Updated September 9, 2020.
Can personal data from the EU be transferred to and stored in the US while guaranteed an adequate level of data protection as that under the GDPR?
This was the central question in the Schrems II case before the CJEU.
Learn about the Schrems II ruling and its consequences for your website here.
The EU Court of Justice (CJEU) delivered on Thursday July 16, 2020 a ruling in the case known as Schrems II (C-3111/18), in which the mechanisms for personal data transfers between the EU and US was challenged based on the argument that US law cannot adequately ensure protection of EU personal data.
In a landmark decision, the CJEU struck down the Privacy Shield, one of the most widely used mechanisms allowing US commercial companies to transfer and store EU personal data in the US.
The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country without any special access to Europe’s personal data streams.
Next, the CJEU validated the Standard Contractual Clauses (SCCs), another commonly used mechanism for transatlantic data transfers, saying that this mechanism does make it possible in practice to ensure compliance with the level of protection required by EU law.
However, the decision requires data controllers to assess the level of data protection in the data recipient’s country and to suspend transfer if deemed non-adequate. It also underlines the strong obligation of each data protection authority in all EU member states to suspend the transfer of personal data if they deem them unsafe according to EU data protection requirements.
While awaiting an industry response, especially from Facebook who is directly implicated in the Schrems II ruling by the EU Court of Justice, here is how you can gain full transparency of your website’s data flows, including where in the world personal data from your end-users is sent to.
Scan your website to get full overview and control of all cookies and tracking in operation on your domain.
Cookiebot’s world-leading scanning technology enables you to map out what kind of data your website processes and where in the world it sends user data to.
With Cookiebot, you get total transparency into your website’s data flows and full control of third-party cookies, such as Facebook and Google cookies from the US.
Cookiebot’s consent banner enabling full GDPR compliance on your website.
Cookiebot’s consent management platform enables true consent for end-users through a cookie banner that automatically groups all trackers into four easy-to-understand cookie categories, which end-users can activate and deactivate in a granular fashion, ensuring valid consent under the GDPR.
Cookiebot’s scanning technology finds all cookies and trackers on your website and maps out exactly what kinds of personal data they process and where in the world they send data to – allowing you to quickly gain full insight into your domain’s compliance level and end-user data protection.
Cookiebot’s consent management platform hands over full control to the end-user, enabling them to give granular consent to each specific data processing purposes, as required under the GDPR to ensure full personal data protection.
Cookiebot is fully customizable, allowing your website to inform its users of your specific cookie and tracking setup and to engage them in honest and transparent dialogue about what data you process, how, for what purpose and where in the world it is sent to.
Try Cookiebot free for 30 days... or forever if you have a small website
Named after Austrian lawyer and data privacy activist Max Schrems of NOYB, the Schrems II case challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework.
The EU’s General Data Protection Regulation (GDPR) requires a country to have an adequate level of data protection before personal data can be transferred to it from the EU. Adequacy decisions made by the EU Commission determine whether personal data can legally be sent to a country outside the EU.
The United States is not recognized by the EU as having an adequate level of data protection, but several transfer mechanisms allow commercial companies and organizations in the US to engage in transfers of personal data from the EU to the US where it is then stored.
These include the Standard Contractual Clauses (SCCs), Privacy Shield and Binding Corporate Rules (BCRs).
The Schrems II case made its way to the CJEU from a request in 2015 by Max Schrems to the Irish Data Protection Commissioner to order Facebook to suspend its data transfers from the EU to the US.
Facebook’s practices of transferring personal data out of the EU via their servers in Ireland to their headquarters in the US relies on the SCCs.
The Schrems II case challenged the legality of this system, arguing that an EU adequate level of data protection cannot be ensured by Facebook, since US laws (like FISA 702 and EO 12.333) mandates mass surveillance in sharp contrast to EU law (like the GDPR) that mandates strong data privacy.
Schrems’ request to ban Facebook data transfers from the EU to the US made its way through the Irish High Court to the CJEU, referred to the top EU court as eleven questions that all deal with issues around whether and how personal data from EU citizens can be protected in the US, whose legal landscape is fundamentally different.
The CJEU ruling in the Schrems II case on July 16, 2020 sided in large part with Max Schrems, invalidating the Privacy Shield as a mechanism for EU-US personal data transfer and imposing strong obligations on data controllers and data protection authorities in each EU member state to ensure adequate protection for personal data transfers when using Standard Contractual Clauses as a mechanism.
On September 8, 2020, following an assessment of the CH-US Privacy Shield that ensures data transfers between Switzerland and the US, the Swiss Federal Data Protection and Information Commissioner (FDPIC) struck down the transfer regime as inadequate.
The FDPIC deemed the US to have an inadequate level of data protection and the CH-US Privacy Shield transfer mechanism was invalidated – just as the CJEU has invalidated the EU-US Privacy Shield.
Schrems II is an EU Court of Justice (CJEU) case ruling on the mechanisms that allow personal data flows from the EU to the US. The CJEU struck down the Privacy Shield, a widely-used framework for personal data transfer to the US, and ruled that Standard Contractual Clauses (SCCs) can be used, so long as the data controller, data recipient and data protection authority in the EU member country deem the transfer to be able to ensure an adequate level of data protection.
For your website to be compliant with the General Data Protection Regulation (GDPR), you must ask for and obtain the explicit consent from end-users prior to any collection, processing or sharing of their personal data. If you have Facebook or Google cookies on your website, these are only allowed to be activated after your users have given their consent.
Using a consent management platform with world-leading scanning technology enables you to deep-scan your domain to detect and control all cookies and similar tracking technologies. Mapping out your website’s cookie setup gives you instant insight into how your website processes personal data and where in the world it sends this data.
Try Cookiebot free for 30 days... or forever if you have a small website.
Try Cookiebot free for 30 days… or forever if you have a small website.