Understanding the Schrems II decision on data privacy: check if you’re compliant


At BNZSA, we make sure our customers can rely on the data they receive from us being fully compliant with data privacy law. Our legal team tracks the latest court decisions and regulatory guidance, the most recent of which is the Schrems II judgment of the Court of Justice of the European Union (CJEU), which concerns transfers of personal data between the EU and the USA.

What is the Schrems II decision? 

The Schrems II decision refers to the judgment of the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18), delivered on 16 July 2020. It has significant consequences for the transfer of personal data between the EU and the USA.

In this case, the court found that the EU-US Privacy Shield could no longer serve as a valid legal basis for transferring personal data from the EU to the USA, because US law did not provide the level of protection required by the EU's General Data Protection Regulation (GDPR), in particular because of the access to personal data granted to US public authorities and the lack of effective remedies for EU data subjects.

The decision makes clear that transferring personal data to a third country requires that country to provide a level of protection essentially equivalent to the one guaranteed in the EU. Standard Contractual Clauses (SCCs) remain a valid legal basis, provided the data exporter verifies, case by case, that the law and practice of the third country do not undermine the safeguards the SCCs provide, and adopts supplementary measures where they do.

What does it mean for your business?

Although the judgment was handed down in July, there is not yet a definitive piece of guidance on how companies should respond.

Until there is, the recommendations in the next section are a sensible way to work towards compliance.

How can you ensure you are compliant? 

These tips are based on our summary of the guidance published so far by the various authorities. You may need to take more specific actions depending on your own data privacy requirements, but this should be a good starting point:

  • Respect the fundamental principles – one of the pillars of the GDPR is that data subjects can find out where their data is and how it is used. We take this very seriously and maintain a clear line of traceability for every single contact we engage with.
  • Map out your data transfers – if your organisation makes any international data transfers, take the time to map exactly which third countries receive your data, and on which legal basis. This inventory is the starting point for the transfer assessment the EDPB expects and for demonstrating GDPR compliance.
  • Adapt your contractual terms – review your Data Processing Agreements and the Standard Contractual Clauses (SCCs) you rely on as the legal basis for transfers to third countries. You may need to adapt them case by case, based on your assessment of the risk posed by the data protection laws of the recipient country (as recommended by the EDPB and required under Article 46 of the GDPR).
  • Put the right technologies in place – work with your IT team to apply the technical measures the transfer needs, such as encryption or anonymisation of the data. Bear in mind that encryption only protects a transfer if the decryption keys stay under the exporter's control in the EU; if the importer can decrypt the data, it remains exposed to access requests under the importer's local law.
  • Provide a high level of transparency – when collecting and processing data, we tell every prospect clearly whether their data will be transferred to a third party or to a third country. We obtain their explicit consent and explain the risks before proceeding with any such transfer.

Next steps

It's important to stay informed about what comes next. When the Commission issues its updated SCCs, we expect them to spell out the obligation of data importers to inform exporters when public authorities request access to the data, as well as further requirements on data security.

Do let us know if you have any specific doubts or questions that we might be able to help with.