The ruling of the Court of Justice of the European Union (CJEU) in Schrems II stripped US companies of one of the most common mechanisms used to achieve GDPR compliance for EU-US data transfers. In the wake of this decision, organizations need to ensure that their existing business practices comply with the new rules.
GDPR transfer mechanisms for EU citizen data
The General Data Protection Regulation (GDPR)’s protections are not limited to the EU. Anywhere that an EU citizen’s data is collected, stored, processed, or transmitted, it is protected under the GDPR.
In order to enforce this, the EU needs some means of enforcing the rules outside of its jurisdiction. Several mechanisms have been defined for transferring data to the US and other non-EU countries:
Reciprocal Privacy Laws: The GDPR allows data transfer to non-EU countries with privacy laws equivalent to the GDPR currently in place. To the 12 countries deemed “adequate” under the GDPR, EU citizen data can be transferred without restrictions. Currently, the EU’s list of “adequate” countries includes Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. South Korea is currently under consideration.
Model Clauses: Model clauses are sample contractual clauses for data transfers outside of the EU. The ones currently in use were created before the GDPR, are not compliant with the GDPR’s requirements, and are now in the process of being updated.
Binding Corporate Rules: Binding Corporate Rules (BCRs) are data protection rules adopted internally within an organization. For the organization to use EU citizen data, these BCRs must meet the GDPR’s “adequacy” criteria.
Privacy Shield: Privacy Shield is a US government program designed to enable US companies to access EU citizen data in the absence of national privacy law. Organizations are certified as compliant by the US Department of Commerce.
Article 49 Derogations: The GDPR’s Article 49 derogations outline special circumstances under which a data transfer can be performed to an organization that does not meet any other “adequacy” criteria. It is not approved as the primary means for GDPR compliance.
The US lacks a national data protection regulation, and companies are not permitted to use Article 49 derogations as their primary means of compliance. For this reason, US companies were previously dependent on model clauses, binding corporate rules, and Privacy Shield for GDPR compliance.
Impact of Schrems II on US companies
Schrems II refers to a legal ruling by the CJEU made in July 2020. Effective immediately, the Privacy Shield was no longer an approved mechanism for US companies to achieve GDPR compliance.
The Privacy Shield was ruled invalid by the CJEU for two main reasons:
Law Enforcement Access to Data: Under current US laws, law enforcement and the intelligence community can access more data than is strictly necessary. This violates the requirements of the GDPR.
Appointment of an Ombudsperson: While Privacy Shield included the appointment of an ombudsperson (as required by GDPR), the ombudsperson could not make binding decisions on behalf of the US government regarding law enforcement and intelligence activities. This violates the GDPR requirement that data subjects have a method of redressing privacy violations.
The elimination of Privacy Shield as a data transfer mechanism to the US does not make it impossible for US companies to achieve GDPR compliance. Model clauses and BCRs are still acceptable transfer mechanisms. However, in the Schrems II ruling, the CJEU also stated that model clauses may not be sufficient for compliance as written and that supplementary measures may be needed. Organizations are expected to examine data flows on a case-by-case basis and apply these additional measures as needed.
This decision to invalidate Privacy Shield and require case-by-case inspection of existing data flows makes data transfer a challenge for US companies. Some of the major challenges for GDPR compliance after Schrems II include:
Achieving data flow visibility: Organizations can no longer rely on blanket coverage under Privacy Shield for GDPR compliance. Without this as a fallback, companies must be certain that none of their existing operations violate GDPR requirements, which requires full visibility into data flows within the organization.
Lack of regulatory clarity: While the CJEU stated that supplementary measures may be required for EU-US data transfers, they did not define these additional measures. Recommendations for compliance include everything from continuing with business as usual until further guidance is provided, to seeking legal injunctions if US law enforcement or intelligence agencies request access to EU citizen data, to not transferring EU citizen data to the US at all.
Maintaining visibility into subcontractors’ operations: Once data has been transferred to the US under a company’s auspices, that company is responsible for what happens to it. For example, if an organization uses contractors for data processing or storage, it needs to know if those contractors subcontract and send data to countries and companies not deemed “adequate” under the GDPR.
While these are only some of the challenges that US companies face after Schrems II, they are significant ones. Without Privacy Shield as a safety net, an oversight in GDPR compliance could leave an organization facing regulatory penalties.
Achieving GDPR compliance via case-by-case analysis
Based on the guidance provided in the CJEU’s ruling on Schrems II, companies performing EU-US data transfers are advised to perform a case-by-case analysis of their data flows to ensure GDPR compliance. This analysis should include the following steps:
Identify data flows and uses: The CJEU ruling in Schrems II states that organizations may need to apply supplementary measures to achieve GDPR compliance for their EU-US data flows. Identifying any applicable modifications requires full visibility into how EU citizen data is flowing and used both inside and outside an organization’s network.
Verify GDPR applicability: The GDPR’s requirements and protections only apply to data that can uniquely identify an EU citizen. If data is anonymized to the point where re-identification is completely impossible – assuming access to external data sources as well – then the GDPR does not apply to this use of data.
Determine if data use is GDPR-compliant: Article 45 of the GDPR outlines the criteria by which the EU determines if a country’s data privacy regulation meets the GDPR’s “adequacy” criteria. All use of EU citizen data should be examined to ensure that it meets the same criteria.
Check if data remains within GDPR-compliant locations: An organization’s data may be shared with external partners for processing or storage. Every flow of EU citizen data leaving the organization should be checked to verify that the recipients (and their sub-processors) are GDPR-compliant. To prioritize these checks, use a geographic lookup of the destination IP address of each data flow and check the ones not flowing to EU or GDPR-adequate countries first.
Evaluate risk associated with collected data: The Schrems II decision was made due to US law enforcement and intelligence agencies having excessive access to the personal data of foreign nationals. Based on the type of data collected and the probability of a request from law enforcement or the intelligence community, a risk value can be associated with each data piece. This risk can be used to prioritize GDPR compliance activities.
Due to the lack of clarity in regulatory requirements for GDPR compliance, an organization may not currently know how to achieve full compliance with the regulation. However, taking steps to identify and fill potential compliance gaps with the existing guidance can help to reduce a company’s risk of penalties for GDPR non-compliance.
GDPR compliance after Schrems II
The Schrems II decision made GDPR compliance a moving target for US companies. While the ruling invalidated Privacy Shield as a GDPR compliance mechanism, it did not provide clarity regarding the actions that US organizations should take to become compliant.
However, the Schrems II ruling’s immediate enforcement means that companies performing data transfers to the US should not just wait until additional information and clarity become available. Organizations should begin case-by-case analysis of their data flows immediately and achieve a “good faith” level of compliance based upon the available data. This positions companies to take any additional required steps to achieve full compliance once further guidance becomes available.