Updated November 12, 2020.
In July 2020, the European Court of Justice (CJEU) struck down the Privacy Shield that secured unrestricted EU-US data flow, on the grounds that personal data transferred to and stored in the US could not be guaranteed a level of data protection as adequate as that under the GDPR.
In this blogpost, we guide you through the Schrems II ruling, the European Data Protection Board’s (EDPB) recommendations for assessing and securing data transfers outside of the EU, and the consequences for your website.
Use Cookiebot’s powerful scanner to see where in the world your website sends data to.
On Thursday, July 16, 2020, the EU Court of Justice (CJEU) delivered a ruling in the case known as Schrems II (C-3111/18), in which the mechanisms for personal data transfers between the EU and the US were challenged based on the argument that US law cannot adequately ensure protection of EU personal data.
In a landmark decision, the CJEU struck down the Privacy Shield, one of the most widely used mechanisms allowing US commercial companies to transfer and store EU personal data in the US.
The decision by the CJEU to rule the Privacy Shield invalid renders the US a non-adequate country without any special access to Europe’s personal data streams.
Next, the CJEU validated the Standard Contractual Clauses (SCCs), another commonly used mechanism for transatlantic data transfers, saying that this mechanism does make it possible in practice to ensure compliance with the level of protection required by EU law.
However, the decision requires data controllers to assess the level of data protection in the data recipient’s country and to suspend transfer if deemed non-adequate. It also underlines the strong obligation of each data protection authority in all EU member states to suspend the transfer of personal data if they deem it unsafe according to EU data protection requirements.
On November 10, 2020, the European Data Protection Board (EDPB) adopted recommendations for how to transfer data outside of the EU in a step-by-step guide for companies and organizations, delivering clarity to the industry confusion that has existed since the Privacy Shield was struck down earlier in 2020.
The EDPB recommendations help website owners and operators navigate the legal ocean of sending data outside of the EU to non-adequate countries, such as the US, while making sure that the data remains protected.
The EDPB also released a second document – EU Essential Guarantees – that can be used as support for website owners and operators when assessing whether data transfers to a country are secure or not.
N.B. keep in mind that websites can send data in other ways than through cookies and trackers.
You need to know where in the world your website sends end-user personal data to – this is step one.
This is key to everything else, because if you find out that your website is sending personal data from users to e.g. the US, additional steps need to be taken to ensure compliance.
Mapping out your website’s data flow can be a very difficult task, but Cookiebot’s powerful website scanner automatically detects all cookies and trackers on your site and gives you a detailed report on where in the world your website sends data to.
Once you have an overview of where in the world your website sends personal data to, step two in the EDPB recommendations is to make sure that you use the right transfer mechanism.
If your website sends personal data to countries with an EU adequacy agreement (e.g. Japan), you don’t need to take any further steps regarding these data transfers.
But if your website is also sending personal data to countries without an EU adequacy agreement (e.g. United States), you need to make sure that your website uses one of the transfer tools listed in Article 46 of the GDPR.
And remember, you always need the consent of your end-users before collecting or processing any personal data – even if you don’t send it to countries outside the EU.
Evaluating whether a country has laws or privacy practices in place that can guarantee an equivalent level of data protection for your website’s users and their personal data is step three in the EDPB recommendations guide.
This step might seem a bit tricky – perhaps you’re not very familiar with US privacy law?
Here is where the EDPB’s EU Essential Guarantees can help you determine a country’s level of data protection.
The EU Essential Guarantees can help you get an overview of how to do such an evaluation on the countries your website sends data to, such as looking for whether –
If you discover that your website sends personal data from end-users to e.g. the US, which is not recognized as having an adequate level of data protection, step four of the EDPB recommendations maps out how you can ensure additional security around your data transfers so that they meet EU standards of equivalence.
These supplementary measures in the EDPB recommendations include –
In step five and step six of the EDPB recommendation guide, you are encouraged to document your data transfer practices and how you ensure adequate protection for your website’s end-users.
You are also encouraged to reevaluate your data transfer practices at appropriate intervals to make sure that you’re always up to date on the latest developments in the countries you send personal data to.
Scan your website to get full overview and control of all cookies and tracking in operation on your domain.
Cookiebot’s world-leading scanning technology enables you to map out what kind of data your website processes and where in the world it sends user data to.
With Cookiebot, you get total transparency into your website’s data flows and full control of third-party cookies, such as Facebook and Google cookies from the US.
Cookiebot’s consent banner enabling full GDPR compliance on your website.
Cookiebot’s consent management platform enables true consent for end-users through a cookie banner that automatically groups all trackers into four easy-to-understand cookie categories, which end-users can activate and deactivate in a granular fashion, ensuring valid consent under the GDPR.
Cookiebot’s scanning technology finds all cookies and trackers on your website and maps out exactly what kinds of personal data they process and where in the world they send data to – allowing you to quickly gain full insight into your domain’s compliance level and end-user data protection.
Cookiebot’s consent management platform hands over full control to the end-user, enabling them to give granular consent to each specific data processing purpose, as required under the GDPR to ensure full personal data protection.
Cookiebot is fully customizable, allowing your website to inform its users of your specific cookie and tracking setup and to engage them in honest and transparent dialogue about what data you process, how, for what purpose and where in the world it is sent to.
Try Cookiebot free for 30 days... or forever if you have a small website
Named after Austrian lawyer and data privacy activist Max Schrems of NOYB, the Schrems II case challenged two of the most widely used mechanisms for transferring personal data from the EU to the US, namely the Standard Contractual Clauses (SCCs) and the Privacy Shield framework.
The EU’s General Data Protection Regulation (GDPR) requires a country to have an adequate level of data protection before personal data can be transferred to it from the EU. Adequacy decisions made by the EU Commission determine whether personal data can legally be sent to a country outside the EU.
The United States is not recognized by the EU as having an adequate level of data protection, but several transfer mechanisms allow commercial companies and organizations in the US to engage in transfers of personal data from the EU to the US where it is then stored.
These include the Standard Contractual Clauses (SCCs), Privacy Shield and Binding Corporate Rules (BCRs).
The Schrems II case made its way to the CJEU from a request in 2015 by Max Schrems to the Irish Data Protection Commissioner to order Facebook to suspend its data transfers from the EU to the US.
Facebook’s practice of transferring personal data out of the EU via their servers in Ireland to their headquarters in the US relies on the SCCs.
The Schrems II case challenged the legality of this system, arguing that an EU-adequate level of data protection cannot be ensured by Facebook, since US laws (like FISA 702 and EO 12.333) mandate mass surveillance, in sharp contrast to EU law (like the GDPR), which mandates strong data privacy.
Schrems’ request to ban Facebook data transfers from the EU to the US made its way through the Irish High Court to the CJEU, referred to the top EU court as eleven questions that all deal with issues around whether and how personal data from EU citizens can be protected in the US, whose legal landscape is fundamentally different.
The CJEU ruling in the Schrems II case on July 16, 2020 sided in large part with Max Schrems, invalidating the Privacy Shield as a mechanism for EU-US personal data transfer and imposing strong obligations on data controllers and data protection authorities in each EU member state to ensure adequate protection for personal data transfers when using Standard Contractual Clauses as a mechanism.
On September 8, 2020, following an assessment of the CH-US Privacy Shield that ensures data transfers between Switzerland and the US, the Swiss Federal Data Protection and Information Commissioner (FDPIC) struck down the transfer regime as inadequate.
The FDPIC deemed the US to have an inadequate level of data protection and the CH-US Privacy Shield transfer mechanism was invalidated – just as the CJEU has invalidated the EU-US Privacy Shield.
Schrems II is an EU Court of Justice (CJEU) case ruling on the mechanisms that allow personal data flows from the EU to the US. The CJEU struck down the Privacy Shield, a widely-used framework for personal data transfer to the US, and ruled that Standard Contractual Clauses (SCCs) can be used, so long as the data controller, data recipient and data protection authority in the EU member country deem the transfer to be able to ensure an adequate level of data protection.
For your website to be compliant with the General Data Protection Regulation (GDPR), you must ask for and obtain explicit consent from end-users prior to any collection, processing or sharing of their personal data. If you have Facebook or Google cookies on your website, these are only allowed to be activated after your users have given their consent.
Using a consent management platform with world-leading scanning technology enables you to deep-scan your domain to detect and control all cookies and similar tracking technologies. Mapping out your website’s cookie setup gives you instant insight into how your website processes personal data and where in the world it sends this data.