Schrems II judgement – what does it mean for privacy and personal data in the UK and US?

By Lydia Lavender, managing consultant at NCC Group

In the latest news concerning how the personal data of people in the EU is transferred to the United States, the European Court of Justice has ruled that the protections afforded by the EU-US Privacy Shield are not adequate.

On 16^th July, this much anticipated judgement, in what is known widely as Schrems II, also ruled that the use of Standard Contractual Clauses (SCC) remain valid. However, the decisions now have the privacy world in a spin, trying to work out what they need to do to make their international transfers comply with the GDPR.

With a lot of legal jargon and complicated documents being issued, we have simplified the case and decision to help you to understand the changes.

Background

The story started when Austrian citizen Maximillian Schrems raised a complaint regarding the security of his data with the Irish Data Protection Commissioner against Facebook, Ireland for transferring and processing his personal data outside of the EU to Facebook US.

There have been various investigations and decisions by the court around Safe Harbour, SCC and Privacy Shield leading to the current decision by the Court of Justice. 

What happened?

The Court determined that: 

• the GDPR will apply to the transfer of data to any third country;
• that protection must be in place at least equivalent to the GDPR;
• that supervisory authorities must suspend or prohibit transfers where it is believed adequate security is not in place;
• that the SCC decision is valid and therefore SSCs are also still valid; and
• that the Privacy Shield Decision is invalid because the security of the data in the US is not equivalent to that required by the GDPR as the processing of data is not limited to only that which is necessary due to the US legal system allowing full access to all data stored.

So, what does this mean?

Where personal data is being sent to the US from the EU for processing, you can no longer rely on Privacy Shield. Going forward, you will need to be clear on the controls in place within the US entity, along with the contractual agreements that have been agreed.

What can you do to prepare?

While there is still speculation around the impact of this decision, there are a number of acceptable mechanisms still in place to allow the transfer of personal data outside of the EU.

There are a few simple steps that you can take today to put you in a strong position when the outcome of this decision is fully understood:

1. Review your data flow maps to understand if and where data is sent outside of the EU.
2. Review third party agreements and contracts to ensure adequate wording is used regarding the security of personal data transfers. 
3. Where SCCs are used, the level of protection in the third country must be reviewed initially.
4. DPAs (Data Processing Agreements) must focus on the transfer of data, and as such must be reviewed.
5. Conduct due diligence reviews on any third party to whom you transfer data to ensure adequate security is implemented to meet GDPR requirements.

We will keep you updated as things develop so do stop back again soon for more information and advice, or get in touch with our team to find out more.