Petra Lennhede on Schrems II
This summer, the European Court of Justice issued a judgment, Schrems II, which overturned the Commission's adequacy decision on the transfer of personal data to the United States under the Privacy Shield. This means that there is no longer a valid general agreement to rely on when transferring personal data between the EU and the US.
IT&Telecom companies invited Petra Lennhede, Legal Officer at the DPA's EU Secretariat, to participate in a meeting with Data Council and talk about Schrems II. We took the opportunity to ask some questions about the judgment and what you as an entrepreneur should think about.
- What is Schrems II really about and how does it affect businesses in practice?
In the judgment, the CJEU invalidates the Privacy Shield, i.e. the US self-certification mechanism which, under a so-called adequacy decision of the European Commission, allowed the transfer of personal data to recipients who signed up to it.
In short, the Court concludes that the Privacy Shield does not provide sufficient protection for personal data transferred to the United States, partly because the US authorities have too wide a range of possibilities to access data transferred there. The ruling means that it is no longer allowed to transfer personal data to the US under the Privacy Shield.
However, the Court held that the European Commission's decisions on standard contractual clauses remain valid and that they can be used for transfers outside the EU. Although standard contractual clauses as such offer a good level of protection, it is not certain that this protection can be maintained in practice, for example because of the legal situation in the country to which data is transferred. Additional safeguards may therefore be needed to complement them. However, the Court did not give an answer to what such additional measures might be.
- When will we see clearer rules for data transfers between the EU and the US?
It is not yet clear whether there will be a replacement for the Privacy Shield, but it is clear that the need to be able to transfer personal data to the US is great. The European Commission is responsible for developing so-called adequacy decisions and negotiations with the US have started.
At the same time, the European Data Protection Board (EDPB) is working intensively to analyze the judgment and develop guidance on interpretation and consequences, including guidance on what additional legal, technical and organizational safeguards may be relevant in cases where, for example, standard contractual clauses do not provide an adequate level of protection. The guidance is expected to be ready by the end of October. It may also be interesting to know that the European Commission is working on modernizing the current standard contractual clauses.
- What should the company concerned do?
Our recommendation to companies is: carry out your own analysis and map out the flows of personal data that exist in your organization and in what cases, in what way and with what support the data may be transferred to third countries. As far as possible, you should also try to find out, possibly in consultation with the recipient, what the level of protection is in the receiving country. Then take responsibility to start addressing any shortcomings and stop transfers that are not legally supported. Do not forget to document your considerations. When guidance is issued by the EDPB, you can use it to support your assessments.