“For our privacy, the United States must seriously reform its supervision to reclaim the privileged status for American companies.” – Max Schrems

The 16 July 2020 Schrems II decision of the Court of Justice of the European Union (“CJEU”) had a huge impact on the personal data protection world (e.g., Google was obligated to immediately change its privacy policy). In that judgment, the CJEU highlighted the fundamental right to privacy in the context of transfers of personal data to third countries (see a summary of the judgment here).

In Schrems II, the CJEU invalidated the European Commission’s conclusion that the Privacy Shield offers adequate protection for personal data transfers pursuant to the EU’s General Data Protection Regulation (the “GDPR”). The Court declared that the agreement “does not grant Europeans actionable rights of recourse before the courts against the American authorities”.

Consequently, the Privacy Shield, currently used by thousands of American companies, can no longer be the basis for European data transfers to the United States.

Nevertheless, the Court declared that another arrangement, known as the standard contractual clauses (“SCC”), may be maintained, thereby offering companies an alternative framework.

However, the SCC are complex to apply in this context because the same issues that invalidate the Privacy Shield also apply to the SCC with American companies.

Decision 2010/87/EC on the SCC obliges the data exporter and the data recipient (the “data importer”) to verify, prior to each transfer and taking into account the circumstances of the transfer, whether such a level of protection is provided in the third country concerned. The Decision also requires the data importer to inform the data exporter of any inability to comply with the standard data protection clauses and, as applicable, with any measure in addition to those under the clauses. Should that be the case, the data exporter is required to suspend the data transfer and/or terminate the contract with the data importer.

Hence, as Mr. Herwig Hofmann, University of Luxembourg law professor and one of the lawyers pleading the Schrems cases before the CJEU, added: “There can be no data transfer to a country with forms of mass surveillance. As long as American law gives its government the power to run the vacuum cleaner over EU data transiting to the United States, those instruments will repeatedly be invalidated.”

In practice, this means that for almost all American companies, the SCC themselves do not guarantee a level of protection and confidentiality substantially equivalent to those required by the GDPR for the international transfer of personal data between the European Union and the United States.

Each agreement must thus be made on a case-by-case basis and must be supported by the European Union’s strict data protection rules, such as those under the GDPR.

So, it is clear that the United States must seriously amend its supervisory laws if American companies wish to continue to play a role in the European Union market.

Our advice?

Adapt your contracts, privacy notifications and processing activity registers if your company has carried out such transfers. Also, verify the guarantees established in the context of a personal data transfer and adapt them to the United States.

To assist you with this, the European Data Protection Board has adopted a document presenting the responses to questions frequently asked since the Schrems II decision. The document is available here.


For more information or assistance with the GDPR, contact our Digital team at +3522625621 or send us an email at contact@dsm.legal.

Renaud Le Squeren
Partner
Avocat à la Cour
Héloïse Cuche
Senior Associate
Avocat
Alison Front
Associate
Avocat
Kelly Quesada Vega
Associate
Jurist

By Kelly QUESADA VEGA, Jurist.