The impact of the Schrems II judgment on your data transfers under the GDPR

Companies often rely on non-EU data centres and ‘storage in the cloud’. Does your company store data ‘in the cloud’? Does your company rely on non-EU data centres? Do you have no idea where your data is stored at all? If the answer to one or more of these questions is yes, it is important to take into account the provisions of the GDPR and, more specifically, the provisions on the transfer of personal data. The judgment that is the subject of this article has recently created a legal vacuum for the regime of data transfers.

On 16 July 2020, the Court of Justice delivered the so-called ‘Schrems II judgment’. Max Schrems is the Austrian lawyer who previously challenged the practices of internet giants concerning the transfer of personal data to third countries. In the first case, the Court of Justice nullified the Safe Harbour decision, as a result of which data could no longer be transferred without additional measures. The Privacy Shield replaced Safe Harbour, but even that was not enough for Max Schrems. This second Schrems judgment puts data transfers to third countries under the GDPR in jeopardy once again.

Below, we briefly explain the judgment and its consequences for companies.

1.    What are transfers of personal data?

Companies increasingly use storage ‘in the cloud’ to store their data and applications and use service providers located outside Europe or service providers inside Europe while the data itself is stored in non-EEA data centres. Did you know that these are transfers of personal data?

But what exactly is a transfer of personal data? We can define a transfer of personal data as any transmission of personal data to a recipient or location outside the European Economic Area (EEA). This clearly includes storage ‘in the cloud’, storage in data centres outside the EEA and the transmission of personal data to applications and service providers located outside the EEA.

In addition, the transmission of personal data by email to a recipient outside the EEA, or a website hosted outside the EEA with personal data published on it, may also constitute a transfer of personal data. It should be clear that many day-to-day activities of your company fall within the scope of the legal regime of data transfers under the GDPR.

The general principle for data transfers outside the EEA is that a mechanism under Chapter V GDPR must be relied upon. The recent Schrems II judgment has greatly impacted the interpretation of those mechanisms.


2.    Key points and implications of the judgment


2.1 Nullification of the Privacy Shield

One of those mechanisms in the GDPR is the so-called ‘adequacy decision’, in short an agreement between the European Union and a third country on the smooth flow of data between them.

Does your company store personal data in the United States or does it transmit personal data to a recipient in a third country, based on an adequacy decision? Or in the United Kingdom, Canada, Japan or Switzerland? If so, the first key point of the judgment is certainly relevant to your company.

It concerns the nullification of the Privacy Shield, i.e. the adequacy decision between the European Union and the United States, by the Court of Justice of the European Union. On the basis of this adequacy decision, companies could freely transfer personal data to the United States, just as under the Safe Harbour decision. The Court now nullifies the Privacy Shield because, on the one hand, it considers the US surveillance practices not to be ‘strictly necessary and proportionate’ and, on the other hand, because data subjects do not have an effective remedy against those practices, as required by Article 47 of the Charter of Fundamental Rights of the EU. Max Schrems scored another victory in the fight against internet giants, such as Facebook, with the nullification of the Privacy Shield. In addition, the judgment will not have a transitional period, although the obligations under the Privacy Shield will continue to apply. As a result, companies have to balance their obligations under the Privacy Shield and the implications of the Schrems II judgment.

The judgment not only creates ambiguity and concern for data transfers to the United States; other adequacy decisions, such as those with Canada, Japan and Switzerland, must also be questioned after the judgment. The intended adequacy decision with the United Kingdom after Brexit will also be called into question. Companies should therefore be extremely careful in how they deal with these uncertainties and inform themselves properly to avoid sanctions.


2.2 Standard contractual clauses

The second and potentially even more far-reaching key point of the judgment concerns standard contractual clauses (better known as SCCs). SCCs, together with Privacy Shield, are the main mechanism that companies rely on to justify data transfers. Although the Court does not declare SCCs invalid, it states that companies wishing to transfer personal data to third countries on the basis of SCCs must assess on a case-by-case basis whether the third country offers an ‘adequate level of protection’. This statement is very unclear and makes it very difficult in practice to deal with this mechanism in an objective and certain way.

The ‘adequate level of protection’ boils down to the strict necessity and proportionality of surveillance practices, together with effective remedies against those practices, which were the foundations for the nullification of the Privacy Shield. If the third country cannot guarantee this, companies must either provide additional safeguards or suspend or terminate the data transfers. The scope of the notion of ‘additional safeguards’ also raises questions after the judgment and only makes it more complex for companies to deal with the standard contractual clauses.


3.    What after Schrems II?

What can you do after such a drastic change? Can you no longer transfer personal data outside the EEA or make use of ‘the cloud’, data centres, applications and service providers outside the EEA? The answer is not unequivocal. Although the future for data transfers under the GDPR is clearly still uncertain after the judgment, we set out our advice and best practices for companies below:

  1. Map your personal data and data transfers. If you do not transfer personal data outside the EEA (which is unlikely), the judgment will not apply to your company.
  2. Conduct an audit. You should check for all processing operations whether you, as controller (or through your processor(s)), transfer personal data to third countries and on what basis.
  3. Consult a legal advisor, who can guide the assessment of the following points together with your company.
  4. For each transfer, check whether the third country offers an ‘adequate level of protection’, i.e. that the surveillance practices are ‘strictly necessary and proportionate’ and that data subjects have an effective remedy against such practices.
  5. If you want to invoke a third country adequacy decision, always check whether that decision is still in force and what the competent data protection authority says about it.
  6. If you wish to rely on standard contractual clauses to third countries that do not offer an ‘adequate level of protection’, take additional technical and/or organisational measures.
  7. If you transfer personal data to third countries only in an occasional way and to a limited extent, this may be justified by the explicit consent of the data subject.


Monard Law is happy to assist you with your questions regarding the consequences of the Schrems II judgment, transfers of personal data to third countries, standard contractual clauses or any other questions or issues regarding the GDPR.

