Schrems II, quick summary
Schrems II, Privacy Shield and the 2021 EU SCCs
On July 16, 2020, the EU Court of Justice (CJEU) struck down the Privacy Shield, one of the most widely used mechanism for personal data transfers between the EU and the US.
In a landmark decision, the CJEU struck down the Privacy Shield, one of the most widely used mechanisms allowing US commercial companies to transfer and store EU personal data in the US.
The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country without any special access to Europe’s personal data streams.
On June 4, 2021, the European Commission adopted two new sets of standard contractual clauses (SCCs) to replace the Privacy Shield data transfer scheme – a set for controllers and processors, and another for transferring personal data to third countries.
The 2021 EU standard contractual clauses (SCCs)
The new EU SCCs from June 2021 reflect, according to the EU Commission, the new requirements under the General Data Protection Regulation (GDPR) and take into account the Schrems II judgement of the Court of Justice, ensuring a high level of data protection for citizens.
The 2021 EU SCCs –
- Allow transfers of personal data between the EU and any third country (non-adequate under the GDPR) and clears away the need for a separate a data processor agreement (DPA) and signed SCC.
- Safeguards that local legislation in third countries does not prevent compliance with SCC obligations.
- Has provisions to ensure that local legislation does not prevent compliance with the SCCs, e.g. filing a transparency report.
- Requires additional documentation to secure transfers, e.g. frequency of transfer, purpose, data retention period, legal basis for sub-processor transfers and more.
- Allow third parties to join the agreement, making it easier to handle future replacements of parties.
While the old SCCs only allowed data transfers in connection with a data processor agreement (DPA), the new standard contractual clauses adopted in June 2021 allow the following parties to transfer personal data between each other:
- Data controllers to data processors,
- Data processor to data controller,
- Data controllers to other data controllers,
- Data processors to other data processors.
The new standard contractual clauses (SCCs) can be used from June 27, 2021, while the existing SCCs can be used until September 27, 2021.
The EDPB also published updated recommendations for data transfers outside the EU, in which you can find the five-step guide to safely transfer personal data to a third country (like the US).
EDPB recommendations for data transfers outside EU
On June 18, 2021, the European Data Protection Board (EDPB) adopted updated recommendations for safe transfers of personal data outside of the EU in a five-step guide for companies and organizations, delivering clarity to the industry confusion that has existed since the Privacy Shield was struck down earlier in 2020.
The EDPB recommendations help website owners and operators navigate the legal ocean of sending data outside of the EU to non-adequate countries, such as the US, while making sure that the data remains protected.
The EDPB also released a second document – EU Essential Guarantees – that can be used as support for website owners and operators, when assessing whether data transfers to a country is secure or not.
N.B. keep in mind that websites can send data in other ways than through cookies and trackers.
Step 1 – where do you send data to?
You need to know where in the world your website sends end-user personal data to – this is step one.
This is key to everything else, because if you find out that your website is sending personal data from users to e.g. the US, additional steps need to be taken to ensure compliance.
Mapping out your website’s data flow can be a very difficult task but using the industry-leading Cookiebot CMP website scanner will automatically detect all cookies and trackers on your site and give you a detailed report on where in the world your website sends data to.
Step 2 – how do you send data?
Once you have an overview of where in the world your website sends personal data to, step two in the EDPB recommendations is to make sure that you use the right transfer mechanism.
If your website sends personal data to countries with an EU adequacy agreement (e.g. Japan), you don’t need to take any further steps regarding these data transfers.
But if your website is also sending personal data to countries without an EU adequacy agreement (e.g. United States), you need to make sure that your website uses one of the transfer tools listed in Article 46 of the GDPR.
And remember, you always need the consent of your end-users before collecting or processing any personal data – also if you don’t send it to countries outside EU.
Step 3 – will data be protected after you send it?
Evaluating whether a country has laws or privacy practices in place that can guarantee an equivalent level of data protection for your website’s users and their personal data is step three in the EDPB recommendations guide.
This step might seem a bit tricky – perhaps you’re not very familiar with US privacy law?
Here is where the EDPB’s EU Essential Guarantees can help you determine a country’s level of data protection.
The EU Essential Guarantees can help you get an overview of how to do such an evaluation on the countries your website sends data to, such as looking for whether –
- data processing in the country is based on clear, precise and accessible rules
- legitimate objectives for processing the data is demonstrated in accordance with EU law
- the country has an independent oversight mechanism, e.g. a data protection authority
- your users have legal remedies to pursue if their GDPR-secured rights have been violated
See also Annex 3, page 47 of the EDPB updated recommendations for possible sources of information to assess a third country.
Step 4 – adopting additional data transfer protections
If you discover that your website sends personal data from end-users to e.g. the US, which is not recognized as having an adequate level of data protection, step four of the EDPB recommendations maps out how you can ensure additional security around your data transfers so that they meet EU standards of equivalence.
These supplementary measures in the EDPB recommendations include –
- Technical safeguards (such as encryption protocols and pseudonymization)
- Contractual safeguards (such as importer transparency commitments and enhanced audits)
- Organizational measures (such as internal transfer governance policies)
Step 5 & 6 – document and reassess
In step five and step six of the EDPB recommendation guide, you are encouraged to document your data transfer practices and how you ensure adequate protection for your website’s end-users.
