Restricted Data Flow: What US Businesses Need to Know about International Data Transfers in the Wake of Schrems II and the GDPR

January 22, 2021

By: Amber L. Lawyer, John D. Clopper, and Shannon A. Knapp

International corporations, technology companies, businesses selling goods and services, and various other entities must comply with strict regulations when transferring personal data from the European Economic Area (EEA) to the U.S. The European Union’s (EU) General Data Protection Regulation (GDPR), which became effective in 2018, mandates that companies comply with certain data protection obligations in order to transfer personal data from the EEA to the U.S. A transfer of personal data out of the EEA may only take place if (1) the European Commission (EC) determines that a country, through its own data protection laws, provides for an adequate level of data protection, or (2) private entities put into place appropriate safeguards to adequately protect the personal data and privacy rights of EU residents. Because the U.S. does not have a federal data privacy law comparable to the GDPR, the EC has not certified that the U.S. provides an adequate level of protection for the personal data of EU residents. As such, organizations in the U.S. must work individually to put into place appropriate safeguards to transfer data outside of the EU.

As of its effective date, the GDPR set forth four ways in which an organization could implement adequate safeguards to permit data transfer from the EEA: (1) certification under the EU-U.S. Privacy Shield; (2) use of EU Standard Contract Clauses (SCCs); (3) adoption of Binding Corporate Rules (BCRs); or (4) through certain derogations enumerated in the GDPR (collectively known as “Data Transfer Mechanisms”).

In July 2020, the Court of Justice of the European Union (CJEU) issued its decision in Data Protection Commission v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (Schrems II), which invalidated the EU-U.S. Privacy Shield Framework, the principal mechanism relied on by thousands of U.S. companies to conduct trans-Atlantic data transfers. In Schrems II, the CJEU invalidated the European Commission’s previous determination that the EU-U.S. Privacy Shield offered an adequate level of protection. The CJEU found that the U.S. does not adequately limit government access to or surveillance of personal information. The CJEU also found that U.S. law failed to provide adequate mechanisms for judicial redress for persons whose data had been collected by means of certain U.S. surveillance laws. As a result, the CJEU held that the Privacy Shield did not offer a level of protection essentially equivalent to that offered by EU law.

While the CJEU’s decision only invalidated the Privacy Shield, and expressly allowed the continued use of SCCs to comply with the GDPR, the CJEU decision required businesses to verify, on a case-by-case basis, that individuals would be granted a level of protection in the receiving country essentially equivalent to that guaranteed within the EU. If a company determines that the law of the receiving country does not ensure an adequate level of protection, then it must provide additional contractual safeguards in order to transfer personal data to the receiving country.

On Nov. 10, 2020, the European Data Protection Board (EDPB) released its recommendations on supplementary measures. The recommendations outlined a six-step plan to ensure compliance with the Schrems II decision. This plan included recommendations for additional safeguards, such as technical safeguards (e.g., encryption and pseudonymization), contract mechanisms (e.g., technical and transparency obligations), as well as organizational mechanisms (e.g., internal guidelines). On Nov. 12, 2020, the European Commission proposed a draft decision updating the available SCCs in light of Schrems II. Most recently, on January 15, 2020, the EDPB and the European Data Protection Supervisor (EDPS) adopted a joint opinion welcoming many of the provisions contained in the EC’s draft SCC updates, but noting that several provisions could be improved, such as those relating to the SCCs’ scope, obligations regarding onward transfers, certain aspects of the assessment of third country laws regarding data access by public authorities and the notification to supervisory authorities.

It is more important than ever that U.S. businesses review their data transfer agreements and vendor contracts. After the invalidation of the EU-U.S. Privacy Shield, compliance with the GDPR has become even more complicated. Revisions to existing contracts incorporating SCCs may be necessary, and implementation of additional safeguards may also be necessary. 

If you have any questions regarding this memo, GDPR, or any other related matter, please contact Amber Lawyer, John Clopper, Shannon Knapp or any one of our attorneys in the Cybersecurity and Data Privacy practice.