citizens only needs to be \u201cas tailored as feasible\u201d.<\/td>\n<\/tr>\n
\"interface<\/td>\nProtection of EU citizens\u2019 privacy rights in the US is too weak. Neither EU member states, nor the US Ombudsman (set up to help EU citizens make any case) have either the authority or the practical ability to enforce GDPR in the US.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Considering these findings, it hardly comes as a surprise that the result came in as it did.<\/p>\n

\n

\u201cIn the light of all of the foregoing considerations, it is to be concluded that the Privacy Shield Decision is invalid.\u201d<\/span><\/p>\n<\/blockquote>\n

There was then an additional key ruling on Standard Contractual Clauses:<\/p>\n\n\n\n
\"interface<\/td>\nStandard Contractual Clauses remain valid, though with a caveat that both the data \u201cexporter\u201d and \u201cimporter\u201d must review whether the destination country offers a level of protection equivalent to that of the EU, and in particular what data access rights the country\u2019s authorities may have.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Given the surveillance and regulatory climate of the US, and the judgement also actively encouraging Supervisory Authorities to strike down any SCCs where the guarantees within them are not upheld or capable of being upheld, it is unclear for how long SCCs will survive as a recognised legitimate mechanism.<\/p>\n

Unsurprisingly, guidance is soon expected from the EU and Supervisory Authorities, though in the meantime, SCCs are an entirely legitimate data transfer mechanism.<\/p>\n

What does this mean in practice?<\/span><\/h2>\n

If your business transfers EU data subjects\u2019 data to the US, you may need to take certain steps to ensure continued compliance with the GDPR.<\/p>\n

Circumstances include:<\/p>\n