An overview of Schrems II
Schrems II is the short name for a European court ruling in July 2020.
Privacy Shield was the name for an informal agreement between the EU and US under which companies could transfer personal information between the two jurisdictions while complying with data privacy laws. The court invalidated Privacy Shield, meaning that data processors and controllers can no longer rely on it.
Background: Schrems I
Before we look at Schrems II, it’s important to get some background from Schrems I. The preceding events began in 2011 with the Austrian activist and lawyer Max Schrems.
At the time, he found that Facebook was exporting his data from its European headquarters in Ireland to its US office. Facebook could do this under the Safe Harbour Principles, which allowed organisations to self-certify their compliance. It also meant that the data Facebook was transferring could be accessed by US intelligence agencies, which violated his privacy. Moreover, the rumour at the time was that Facebook was working with the state under a mass surveillance programme.
Since this was before GDPR, Schrems filed a complaint under EU data privacy law. In 2015, the court ruled that Safe Harbour was invalid, but that some parts of the process, such as standard contractual clauses (SCCs), were still valid.
As such, a new agreement was drawn up to implement SCCs, known as Privacy Shield.
Privacy Shield did not solve the problem: Schrems II
Privacy Shield was implemented in August 2016, but Schrems found the same issue. Due to a direct conflict with US law, the European Commission didn’t have the power to protect data from US intelligence agencies.
US law allows agents to investigate EU citizens (including all transferred data) on the basis of national security. This meant that Privacy Shield was inadequate to protect data properly, and the gap in protection violated GDPR.
Even though more than 5,000 companies relied on Privacy Shield to comply with data transfer regulations, it was ruled inadequate in July 2020. This meant that companies had to stop using the process immediately.
Impact on regulated institutions
The Schrems II ruling had a huge impact on data transfer between the EU and US. Private companies were immediately told to stop using Privacy Shield principles, which means that EU companies now need to assess every individual data transfer to ensure their compliance.
A new EU-US data-sharing framework has been proposed and approved in the US, but not yet introduced. Until it is implemented, it’s up to firms to manage data transfers prudently.
Thinking about security by design (rather than as an afterthought), companies may need to encrypt their data to ensure compliance with the regulations. Alternatively, businesses might need to review their vendors and consider non-US-based alternatives to reduce supplier risk.
Moreover, private companies could switch to an alternative safeguard method, for example codes of conduct or other forms of data protection. Since there’s no global standard for data protection, it’s important to review your processing records and the laws of every country you interact with.
Compliance is key
The unique factor with Schrems II is the pace at which Privacy Shield (and Safe Harbour before it) was dropped after its inadequacy ruling. In many other regulatory cases, companies have a grace period of many months to implement new regimes. However, Schrems II led to the immediate end of Privacy Shield.
This all happened in 2020, and although the new EU-US data-sharing framework has been approved by the Biden administration, it’s not yet implemented. To prepare your organisation for the new framework, choose to implement regulatory intelligence software with horizon-scanning technology.
For help with implementing Schrems II, get in touch with CUBE today.