EU-US Data Privacy (Schrems II)

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its Schrems II ruling on data transfer mechanisms for transfers of personal data to processors established in countries without adequate levels of data protection (known as “Third Countries”).

The Court concluded that the EU-U.S. Privacy Shield, upon which many EU businesses had relied for their personal data transfers to the US, failed to provide sufficient protection for the data due to the surveillance powers afforded to U.S. Government authorities. Consequently, those businesses must now find alternative transfer mechanisms.

Standard Contractual Clauses (SCCs) are the most commonly used instrument to transfer data to third countries. However, SCCs do not bind the public authorities of third countries and, on their own, may not provide sufficient assurance of privacy. Where this is the case, such as personal data transfers to the US, SCCs must now be supplemented by additional measures to protect the data.

The Schrems ruling presents a significant challenge for a very large number of UK- and EEA-based controllers. Civica, like many other organisations, continues to carry out detailed work with all of its partners (in particular those based in the US) to evaluate the options available to mitigate the impacts of the Schrems II decision, recognising that this regulatory scenario continues to evolve. We recognise the UK Government statement and look forward to greater guidance from the UK Government and the ICO.

The UK Government is working with the Information Commissioner’s Office and international counterparts to address the impacts of the judgment and ensure that updated guidance on international data transfers will be available as soon as possible.