Global Law Experts Logo
GLE-PP

Find a Global Law Expert

Specialism
Country
Practice Area
awardsr

Awards

Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.

Transferring Personal Data to the US After the Schrems Ii Judgment? Everything You Need to Know to Avoid Legal Risks

posted 4 years ago

The Austrian Max Schrems has once again been succesful in one of the many privacy lawsuits that he has regularly conducted over the past years. The consequences are significant this time. After the “Safe Harbor” system had already been brought down, the “Privacy Shield” has now also been brought to an end by Schrems (on perfectly logical grounds, by the way). 

The “Privacy Shield” between the EU and the US ensured that personal data could be exported securely and in compliance with GDPR to the United States by European companies. Many US cloud services, apps and software tools have relied on the Privacy Shield to offer their services to European customers in a legally compliant manner.

But as it now shows, Privacy Shield itself is not compliant with European data protection laws and the ECJ has now put a ban on the whole system. 

What does this mean for your company? Read all about it in this article.  

Transfer of personal data outside the EU?

Transferring personal data to persons or companies outside the European Union is in principle not allowed under GDPR. The European legislator assumes that countries outside the EU (or rather the EEA, which is the EU, expanded with Norway, Iceland and Liechtenstein) cannot necessarily offer the same level of data protection as the level that exists in Europe under GDPR. Therefore, personal data may only be transferred outside the EEA under very specific conditions.   

First, there is a (very short) list of “safe” countries, which are expected to provide a similar level of protection based on their own legislation. This list includes a number of British Commonwealth countries, as well as Japan, Canada, Argentina and Israel.  

In order to transfer data to a recipient in a country that is not on this list, one can do so on the basis of two systems. 

When it comes to transfers within a group of companies, so-called “Binding Corporate Rules” can be drawn up internally. BCR’s are internal regulations that must be approved by the competent Data Protection Authority and that have to guarantee the safety of data exchanges within the group. 

If one wants to transfer data to a company that does not belong to the same group, such as a cloud provider, an external software developer, an offshore call center, etc … on the other hand, one must ensure that an agreement is signed with the recipient in which a whole series of guarantees is explicitly provided. The European Commission has created Standard Contractual Clauses for this purpose that can be copied one-to-one in such an agreement.

Anyone who transfers personal data and cannot fall back on one of these legal constructions, is at risk of incurring very high fines.

Privacy Shield?

Many technology companies are located in the United States and there is therefore a lot of personal data export from the EU to the US. However.  Since data protection laws in the US do not offer the same “adequate” level of protection as the stringent requirements set by GDPR in the EU, the US has never been shortlisted by the EU as a “safe country”.  

In order to ensure that American companies could continue to trade with partners in the EU, a different and specific system for data exchange between Europe and the United States was set up many years ago. That system was successively called the Safe Harbor system and later the Privacy Shield and prevented US companies from having to enter into Standard Contractual Clauses with their customers in the EU whenever data had to be passed on to them, for example because they were stored or processed on their servers. Safe Harbor and Privacy Shield ensured that US companies provided an adequate level of security for personal data if they met a number of strict conditions and were certified in the US. It was in other words not the American legislation itself, but the safety level offered by American companies that was considered “adequate”.      

The first version of this system, Safe Harbor, was successfully attacked in 2015 by Max Schrems, who believed that US companies could never guarantee an “adequate” level of security for personal data because US law grants far-reaching rights to US intelligence services that allows them to monitor and analyze personal data. This complaint ultimately resulted in the Safe Harbor system being declared invalid and replaced by a similar system called the Privacy Shield.

With regard to the validity of that Privacy Shield, the European Court now quite rightly says that this regulation in its turns still cannot provide a level of protection equivalent to the level of protection that exists within the EU. Again, this is due to the extensive interference of US intelligence services, which systematically and widely monitor data from emails and cloud storage services based on, amongst others, the Foreign Intelligence Surveillance Act or Executive Order 12333 or the Presidential Policy Directive. The Court of Justice therefore now declares the Privacy Shield to be invalid.

What does this mean for me?

