The upbringing of Schrems II

Invalidation of the Privacy Shield

U.S. companies that do business in the EU are in for a nasty shock. For the past four years, the EU–U.S. Privacy Shield framework has allowed them to transfer data from the EU in line with EU privacy laws, namely the GDPR (General Data Protection Regulation). However, on July 16, 2020 the ECJ (European Court of Justice) ruled the Privacy Shield invalid as a result of the Schrems II case.

Creation of the Safe Harbor agreement

The Privacy Shield is not the first agreement on the transfer of data between the EU and the U.S. It was preceded by the Safe Harbor program, which was based on recommendations set out by the OECD in 1980 for the protection of personal data. These were propounded in the form of seven principles and found their way into the first EU law on data privacy, the DPD (Data Protection Directive), in 1995.

Like its successor the GDPR, the purpose of the DPD was to ensure that an individual’s data and privacy were always protected. The problem with data traveling across the Internet is that while the Internet crosses borders, laws do not. To protect EU residents, the EU passed Article 25 of the DPD (now Article 44 of the GDPR), which restricted the transfer of any information to a country that wasn’t considered adequate.

To enable data transfers to continue, the EU and the U.S. negotiated the Safe Harbor agreement. The program was developed and administered by the U.S. Department of Commerce in consultation with the EU to allow participating companies to transfer data from the EU to the U.S. It was instituted in 2000 and was in place until October 2015, when, pursuant to a lawsuit by an Austrian law student, Max Schrems, the ECJ ruled the framework invalid.

Safe Harbor’s replacement: The EU-U.S. Privacy Shield

This led to the possibilities of fines for U.S. companies and a scramble to replace the Safe Harbor. A new program, the EU–U.S. Privacy Shield, came into existence in July 2016 when the EU Commission decided it was ‘adequate’. However, the old problems had not gone away – nor had Schrems.

The Privacy Shield was designed for the DPD, but just before it was implemented, the EU adopted the GDPR, which superseded the DPD. Unlike the DPD, the GDPR has massive fines. It can also not be ignored. GDPR Article 44 set off a massive wave of non-EU countries adopting similar laws in order to come within the ‘adequacy’ provisions of Article 45. But the U.S. did nothing, instead choosing to rely on the Privacy Shield program.

The Privacy Shield, although popular with U.S. companies, was not so in Europe. In 2018, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs narrowly voted in favor of a resolution declaring the Privacy Shield inadequate. However, the EU Commission kept the Privacy Shield alive by confirming it during the mandated annual review.

Schrems does not back down

While the EU commissioners rolled over, Schrems did not. Instead he filed another lawsuit, Schrems II. The case eventually worked its way to the ECJ, the EU supreme court. After another year of deliberation, on July 16, 2020, the ECJ ruled the Privacy Shield invalid. This means that more than 5,300 organizations relying on it will have to find another way to transfer information.

One way is to use Article 46 (d) of the GDPR. This allows for transfers of information if the data subjects rights are protected by standard data protection clauses adopted by a supervisory authority, more commonly known as SCCs (standard contractual clauses). Before the decision, this was a relatively simple process. The organization in the EU transferring the information, often a subsidiary of the organization in the U.S., signed a contract with the organization receiving the information. This contract was based on a template and included specific clauses approved by the European Commission.

The court in Schrems II considered the use of SCCs and found them valid. However, it emphasized that the contracting parties had to ensure that the rights of EU residents were protected under these contracts. Both parties were under an obligation to do adequate due diligence and to document the protections in place. The EU supervisory authorities have the power to audit the actions surrounding the use of SCCs and put a stop to data transfers where it finds there is no adequate protection afforded by the country where the data is destined.

Stay on top of the ever-changing rulings with ISO 27001

It is important to put Schrems II into context. The GDPR is a privacy and cybersecurity law. Whether organizations in the U.S. like it or not, it is now the global standard. U.S. laws are lagging, but that is changing. There are dozens of proposals concerning cybersecurity and privacy in either the U.S. Congress or the states. When passed, these laws will impact the way businesses handle customer data for years to come, whether they do business outside of the U.S. or not. The best choice, perhaps the only choice, is to prepare now.

By far the best way to do this is to adopt the foremost international standard, ISO 27001. Its flexibility allows you to modify it to your regulatory environment, whatever that may be. Whether you are trying to comply with privacy laws in other countries, the HIPAA, the GDPR, or the new CMMC (Cybersecurity Maturity Model Certification), ISO 27001 together with the new privacy add-on, ISO 27701, means that your ISMS (information security management system) will have more than adequate documentation to satisfy the requirements of any regulator, anywhere. 

iso 27001 certification