Dionysia Kontotasiou
Convert's Head of Integration and Privacy, helping customers with technical queries.

Privacy Shield Invalidated 2020: What You Need to Know & Can SCCs Bring Respite?

July 17, 2020 –


On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU remain valid, while emphasizing the need for case-by-case scrutiny. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework, holding that it falls short of the requirement of Article 45(2)(a) of the GDPR.

| Date | Event |
| --- | --- |
| June 2013 | Snowden disclosures regarding PRISM program |
| June 2013 | Schrems complaint to Irish DPC re Safe Harbor in view of Snowden disclosures |
| June 2014 | Irish High Court refers the Schrems case to CJEU |
| October 2015 | CJEU invalidates Safe Harbor |
| October–December 2015 | Schrems complaint to Irish DPC re EU Standard Contractual Clauses (SCCs) |
| July 2016 | Adoption of EU-US Privacy Shield |
| October 2017 | Irish High Court refers Schrems complaint to the CJEU |
| May 2018 | Entry into force of the GDPR |
| July 2019 | Schrems II hearing in the CJEU |
| December 2019 | CJEU AG Opinion in Schrems II |
| 16 July 2020 | CJEU judgment in Schrems II |

As the timeline shows, Schrems II has been years in the making and is a fascinating case. As a result of the case, US companies doing business in Europe or handling data from European clients will either have to negotiate new individual data-handling arrangements, called Standard Contractual Clauses (SCCs), with the EU, or stop porting data from European operations into the US.

The ruling has an impact on (a) more than 5,000 companies in the United States that have self-certified under the Privacy Shield mechanism, and (b) an undefined number of companies outside the United States that relied on the recipients’ Privacy Shield self-certification to comply with the strict EU data protection laws.

Supervisory Authorities Reaction

Following the CJEU Schrems II decision, some supervisory authorities have expressed their view on the way forward, in particular with respect to the continued use of the Standard Contractual Clauses (SCCs). Below we have summarized the key messages and findings:

Hamburg

The Hamburg data protection authority concludes:

If the invalidity of the Privacy Shield is primarily due to the escalating intelligence activities in the USA, the same must also apply to the Standard Contractual Clauses. Contractual agreements between data exporter and importer are equally unsuitable for protecting data subjects from state access.

However, they also see that

in addition to Binding Corporate Rules and individual agreements, it is above all the SCC that can be used as a basis for transfers to third countries. At the same time, however, uncertainty has increased this time: The ECJ is passing the ball to the European supervisory authorities.

Johannes Caspar, Commissioner of the Hamburg DPA, states:

After today’s ECJ decision, the ball is once again in the court of the supervisory authorities, who will now be faced with the decision to critically question the overall data transfer via standard contractual clauses.

Federal Commissioner

At the same time, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Professor Ulrich Kelber, associates today’s ruling of the European Court of Justice (ECJ) on international data transfer with a strengthening of the rights of those affected:

The ECJ makes it clear that international data traffic is still possible. However, the fundamental rights of European citizens must be respected. Special protective measures must now be taken for data exchange with the USA. Companies and authorities can no longer transfer data on the basis of the Privacy Shield, which the ECJ has declared ineffective. We will, of course, be giving intensive advice on the changeover.

Rhineland-Palatinate

A very proactive approach was already taken by the Rhineland-Palatinate DPA. Just a few hours after the ECJ decision, it published an FAQ document on the ruling. Regarding what data exporters now have to do in relation to the SCCs, it concludes:

Data controllers must check the laws applicable to the data importer in the third country to which they intend to transfer the data and, if applicable, to its other contractual partners in this business relationship and whether these laws affect the guarantees provided by the standard contractual clauses. If necessary, the specific data flows must be analyzed to determine which laws of the third country are applicable in each case. These obligations apply to data transfers to all third countries, not only to the USA.

The Validity of the SCC Decision Is Recognized

Since the Court upheld the validity of the 2010 SCC Decision, data flows from the EU to the rest of the world based on SCCs can continue uninterrupted. However, even companies that rely on SCCs for exporting data out of the EEA would be prudent to monitor this space closely. The EU Commissioner for Justice, Didier Reynders, issued an early announcement on the same day as the decision, noting the Commission's plans to update the SCCs in light of their now-increased importance.

Invalidation of the Privacy Shield Without a Transition Period

Since the Court also decided to assess the Privacy Shield and found it invalid, all data flows relying on this framework become unlawful.

The Privacy Shield now faces the same unfortunate fate as the Safe Harbor program in 2015. Similar to the scramble that occurred after invalidation of the Safe Harbor program, we may see the U.S. and EU governments meet to repair the defects highlighted by the CJEU decision. But, until these defects are remedied, any company relying on the Privacy Shield to properly transfer data should shift to other measures that have been explicitly deemed appropriate safeguards, such as SCCs, user consent, and Binding Corporate Rules (BCRs).

As the authorities acknowledge that the SCCs still work as a basis, we do expect that the authorities will allow organizations a grace period to bring themselves into compliance in relation to transfers following the judgment. A 6-month grace period was allowed after the fall of Safe Harbor in 2015. Given the broader impact, it would be reasonable to repeat this now and potentially to extend this period.

Next Steps for Organizations

Businesses should prepare for the post-Privacy Shield era now, and get Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) in place for their own data protection.

  1. While SCCs remain valid, organizations that currently rely on them will need to consider whether, having regard to the nature of the personal data, the purposes and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by EU law. Where that is not the case, organizations should consider what additional safeguards may be implemented to ensure there is in fact an “adequate level of protection.”
  2. Organizations that currently rely on the EU-U.S. Privacy Shield framework will need to urgently identify an alternative data transfer mechanism to continue transfers of personal data to the U.S. Organizations may be able to rely on derogations provided in the GDPR for certain transfers (such as when the transfer is necessary to perform a contract), and SCCs or Binding Corporate Rules should also be considered as alternative mechanisms.

In short, companies that are subject to the GDPR should consider (i) their data flows to the U.S., (ii) the respective legal mechanism for such transfers to the U.S., and (iii) if the EU-U.S. Privacy Shield is the current transfer mechanism, putting in place a legitimate transfer mechanism for such activities.

What Convert Will Do

  1. Watch out for guidance from supervisory authorities, the European Data Protection Board, and the European Commission.
  2. Assess what data is being transferred outside the EU and on what basis. Look out for:
    1. Data transfers to organizations which participate in the Privacy Shield,
    2. Data transfers which rely on Standard Contractual Clauses – note any data transfers to US importers relying on SCCs in particular,
    3. Data transfers which rely on Binding Corporate Rules and which involve data transfers to the US. The CJEU doesn’t mention BCRs, but they are a form of “appropriate safeguard” pursuant to Article 46, so the general comments about the need to assess the law of the importing country could also be applicable here.
  3. Develop an approach for due diligence when data transfers take place – either within the organization or with suppliers. This should check:
    1. To which country the personal data is transferred,
    2. Whether public authorities in that country could be entitled to access the data,
    3. On what basis this is authorized.
      1. Is it set out in the law?
      2. Does the law limit the ability to access the data?
      3. Is it no more than is necessary and proportionate, in a democratic society, to safeguard national security, defense, public security or the prevention and detection of criminal offenses and execution of criminal penalties?
      4. Does the law provide effective judicial remedies for data subjects?
    4. Is the data encrypted or tokenized in transit?