This decision has far-reaching consequences. After all, a lot of online service providers from the US rely on the Privacy Shield to legally process personal data of their European customers. The whole system is now shattered with one stroke of a pen and thousands of American companies no longer meet the minimum conditions to store or process personal data of European citizens. This concerns, for example, cloud storage services, hosting services, all kinds of online tools for online marketing, CRM, accounting packages, ERP, but also, for example, local software developers, consultants, call centers, etc …  

Strictly speaking, all of a sudden and overnight, European companies are no longer allowed to exchange personal data with their American partners. If they do so anyway, they will expose themselves to immense fines and if any data breach should occur at such a non-compliant partner in the US, the European companies involved may also be held liable for all damages following from such a data breach, in addition to the aforementioned fines. 

An additional problem: Brexit

Not only data export to the US under the Privacy Shield is problematic, by the way. By the end of 2020, an equally serious legal problem will arise for European companies that export data to the United Kingdom. After all, if there is no Brexit deal by the end of 2020, the UK will from then on become a “third” country, which for the time being does not have an adequacy decision by the European Commission and to which personal data can therefore no longer be automatically exported.

In other words, British companies will be in the same situation as American companies by the end of this year: they will have to conclude data export agreements with their European customers on the basis of the Standard Contractual Clauses of the European Commission, failing which European companies will no longer be allowed to cooperate with them. 

The solution

Fortunately, the Court ruled that the system of Standard Contractual Clauses is not invalid. The solution is therefore clear: European companies must ensure that all cooperation with US partners, which were based on the Privacy Shield as soon as possible to be replaced by an agreement based on the Standard Contractual Clauses of the European Commission … 

The Commission has worked on modernizing those standard clauses, which go back to 2010 and are no longer GDPR-compliant. It has been waiting for the Schrems-II case to be resolved before releasing them officially, but we can now expect the updated clauses to be made public soon. Anyone who relied on the old clauses in the past may also have to update their agreements in the near future …

What exactly should I do?

  1. Look out for new guidelines from your local Data Protection Authority, the EDPB and the European Commission.

  2. In the meantime, do an internal audit of your pending agreements and watch out for:

    • Data transfer to US partners previously covered by the Privacy Shield

    • Data transfer to UK partners previously located within the EU

    • Data transfer to any other country based on the old Standard Contractual Clauses 

    • Data transfer that is subject to binding corporate rules and that involves data transfer to the US. The ECJ does not mention Binding Corporate Rules, but they are a form of “appropriate protection” under Article 46, so the general comments on the need to review the law of the importing country may also apply here. Guidance from supervisory authorities on this point would be particularly welcome.

  3. Assess for each partner whether the existing framework is still sufficient

  4. Provide a new data export agreement where necessary based on the soon to be announced Standard Contractual Clauses.

  5. Keep in mind that transfer of data outside the EU is only possible if necessary and choose preference for European partners 

  6. Take into account the need that the European Court of Justice also imposes to assess the “appropriate” nature of local legislation, even if Standard Contractual Clauses (or Binding Corporate Rules within a group of companies) are used.  

  7. So -ideally based on a Vendor Assessment List- check the following points:

    • Which country personal data is transferred to?

    • Whether government authorities in that country could be entitled to access the data?

    • Is the data encrypted or tokenized during transport?

    • Whether, as GDPR requires, in addition to Standard Contractual Clauses or Binding Corporate Rules, sufficient safeguards have been taken by the recipient to make up for the lack of data protection in his or her country. The data exporter has a duty to ensure “appropriate safeguards”, especially as regards access by public authorities to data. If the (European) data importer may be required to submit data for inspection to his or her government, he cannot meet the requirement of an “adequate level of protection and must notify the data exporter in advance. This is a huge problem for the US in particular because of the previously cited intelligence legislation… In that case, the data exporter must immediately stop any transfer.

  8. If necessary, stop working with partners who are unable or unwilling to meet the required conditions. The potential impact on your business is far too great to take risks …  

Are all data transfer to the US illegal from now on?

This judgment places a time bomb under just about every data transfer to the US, by the way.  After all, almost all European data is transferred to the US via underwater fiber optic cables at the bottom of the ocean. The EHJ notes that the American NSA has systematic access to these cables and can collect and analyze data even before it arrives in the U.S. 

