Regular readers of our articles on data protection will recall that we recently commented on the European Court of Justice (ECJ) decision in Schrems II. The decision invalidated the EU-US Data Privacy Shield arrangements and set out limitations on which EU standard contractual clauses (SCCs) arrangements could be used to export data to countries whose laws might override the protections contained in the SCCs.
Privacy group noyb takes action on the back of Schrems II
Following the Schrems II decision, the European Center for Digital Rights – the privacy group of Max Schrems, which styles itself as "noyb" (as in "none of your business") – has filed complaints with the personal data regulators of every single EU member state. The complaints target 101 EU businesses for continuing to transfer personal data to US businesses despite the Schrems II ruling.
The basis of the complaints is that the websites for each business use Google Analytics or Facebook Connect. These transfer visitors' data to the US in breach (so the complaints allege) of the Schrems II judgment. noyb asserts that Google still claims to rely on Privacy Shield whilst Facebook relies on the SCCs. In relation to the latter, noyb's complaint is that the ECJ made it clear that US law and its legal system were not currently satisfactory in terms of providing equivalent protection for personal data to that guaranteed under EU law. Under Schrems II, SCCs can only be validly used to justify transfers of personal data to the US if accompanied by appropriate additional safeguards, which noyb do not believe exist. noyb are demanding that EU regulators take action.
This marks noyb's first step in turning up the heat on data controllers, processors and regulators, following the judgment. noyb are planning further complaints and targeted litigation, so watch this space.
Post-Schrems II planning
We still await formal guidance from EU regulators in response to Schrems II. However, it is clear that organisations will be expected to review data transfers that rely on Privacy Shield and SCCs and to come up with an action plan to shift away from Privacy Shield and review the use of SCCs to check they are still valid.
This guidance is yet to come, so organisations should be using this time to audit any data transfers to non-EEA countries to identify the mechanisms that are used and to check they are valid. In the case of Privacy Shield, the answer will be clear – and another mechanism will have to be found. For SCCs, reviewing each use on a case-by-case basis will be required, as well as looking to assess whether the local law in the destination country offers adequate protection. If not, it will need to be determined whether adequate additional safeguards are (or can be) put in place to meet the Schrems II requirements. Further due diligence checks may be required. That is likely to involve asking questions of the data importer since it is likely to be best placed to describe the legal regime in which it operates.
How can we help?
If your organisation transfers personal data to an organisation based in the US and you are currently relying on the Privacy Shield, we can help you explore the other options available to you to ensure you continue to meet your GDPR obligations.
Likewise, if you currently rely upon SCCs to transfer data and are concerned about whether you are meeting the standards required to sustain their valid use then please do not hesitate to contact us for advice.