Frequently Asked Questions & Resources on ‘Schrems II’

Last Updated: July 2021

The following questions are a compilation and consolidation of the hundreds of questions the IAPP received during the five LinkedIn Live sessions we hosted the week following the decision of the Court of Justice of the European Union in the Case C-311/18: Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems. We are publishing these frequently asked questions and links to relevant resources from government authorities and privacy practitioners as a resource for privacy professionals working to respond to this significant court decision.

The CJEU decision included two main findings. First, it found the European Commission’s adequacy determination for the EU-U.S. Privacy Shield Framework invalid due to concerns regarding the necessity and proportionality of U.S. government surveillance authorities and the availability of actionable judicial redress for EU data subjects. Second, it reaffirmed the validity of standard contractual clauses, while stating that companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, provide additional safeguards to guarantee such protection or suspend transfers.

We will continue to update these FAQs as we identify additional resources and welcome the assistance of IAPP members. Please let us know at research@iapp.org if there are additional materials we should include.

Questions and Resources by Topic

Privacy Shield
Standard contractual clauses
Binding corporate rules
Derogations
Case-by-case assessments and supplementary measures
Types of data transfers/sectors affected
DPA guidance


1. What alternatives to Privacy Shield are available to U.S.-based companies that need a legal mechanism to transfer personal data to the U.S. in compliance with EU data protection rules?

 



2.
Can or should EU-U.S. Privacy Shield participants recertify considering the “Schrems II” decision?

 



3. Does “Schrems II” impact the Swiss-U.S. Privacy Shield?

 



4.
Does “Schrems II” impact use of the EU-U.S. Privacy Shield to transfer personal data from the U.K. to the U.S.?

 


On June 4, 2021, the European Commission released new standard contractual clauses for international transfers. Organizations will need to use these SCCs for all new data transfer contracts beginning late September 2021, and incorporate them into existing data transfer contracts beginning late December 2022. These new SCCs impact the answers to each of the questions below. These should be read in conjunction with the EDPB’s recommendations on supplementary safeguards cited in the relevant section below.

LinkedIn Live: SCCs master class with Bird & Bird Partner Ruth Boardman and IAPP Chief Knowledge Officer Omer Tene

Article analyzing the new SCCs by Fieldfisher Partner Phillip Lee

5. Can a business use SCCs to transfer data to the U.S.?

 



6.
Can a business use SCCs to transfer data to other third countries outside of the EU?

 


7. Can businesses still transfer data to the U.S. using BCRs?

 



8. Can businesses use BCRs to transfer data to other third countries outside of the EU?

 


9. Can businesses use one of the derogations of Article 49 GDPR to transfer data to the U.S or other countries?

 


10. How do businesses conduct case-by-case assessments of the sufficiency of foreign protections when using SCCs, BCRs or other transfer mechanisms?

 



11. When conducting case-by-case assessments, what is the appropriate comparator of sufficiency, as established by the Court of Justice by the EU in ‘Schrems II’?

 



12. What supplementary measures can companies use to provide sufficient protections when case-by-case assessments reveal deficiencies?

 


13. How does the Schrems II decision impact the transfer of HR data?

 



14. Does the Schrems II decision impact communications providers, tech companies, and/or companies across sectors?

 


15. Where can businesses find guidance from DPAs on transfers of personal data post-Schrems II?

Article by Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US, discussing DPA guidance.


 


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 2

Submit for CPEs