The ECJ rightly says that this de facto means that personal data is never “secure” in the US and can never be “processed with the minimum safeguards … and as a result, the surveillance programs based on these provisions cannot be considered as limited to what is strictly necessary”. The ECJ further notes that: “In those circumstances, the restrictions on the protection of personal data that arise from United States national law regarding the access to and use by the United States government of such data transferred from the European Union to the United States States are transferred States, which the Commission has assessed in the Privacy Shield Decision, are not defined to meet requirements that are substantially equivalent to those required by EU law … “.

In other words, this means that US law itself is incompatible with the EU’s minimum data protection requirements. Since all data sent to the US via a submarine cable appears to be sensitive to access by the NSA, it is difficult to see how a data exporter could conclude that his data is sufficiently protected by the recipient in the US. It remains to be seen how the various Data Protection Authorities and the EDPB react to this … 

Questions about data export under GDPR or need help with an audit of your current contracts?

Feel free to call or email us. Our team is happy to assist you. You can reach Bart Van den Brande at +32 486 901 931 or at bart@siriuslegal.be

You can also go to our website and download our Scxhremss II vendor assessment form for free: https://siriuslegaladvocaten.be/schrems-ll-data-export-vs/.  This document allows you to gatger all required information regarding data export from your non EU service providers.   

 

Profile photo

Bart van den Brande

Author

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0

Join

who are already getting the benefits
0
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox. Naturally you can unsubscribe at any time.

