The Schrems II case deals with the possibility of transferring personal data to US companies. So far, this has been possible with the help of the so-called Privacy Shield agreement, which in short is a system of standard contracts in which US companies guaranteed that they could comply with European GDPR rules (There are currently over 3000 US companies in the scheme).
Having the Privacy Shield in place meant that European companies could make use of US services and transfer personal information to them without having to take the long route of risk assessing whether the partner (data processor) is able to live up to its obligations. The Privacy Shield undeniably made it much easier to enter into data processor agreements with US companies.
Max Schrems advocates against the Privacy Shield
However, privacy activist Maximillian Schrems has been dissatisfied with the Privacy Shield scheme, as he believes that US companies cannot guarantee compliance with the GDPR, as the US has national laws that overrule and violate the principles of the GDPR. Among other things, it involves laws that enable the US state to gain insight into the personal data if they, for example, suspect terrorism.
Schrems specifically chose to make a complaint against Facebook, which moves data from their Irish department to the US via the Privacy Shield agreement (Facebook in Ireland and Facebook in the US are two separate companies). This means that European users’ personal data may end up in the United States. Max Schrems is dissatisfied with this, as he does not believe that Facebook can guarantee compliance with the GDPR in the handling of personal data in the USA. It is this appeal that the Court of Justice of the European Union ruled on. The European Court of Justice ruled in favour of Schrems, which rendered the Privacy Shield agreement invalid overnight. This affects not only Facebook but all companies that are part of the scheme. The Privacy Shield is no longer a valid basis for transferring personal information to the United States.
You can read the ruling made by the Court of Justice of the European Union here: EU Court of Justice.
It is not the first time an agreement has been rejected
This is not the first time that an agreement like the Privacy Shield has been rejected. The Privacy Shield agreement was a direct result of the invalidation of a previous agreement back in 2015, the so-called “Safe Harbour Agreement”. At that time, it was also Max Schrems who complained about the agreement and secured a favourable ruling. The Privacy Shield was supposed to have been the solution to the problems that were present with Safe Harbour, but that was clearly not the case. We are now in a situation where personal information cannot be transferred to the United States via either Safe Harbour or the Privacy Shield, and there is no obvious new solution.
Does the decision affect your organisation?
Yes, definitely.
If your organisation has US data processors or partners who use US data processors, it affects you. And who is not in some way entangled in services provided by e.g., Microsoft, Google, Amazon, etc.? It is difficult for everybody to get around the big American tech giants. Most organisations are so integrated with American services that it would be very expensive to stop collaborating. We have some tips to make sure your company stays GDPR compliant. It’s important to make sure that your company is careful with any data transfers since transfers could become a common target for GDPR fines.
Should I terminate my cooperation with all US data processors?
We do not yet know how the decision will specifically affect organisations. The fact remains, however, that it is no longer legal to export data to the United States on the basis of the Privacy Shield Agreement. However, not all organisations can stop using US corporate services from today. We have therefore ended up in limbo, where we are waiting to see what happens next. The question is whether it will be up to the individual companies to find a solution, or whether the solution must be made at a political level.
If the solution is to be found in the companies and organisations, it means that companies from the USA must live up to the same requirements as other third-party countries. This means that as a data controller, you must be able to guarantee that your data processor can live up to the rules in the GDPR. It places a large amount of work on the shoulders of the individual organisation that makes use of American data processors, as you have to do the risk assessment yourself from scratch and supervise these companies. But how can you expect to reach a conclusion in your risk assessment that differs from that reached by the Court of Justice of the European Union: the obvious fact that companies cannot guarantee that they can comply with the requirements? And what do you do if you can no longer make use of e.g., Office365 or AWS? Is there an alternative at all? There are many difficult questions, and the new ruling instantly makes it difficult to see how it will be possible to make use of US companies as data processors.
If the solution is a political one, it is also difficult to predict how it will fare. Should there be tight firewalls between the EU and the US? Should sanctions be imposed on American companies, or should the solution be found somewhere else? It seems unlikely that the EU will relax GDPR legislation to address inadequate US legislation. It also seems unlikely that the US will drop its surveillance laws, which will allow the state to gain insight into American companies’ data.
It is difficult to envision what the consequences would be if there was no amicable solution to the problem. It would render it practically illegal to transfer personal data to the United States, and the scenario of a lack of a workable solution is a bleak one.
It may be relevant for you to examine whether your lawyers have any recommendations for how you should act now.
As it stands, the ruling provides more questions than it answers. The only thing that is certain is that the ruling has dropped a bomb in the digital cooperation between the EU and the US. There is perhaps nothing to do but take a deep breath and wait for the recommendations from the European Data Protection Board, which is analysing the consequences of the decision. However, it is a good idea to prepare for what the potential consequences for your organisation will be if you have to find new IT service suppliers or have to treat these suppliers like other third-party countries.
This may, for example, involve assuming a wait-and-see attitude when it comes to purchasing new services and pausing projects that will connect the organisation more closely to American data processors.