What is Schrems II? Last week, a ruling from the Court of Justice of the European Union caused quite a stir in the world of data protection. But what does it all mean – and what are the implications for your organisation? We’ve put together a simple FAQ to help you get to grips with this issue.
The short version is that Privacy Shield doesn’t meet the GDPR requirements for adequacy, and standard contractual clauses (SCCs) aren’t enough to close the gap either. This isn’t a change to data protection law itself, but an official legal finding under the GDPR.
What’s the problem?
US laws allowing mass surveillance for intelligence and national security purposes are deemed by the EU to provide insufficient protection for the rights and freedoms of non-US-citizens. Particular types of organisation are affected by this – those covered by a law known as FISA-702, and by Executive Order 12.333. Privacy Shield isn’t robust enough to be an adequate equivalent to EU data protection law, and SCCs cannot provide suitable safeguards when the laws in the destination country are in conflict with the GDPR.
Haven’t we been here before?
If you’re feeling a touch of déjà vu, then you’re not alone – history is indeed repeating itself. Before Privacy Shield, there was Safe Harbor – which was challenged by Mr Schrems and found to be inadequate on a very similar basis. This time, SCCs have been looked at as well.
What should we do now?
- Don’t panic! (but don’t ignore the problem either; it’s not going to go away)
- Make sure there are no gaps in your ROPA and contract documentation.
- Identify your problematic US transfers and come up with a plan for moving towards compliance
- Don’t renew, or put any new arrangements in place which would rely on Privacy Shield or SCCs for data transfers to the US
- Allocate suitable resources and priorities for resolving this issue in the short, and longer terms
- Prepare your explanations for customers, suppliers, partners etc who will be asking about your approach to this issue
Contact Protecture on 020 3691 5731 to hear more about how we can work with you to manage your risk and move towards compliance.