Online Casino Reviews

  • Freeroll Poker Tournaments For Real Money
  • Australian Online Casino Real Money
  • Best Slot App To Win Real Money
  • Online Casino Real Money Australia
  • Best Paying Online Pokies
  • Wizard Of Oz Online Slots
  • All Slots Casino Mobile
  • Best Online Poker App Real Money
  • Best Online Casino To Play Roulette
  • Is Online Casino Legal
  • Online Casino That Accepts Paypal
  • Play Roulette For Real Money
  • Slot Apps To Win Real Money
  • Real Money Slots Online Usa
  • Safe Online Casino
  • Wizard Of Oz Slots
  • Real Online Pokies Nz
  • Biggest Online Casino In The World
  • Online Casino Pay With Paypal
  • Online Casino That Accept Paypal
  • Online Casino Canada Real Money
  • 3 Card Poker Online Real Money
  • Online Slots Real Money Canada
  • Best Online Poker Sites For Real Money
  • Real Money Poker App Android Usa
  • How To Make Money From Online Casino Bonuses
  • Real Money Poker App Iphone
  • How To Play Blackjack Online For Real Money
  • Best Slots To Play
  • Top 10 Online Pokies
  • Best Poker Apps Real Money
  • Online Casino Legal
  • Best Payout Online Casino Uk
  • Win Money Online Slots
  • Online Poker Nj Real Money
  • How To Win Online Slots
  • Casino Gaming License
  • Play Real Pokies Online
  • Blackjack Sites For Real Money
  • Real Money Casino Games For Android
  • Best New Online Slots
  • Flaming 777 Slots Games
  • Online Blackjack With Live Dealers
  • How To Play Online Slots
  • Facebook Casino Games Real Money
  • Online Casino With No Minimum Deposit
  • How To Beat Online Slots
  • Online Casino License
  • The Big Payback Slots
  • Royal Vegas Online Casino Withdrawal
  • Online Casino Minimum Deposit 5
  • Online Pokies Real Money Australia
  • Las Vegas Usa Online Casino
  • Real Money Poker App Android
  • Wheel Of Fortune Slots
  • Game Of Thrones Slots
  • Online Poker Real Money Usa Legal
  • Best Online Casino European Roulette
  • Blackjack Online Real Money Paypal
  • Online Video Poker Real Money Usa
  • How To Create An Online Casino
  • Lucky Nugget Online Casino Mobile
  • How To Withdraw Money From Online Casino
  • Platinum Play Online Casino Download
  • Online Casino For Usa Players
  • Best Online Casino Usa Real Money
  • Online Roulette Real Money Usa
  • Best Real Money Poker Sites
  • Android Slots Real Money
  • How To Start An Online Casino Business
  • How To Start An Online Casino
  • How To Start An Online Gambling Site
  • Best Online Casino For Blackjack
  • Play Baccarat Online For Money
  • Online Pokies New Zealand
  • Best Slots To Play At Golden Nugget
  • Slots Of Vegas Online Casino
  • Best Online Pokies Site
  • How To Beat Online Roulette
  • New Zealand Online Pokies
  • Online Poker Mobile Real Money
  • Which Online Slots Payout The Most
  • Is Online Casino Legal In India
  • Online Casino Software For Sale
  • Best Online Casino For Craps
  • Hard Rock Casino Slots
  • Win Real Money Online Pokies
  • Online Casino With Highest Payout Percentage
  • Poker Apps With Real Money
  • Online Roulette Real Money Review
  • Full Tilt Poker Real Money
  • Online Casino 5 Dollar Minimum Deposit
  • Online Roulette With Real Money
  • Best Online Roulette For Real Money
  • I Migliori Casino Online Italiani
  • Best Payout Online Slots
  • How To Play Baccarat Online
  • Play Casino Card Game Online
  • Play Blackjack Online For Real Money
  • Best Paying Online Slots
  • Casino License Cost
  • Online Poker Real Money California
  • Safe Online Casino Australia
  • Online Roulette Australia Real Money
  • Online Poker Real Money Texas
  • Online Roulette Real Money Paypal
  • Online Slots Australia Real Money
  • Golden Nugget Online Casino Review
  • Casino Games To Win Real Money
  • Online Pokies Australia Real Money
  • Online Gambling Blackjack Real Money
  • Win Real Money Playing Slots
  • How To Win Roulette Online
  • Aristocrat Pokies Online Real Money
  • Hollywood Casino Online Slots
  • Play Online Keno For Real Money
  • What's The Best Online Casino
  • Triple Double Diamond Slots
  • Play Roulette Online With Real Money
  • Roulette Online For Real Money
  • Play Roulette Online Real Money
  • Best Online Pokies Real Money
  • Big Red Pokies Online
  • How To Win At Online Blackjack
  • What Is The Best Online Roulette Site
  • Real Money Online Pokies
  • Spin To Win Slots
  • Ruby Slots Online Casino
  • Wheel Of Fortune Online Casino
  • Spin Palace Flash Casino Online
  • Online Poker Real Money App
  • Online Casino With Paypal Deposit
  • How To Win At Online Roulette
  • Can You Win Real Money On Slot Apps
  • Is Ignition Casino Safe
  • Online Casino Blackjack Real Money
  • Online Casino Win Real Money Usa
  • How To Make Money Online Casino
  • Online Casino Real Money Reviews
  • Slot Games To Win Real Money
  • Jackpot City Online Casino Download
  • Online Pokies Real Money
  • Casino War Online Real Money
  • Online Casino No Minimum Deposit
