The General Data Protection Regulation (GDPR) changed the landscape of data privacy and placed individuals at the center of data protection. It imposed restrictions on cross-border transfer of personal data and provided the mechanisms that can be utilized for such transfers. This was done to ensure that any transfer of personal data outside the European Union (EU) region was sufficiently protected.
Under the GDPR, Standard Contractual Clauses (SCCs) and the EU-US Privacy Shield are the most widely used mechanisms for transfer of personal data. These transfer mechanisms were challenged by Maximilian Schrems, a lawyer and privacy activist, on the grounds that personal data, in transfer or when stored in the US, could be accessed by intelligence agencies.
On July 16, 2020, the Court of Justice of the European Union (CJEU) published its decision in the matter of Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18 (Schrems II case). This was a landmark judgement that had an impact on the cross-border data transfer mechanisms utilized by several large organizations. The judgement concluded the following points:
- Confirmed the validity of the SCCs used for data transfer between EU and non-EU countries, subject to the requirement that the business verifies on a case-by-case basis that the personal data being transferred under the mechanism is adequately protected
- Abolished the EU-US Privacy Shield as a data transfer mechanism for transferring personal data from the EU to the US due to its inability to protect European Economic Area (EEA) data subjects' personal information from U.S. surveillance laws
The Schrems II judgement is relevant to EU-based organizations as well as organizations that collect data of EU citizens, regardless of a physical presence in the EU. This judgement will also have an impact on organizations in the US and worldwide as it relates to international data flows.
On June 4, 2021, the European Commission (the Commission) published the final version of the new Standard Contractual Clauses (new SCCs) governing international transfer of personal data.
Need for Schrems II compliance
The Schrems II judgement and the new SCCs significantly change the data transfer mechanisms currently utilized by organizations for cross-border data transfer. Today, cross-border transfers are an essential part of the global economy, with data being transferred from the EU to the US as well as other third countries. Schrems II will apply to all organizations, irrespective of whether they are headquartered in the EU or outside, if they are involved in transfer of personal data outside the EU region.
Some examples of services impacted by Schrems II include cloud storage, telecommunications, software-as-a-service, digital platform providers, and business process outsourcing. For example, any telecommunications company providing roaming services to an EU resident travelling to a third country such as the US or India will fall within the purview of Schrems II due to the exchange of personal data between the EU and the third country. Similarly, IT services providers, contact centers and outsourcing of business processes often require transfer of, or access to, personal data from the EU region to third countries such as India and China. Any company providing services that require cross-border transfer of personal data would need to comply with Schrems II and execute the new SCCs as a data transfer mechanism.
According to privacyshield.gov, close to 4,000 companies rely on EU-US Privacy Shield as a data transfer mechanism, which has been abolished by Schrems II.
DIGITALEUROPE’s Schrems II Impact Survey Report has provided the following implications:
- The vast majority of companies using SCCs (75%) have their headquarters in Europe, with US-headquartered companies coming in a distant second (13%)
- Over half of SCC users transfer data to close business partners or non-EU subsidiaries (57% use controller-to-controller SCCs), while almost all transfer data in order to outsource processes or services
- Almost everybody transfers to the US, but six out of ten transfer data to Asia or the UK, South America, the Middle East and Africa
Timelines for Schrems II compliance
The new SCCs come into effect from June 27, 2021 (see Figure 1). Organizations will have 18 months, until December 27, 2022, to incorporate the new SCCs into existing contractual arrangements involving international transfers and to re-negotiate contracts with customers, vendors and sub-contractors. Organizations have been provided a limited period of three months, until September 27, 2021, during which they can still utilize the old SCCs when entering into new contracts. However, such contracts will have to be updated with the new SCCs within the stipulated timeline of 18 months.