The Schrems II Decision is a landmark ruling by the Court of Justice of the European Union (CJEU). In July 2020, the CJEU invalidated the Privacy Shield framework, which until this ruling had essentially served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States. (curia.europa.eu)
In order to be compliant with GDPR, when transferring personal data from an EU country to a country that does not have a confirmed adequacy status for its level of personal data protection (known as a third country), organisations must put in place a transfer mechanism that demonstrates an equivalent level of protection. This is what makes the data transfer legal. (gdpr-info.eu)
All of our services are operated and managed by a team of experts from our head office and data centre located in Dublin, Ireland. Phonovation does not transfer any personal data outside of the EU, which is why this judgement does not have an impact on our services. Where applicable, Phonovation continues to ensure that there are adequate contracts in place with vendors and third parties, as well as effective security controls to safeguard data.
The Schrems II judgement doesn’t necessarily mean you will have to reduce your data transfer practices, but the process will now be more complicated. This means that you will need to be particularly wary of when transfers are deemed necessary. Any data transfers for which you’d previously used the Privacy Shield must now be done using SCCs (standard contractual clauses). This is the mechanism used for data transfers between the EU and the rest of the world, so you may already be familiar with the process.
SCCs are legal contracts that outline the terms and conditions for data transfers and are designed for organisations that participate in two-way data sharing and in straightforward internal personal data transfers. SCCs only apply to the data processing activities set out in the agreement, so whenever the processing activities change, you will need to draft a new contract.
For an SCC to be lawful, organisations and regulators must conduct a case-by-case analysis to determine whether protections concerning government access to personal data meet EU standards. This again causes problems for EU-based organisations that intend to transfer personal data to and from the US.
Organisations in the US that use SCCs to receive personal data from the EU must inform the data exporter of any inability to ensure equivalent levels of protection. In those cases, the exporter will be required to suspend or terminate the data transfer under the SCCs. These issues mean that, although SCCs can work as a stopgap, organisations shouldn’t view them as a long-term solution. (itgovernance.eu)
Where personal data is transferred under SCCs: (i) determine the destination countries; and (ii) assess the nature of the personal data being transferred, in particular:
Organisations may consider creating a risk questionnaire for completion by data importers to help assess the third country’s surveillance laws. They may also choose to: