“For our privacy, the United States must seriously reform its supervision to reclaim the privileged status for American companies.” – Max Schrems
In Schrems II, the CJEU invalidated the European Commission’s conclusion that the Privacy Shield offers adequate protection for personal data transfers pursuant to the EU’s General Data Protection Regulation (the “GDPR“). The Court declared that the agreement “does not grant Europeans actionable rights of recourse before the courts against the American authorities”.
Consequently, the Privacy Shield, currently used by thousands of American companies, can no longer be the basis for European data transfers to the United States.
Nevertheless, the Court declared that another arrangement, known as the standard contractual clauses (“SCC”), may be maintained, thereby offering companies an alternative framework.
However, the SCC are complex to apply in this context because the same issues that invalidate the Privacy Shield also apply to the SCC with American companies.
Decision 2010/87/EC, relative to the SCC, imposes on a data exporter and data receiver (the “data importer“) the obligation to verify, prior to each transfer, and taking into account the circumstances of the transfer, whether such a level of protection is provided in the third country concerned, and Decision 2010/87/EC requires that the data importer inform the data exporter of any inability to comply with the data protection standard clauses and, as applicable, with any measure in addition to those under the clauses. Should that be the case, the data exporter is required to suspend the data transfer and/or terminate the contract with the data importer.
Hence, as Mr. Herwig Hofmann, University of Luxembourg law professor and one of the lawyers pleading the Schrems cases before the CJEU added: “There can be no data transfer to a country with forms of mass surveillance. As long as American law gives its government the power to run the vacuum cleaner over EU data transiting to the United States, those instruments will repeatedly be invalidated.”
In practice, this means that for almost all American companies, the SCC themselves do not guarantee a level of protection and confidentiality substantially equivalent to those required by the GDPR for the international transfer of personal data between the European Union and the United States.
Each agreement must thus be made on a case-by-case basis, and which must be supported by the European Union’s strict data protection rules, such as those under the GDPR.
So, it is clear that the United States must seriously amend their supervisory laws if American companies wish to continue to play a role in the European Union market.
Adapt your contracts, privacy notifications and your processing activity registers if your companies have effectuated such transfers. Also, verify the guarantees established in the context of a personal data transfer and adapt them to the United States.
To assist you with this, the European Data Protection Board has adopted a document aimed at presenting the responses to questions frequently asked since the SCHREMS II decision. The document is available here.
For more information or assistance with the GDPR, contact our Digital team at +3522625621 or send us an email at email@example.com.
|Renaud Le Squeren
Avocat à la Cour
|Kelly Quesada Vega
By Kelly QUESADA VEGA, Jurist.