No grace period after Schrems II Privacy Shield ruling, warn EU data watchdogs

Natasha Lomas

European data watchdogs have issued updated guidance in the wake of last week's landmark ruling striking down a flagship transatlantic data transfer mechanism called Privacy Shield.

In an FAQ on the Schrems II judgement, the European Data Protection Board (EDPB) warns there will be no regulatory grace period.

The top-line message: the EU-U.S. Privacy Shield is dead, and any companies still relying on it to authorize transfers of EU citizens' personal data are doing so illegally.

"Transfers on the basis of this legal framework are illegal," warns the EDPB baldly. Entities that wish to keep on transferring personal data to the U.S. need to use an alternative mechanism -- but must first determine whether they can meet the legal requirement to protect the data from U.S. surveillance.

What alternatives are there? Standard Contractual Clauses (SCCs) were not invalidated by the CJEU ruling. Binding Corporate Rules (BCRs) are also still technically available.

But in both cases, would-be data exporters must conduct an upfront analysis to ascertain whether they can in fact legally use these tools to move data in their specific context.

Anyone who is already using SCCs for the transfer of EU citizens' data to the U.S. (hi, Facebook!) isn't exempt from carrying out an assessment -- and needs to inform the relevant supervisory authority if they intend to keep using the mechanism.

The rub here for U.S. transfers is that the CJEU judges invalidated Privacy Shield on the grounds that U.S. surveillance laws fundamentally clash with EU privacy rights. So, in other words, Houston, you have a privacy problem...

"The Court found that U.S. law (i.e., Section 702 FISA [Foreign Intelligence Surveillance Act] and EO [Executive Order] 12333) does not ensure an essentially equivalent level of protection," warns the EDPB in answer to the (expected) frequently asked question: "I am using SCCs with a data importer in the U.S., what should I do?"

"Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place."

The ability to use SCCs to transfer data to the U.S. hinges on a data controller being able to offer a legal guarantee that "U.S. law does not impinge on the adequate level of protection" for the transferred data.

If an EU-U.S. data exporter can't be confident of that, they are required to pull the plug on the data transfer. No ifs, no buts.

Those who believe they can offer a legal guarantee of "appropriate safeguards" -- and thus intend to keep transferring data to the U.S. via SCC -- must notify the relevant data watchdog. So there's no option to carry on "as normal" without informing the regulator. 

It's the same story with BCRs -- on which the EDPB notes: "Given the judgment of the Court, which invalidated the Privacy Shield because of the degree of interference created by the law of the U.S. with the fundamental rights of persons whose data are transferred to that third country, and the fact that the Privacy Shield was also designed to bring guarantees to data transferred with other tools such as BCRs, the Court’s assessment applies as well in the context of BCRs, since U.S. law will also have primacy over this tool."

So, again, a case-by-case assessment is required to figure out whether you can be legally confident in offering the required level of protection.