You are also encouraged to reevaluate your data transfer practices at appropriate intervals to make sure that you’re always up to date on the latest developments in the countries you send personal data to.
Where does your website send data to?
Scan your website for free with Cookiebot CMP
Scan your website to get full overview and control of all cookies and tracking in operation on your domain. Cookiebot CMP is a world-leading consent management platform built around an unrivaled scanning technology that enables you to map out what kind of data your website processes and where in the world it sends user data to.
Get a free scan report from Cookiebot CMP showing which countries each cookie on your website sends user data to, and whether the countries are considered an adequate country by the EU.
With Cookiebot CMP, you get total transparency into your website’s data flows and full control of third-party cookies, such as Facebook and Google cookies from the US.
Cookiebot CMP enables true consent for end-users through a cookie banner that automatically groups all trackers into four easy-to-understand cookie categories, which end-users can activate and deactivate in a granular fashion, ensuring valid consent under the GDPR.
The Cookiebot CMP scanning technology finds all cookies and trackers on your website and maps out exactly what kinds of personal data they process and where in the world they send data to – allowing you to quickly gain full insight into your domain’s compliance level and end-user data protection.
Cookiebot CMP consent management platform hands over full control to the end-user, enabling them to give granular consent to each specific data processing purposes, as required under the GDPR to ensure full personal data protection.
Cookiebot CMP is fully customizable, allowing your website to inform its users of your specific cookie and tracking setup and to engage them in honest and transparent dialogue about what data you process, how, for what purpose and where in the world it is sent to.
Try Cookiebot CMP free for 14 days… or forever if you have a small website
What is the Schrems II case about?
Named after Austrian lawyer and data privacy activist Max Schrems of NOYB, the Schrems II case challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework.
The EU’s General Data Protection Regulation (GDPR) requires a country to have an adequate level of data protection before personal data can be transferred to it from the EU. Adequacy decisions made by the EU Commission determine whether personal data can legally be sent to a country outside the EU.
The United States is not recognized by the EU as having an adequate level of data protection, but several transfer mechanisms allow commercial companies and organizations in the US to engage in transfers of personal data from the EU to the US where it is then stored.
These include the Standard Contractual Clauses (SCCs), Privacy Shield and Binding Corporate Rules (BCRs).
Is EU personal data protected adequately after transfer to the US?
The Schrems II case made its way to the CJEU from a request in 2015 by Max Schrems to the Irish Data Protection Commissioner to order Facebook to suspend its data transfers from the EU to the US.
Facebook’s practices of transferring personal data out of the EU via their servers in Ireland to their headquarters in the US relies on the SCCs.
The Schrems II case challenged the legality of this system, arguing that an EU adequate level of data protection cannot be ensured by Facebook, since US laws (like FISA 702 and EO 12.333) mandates mass surveillance in sharp contrast to EU law (like the GDPR) that mandates strong data privacy.
Schrems’ request to ban Facebook data transfers from the EU to the US made its way through the Irish High Court to the CJEU, referred to the top EU court as eleven questions that all deal with issues around whether and how personal data from EU citizens can be protected in the US, whose legal landscape is fundamentally different.
The CJEU ruling in the Schrems II case on July 16, 2020 sided in large part with Max Schrems, invalidating the Privacy Shield as a mechanism for EU-US personal data transfer and imposing strong obligations on data controllers and data protection authorities in each EU member state to ensure adequate protection for personal data transfers when using Standard Contractual Clauses as a mechanism.
Swiss-US Privacy Shield also struck down
On September 8, 2020, following an assessment of the CH-US Privacy Shield that ensures data transfers between Switzerland and the US, the Swiss Federal Data Protection and Information Commissioner (FDPIC) struck down the transfer regime as inadequate.
The FDPIC deemed the US to have an inadequate level of data protection and the CH-US Privacy Shield transfer mechanism was invalidated – just as the CJEU has invalidated the EU-US Privacy Shield.
What is Schrems II
Schrems II is an EU Court of Justice (CJEU) case ruling on the mechanisms that allow personal data flows from the EU to the US. The CJEU struck down the Privacy Shield, a widely-used framework for personal data transfer to the US, and ruled that Standard Contractual Clauses (SCCs) can be used, so long as the data controller, data recipient and data protection authority in the EU member country deem the transfer to be able to ensure an adequate level of data protection.
Does my website send data to the US?
Is my website GDPR compliant?
For your website to be compliant with the General Data Protection Regulation (GDPR), you must ask for and obtain the explicit consent from end-users prior to any collection, processing or sharing of their personal data. If you have Facebook or Google cookies on your website, these are only allowed to be activated after your users have given their consent.
How can I scan my website for cookies?
Using a consent management platform with world-leading scanning technology enables you to deep-scan your domain to detect and control all cookies and similar tracking technologies. Mapping out your website’s cookie setup gives you instant insight into how your website processes personal data and where in the world it sends this data.
Try Cookiebot CMP free for 14 days… or forever if you have a small website.