The Schrems II judgment and data transfers to the US | PRO HR August 2020

2020.08.10

The impact of the Schrems II judgment (C-311/18) handed down by the Court of Justice of the European Union regarding data transfers to the US

Privacy Shield

As of 16 July 2020, the Commission implementing decision (EU) 2016/1250 of 12 July 2016, referred to as the Privacy Shield is invalid, which means that as of that date the Privacy Shield cannot be treated as the basis for the transfer of personal data to the US. The Court has stated that the requirements of the domestic law of the United States, in particular, the powers held by American authorities to obtain access to personal data for the purposes of national security, do not confer rights to these entities that could be enforced in the American courts. 

Even though this decision apparently pertains solely to the Privacy Shield, the case of Schrems II regarded the two bases for the transfer of personal data to third countries in the context of transfers to the US:

  • the Privacy Shield agreement,
  • standard contractual clauses.

What should a data controller do?

Whether an organisation transfers data to the US under the Privacy Shield is something that needs to be checked. If that transpires, there are two options:

  • some other basis for the transfer should be found,
  • the transfer should be suspended.

If the transfer of data is based on standard contractual clauses, then to ensure that its continuation is safe, having regard for the powers of American special services being challenged, it is necessary to check, in collaboration with the entity receiving the data or the assessment, whether additional safeguards should be put into place on top of the ones contemplated by the clauses.

More in the HR law newsletter - PRO HR August 2020.