Schrems II and its effects on Data Privacy for US-Based Companies


Mr Schrems, an Austrian national and Facebook user, claimed that the United States does not offer adequate protection for his data transferred there, as required by European Union (EU) data protection regulations. The European Court of Justice (ECJ) sided with Schrems in this case, invalidating ‘the Privacy Shield’.

The Privacy Shield

The Privacy Shield was an agreement between the European Commission and the United States under which the United States agreed to apply EU data protection standards to EU citizens’ data. The ECJ has now invalidated the Privacy Shield Decision, so Schrems II is going to have broad-ranging implications for US companies looking to transfer data out of the EU.

In looking at the specifics of this agreement, the ECJ decided that US domestic law, in particular laws which allow the US authorities to access EU citizens’ data in the interests of American national security, does not satisfy the requirements of the EU. The effect of this ruling on US companies using the Privacy Shield is that they must immediately cease sending data from the EU to the US unless they assess the legal basis for this transfer to occur.

Standard Contractual Clauses

It must be noted, however, that the ECJ upheld a separate European Commission Decision on Standard Contractual Clauses (SCCs). An SCC is a standard set of contractual terms which the sender and receiver of data sign up to, as it helps them to comply with EU data protection rules. The validity of SCCs depends on whether effective mechanisms make it possible to ensure that there are equivalent protections on EU citizens’ data in the United States, and that transfers cease in the event of a breach of such a clause.

Additional obligations have also been placed on data importers and exporters who use SCCs. They must verify, before any transfer, whether the level of protection offered by the third country is adequate. A burden is also placed on the data importer to inform the data exporter of any inability to comply with the rules set out in the SCC Decision. Once advised of this, the data exporter is obliged to cease transferring data to the importer.

GDPR Article 49

Article 49 of GDPR, where the rules for international transfers of data are set out, is unaffected by this ruling and still provides for transfers of data between the US and EU. It is important to refer to the European Data Protection Board’s guidance in this regard. According to that guidance, when transfers are based on the consent of the data subject, the consent should be explicit and specific to a particular transfer or set of transfers, and the subject should be informed of the possible risks of the transfer. Data may also still be transferred if it is objectively necessary for the performance of a contract between a data subject and a controller. The data transfer should only be occasional.

Effects on US businesses operating in the EU

As mentioned above, this will have far-reaching implications for US multinationals operating in the EU. US vendors using the Privacy Shield will begin to move over to SCCs. Enterprise customers, in particular, will more than likely insist on SCCs for any future deals. Reviews of legacy contracts will be necessary and any assumptions regarding the Privacy Shield in such contracts will need to be reviewed.

To comply with the ruling, companies will need to carry out data mapping exercises, review their processes for intra-company and third-party data transfers, and enhance their data retention policies and practices. While seemingly straightforward, these are in fact complex areas: companies need to identify and capture a full data inventory, including where the data is going, how long it is kept for and, crucially, when it is being deleted and whether it is being deleted from both online and offline internal environments. In other words, some companies may not even have a full picture of this, which makes knowing how to handle the Schrems decision even more difficult.

There will also be significant knock-on effects outside of the legal department for US businesses contracting with EU entities. The changes may result in friction on deals between US- and EU-based companies, as EU businesses may be warier of whether the US companies are genuinely complying with the SCCs. This may result in increased demand on US-based multinationals to carry out due diligence in handling EU citizens’ data.

Beyond the EU and US, the decision may also encourage regulators to focus on data transfers to other jurisdictions. As such, it may be advisable for companies to widen the scope of their remediation effort to include all global agreements.

Outside of necessary compliance, one of the advantages of addressing Schrems II is that it offers companies an opportunity to revisit GDPR-related processes and consider whether they are truly suitable for their organisation. Taking this approach to any necessary remediation work can help to drive efficiencies in the area through the implementation of sustainable and efficient processes.

How We Can Help

Johnson Hana is well-positioned to assist companies in adapting to this regulatory change.

We have a team of highly qualified and experienced data privacy lawyers available to support you, whatever stage of the implementation process you’re currently at. Our solutions enable companies to hurdle lengthy recruitment processes, providing immediate access to experts as you scale your team for a defined period to deliver your project.

We have vast experience in large-scale contract review and amendment, i.e. incorporation of standard contractual clauses (SCCs) into existing contracts, through a combination of our skilled legal professionals and the deployment of KIRA, our strategic technology partner, which provides machine learning contract review software. In particular, companies require assistance in relation to data mapping exercises, review of processes in relation to intra-company and third-party data transfers, and enhancement of data retention policies and practices in light of the recent decision.

The Schrems II decision is the biggest shake-up in privacy law since the introduction of GDPR two years ago. Business is going to have to adapt, and Johnson Hana is here to help.
