Recently, the Court of Justice of the European Union (CJEU) released the long-anticipated Schrems II decision, which, effective immediately, invalidated the EU-U.S. Privacy Shield mechanism that over 5000 U.S. businesses, from major tech companies to large financial institutions, have relied on to transfer data from the EU to the U.S. and process it there. The decision is a companion to the 2015 Schrems I decision, in which the CJEU invalidated the adequacy decision underlying the EU-U.S. Safe Harbour framework, which led to the development of the Privacy Shield mechanism.
EU international data transfers
Under GDPR, there are several permissible mechanisms under which the personal information of EU residents may be transferred and processed outside of the EU. First, a third country can receive an adequacy decision from the Commission with respect to the level of protection it offers (GDPR Article 45). For example, Canada’s federal privacy law, PIPEDA[1], has been deemed adequate since December 2002[2]. In the absence of an adequacy decision in the processor’s country, a processor may generally remain compliant by either: a) incorporating the Commission’s Standard Contractual Clauses (Decision 2010/87) into its data transfer agreements; or b) subscribing to binding corporate rules (Article 46). For one-off data transfers, organizations may be able to rely on the derogations outlined in Article 49.
The Schrems saga
The Schrems I[3] and II[4] decisions originate from complaints brought forward by Maximillian Schrems, an Austrian resident, about Facebook Inc.’s requirement that EU users permit Facebook Ireland to transfer EU personal data to Facebook Inc.’s U.S. servers.
The Schrems II decision continues where the 2015 Schrems I decision left off (please review our prior bulletin for an analysis of Schrems I). After the Schrems I decision invalidated the “safe harbor” data transfer mechanism, and before Privacy Shield was adopted, Mr. Schrems filed a complaint with the Irish Data Protection Commission (DPC) requesting that the DPC use its broad powers to suspend EU-U.S. data transfers on the basis that Facebook’s use of Standard Contractual Clauses (SCCs) to transfer personal data to the U.S. was not justified. The Irish DPC raised its own concerns with respect to the use of SCCs, which led to the broader questions of significance that were eventually referred to the CJEU in Schrems II.