  • Play Wheel Of Fortune Slots Online
  • Best Online Casino Game To Win Money
  • Online Casino Without Wagering Requirements
  • Online Slots For Real Money Usa
  • Legal Online Casino Australia
  • How Do Online Slots Work
  • Best Online Casino For Us Players
  • Online Play Casino Roulette Game
  • Online Blackjack Real Money Australia
  • Real Casino Games Real Money Online
  • Online Slot Machines Real Money Paypal
  • The Best Online Casino For Roulette
  • What Online Casino Pays Out The Most
  • Start Your Own Online Casino
  • Legal Online Casino
  • Online Live Roulette Casino Game
  • Playing Blackjack Online For Real Money
  • Online Penny Slots Real Money
  • Best Online Blackjack For Money
  • How To Win Online Roulette
  • Real Money Poker Sites Usa
  • Best Time To Play Slots
  • Online Keno For Real Money
  • Best Payout Online Slots Uk
  • Online Slots Real Money Reviews
  • Best Online Pokies Nz
  • What States Allow Online Gambling
  • Best Real Money Poker App
  • Online Slots To Win Real Money
  • Real Money Slots App Iphone
  • Jackpot City Flash Casino Online
  • Ignition Casino Legit
  • All Star Slots Casino
  • How To Play Online Casino
  • Real Time Gaming Slots
  • Online Video Poker Real Money
  • How To Play Roulette Online For Money
  • How To Win On Online Slots
  • Age Of Gods Slots
  • Online Real Casino Money Games
  • Best Online Slots To Play
  • Online Poker California Real Money
  • Is Jackpot City Casino Legit
  • How To Win At Online Slots
  • Play Poker For Real Money
  • Safe Online Pokies Australia
  • Best Way To Play Slots
  • How To Play Casino Online
  • Play Online Roulette For Money
  • Online Casino Australia Real Money
  • Which States Allow Online Gambling
  • Play Keno Online Real Money
  • How To Win Online Blackjack
  • Online Blackjack With Real Dealers
  • How To Open Online Casino
  • What Are The Best Online Slots To Play
  • Big Win Casino Slots
  • Spin Palace Online Casino Australia
  • Best Slots To Win On
  • Casino Slots Win Real Money
  • Slots Magic Online Casino
  • Blackjack Online For Real Money
  • Slot Machine App Win Real Money
  • Online Casino Not Paying Out
  • Slots That Pay Out Real Money
  • Online Pokies Australia Reviews
  • Online Casino Minimum Deposit 1
  • Jackpot City Online Casino Review
  • Live Dealer Baccarat Online Casino
  • Online Casino Apps For Android
  • Online Casino Paypal Deposit Australia
  • Online Casino With Live Dealer
  • How To Play Blackjack Online
  • Slots To Win Real Money
  • Wheel Of Fortune Online Slots
  • Play Quick Hit Slots Online
  • Can You Count Cards In Online Blackjack
  • Palace Of Chance Online Casino
  • How To Play Roulette Online
  • Good Slots To Play
  • Which Online Casino Pays Out The Most
  • Heart Of Vegas Casino Slots
  • Best Online Casino For Canadians
  • Australian Online Pokies Real Money
  • Mohegan Sun Online Casino Nj
  • Online Casino Live Games Best Uk
  • Best Online Casino Australia Reviews
  • Play Pokies Online Real Money
  • Best Online Casino For Usa Players
  • How To Win Online Casino
  • Play Blackjack For Real Money
  • Best Slots On Bovada
  • Online Keno Real Money Usa
  • Online Slots Real Money Paypal
  • Best Poker Sites For Real Money
  • Safe Casino Sites
  • The Best Online Slots
  • Play Keno For Real Money
  • Real Online Pokies Australia
  • Queen Of The Nile Slots
  • Mummys Gold Casino Online Casino
  • Play Keno Online For Real Money
  • Best Poker Websites Real Money
  • Lucky Nugget Online Casino Download
  • Best Online Casino For Roulette
  • Play Roulette For Money Online
  • Video Slots Mobile Casino
  • Best Time To Play Online Slots
  • Best Real Money Online Poker
  • Play Blackjack Online With Friends
  • Play Baccarat Online For Real Money
  • Is Silver Oak Casino Legit
  • Big Fish Casino Real Money
  • Can You Win Real Money On Caesars Slots
  • Game Of Thrones Slots Casino
  • Best Online Slots Payout Percentage
  • Play Online Pokies For Real Money
  • Play Pokies Online Australia
  • High 5 Casino Real Slots
  • The Best Online Pokies
  • Online Pokies That Accept Paypal
  • Heart Of Vegas Slots
  • How To Play Online Roulette
  • Best Poker App Real Money
  • Best Online Casino Fast Payout
  • Best Slots At Wind Creek Casino
  • Online Casino 10 Minimum Deposit
  • Play Roulette Online For Money
  • Us Real Money Poker Sites
  • How To Win In Online Casino
  • Best Online Pokies Australia Review
  • Where To Play Roulette Online For Real Money
  • How To Beat Online Casino Slot Machines
  • Highest Payout Online Slots
  • Best Paying Online Casino Slots
  • Golden Tiger Online Casino Review
  • Online Casino With Live Dealers
  • Play Roulette Online For Real Money
  • Best Slots To Play At Casino
  • Slot Machine Games Win Real Money
  • Most Popular Online Casino Games
  • Casino Slots App Real Money
  • Online Casino Real Money Canada
  • Online Real Money Pokies
  • Online Roulette Game Real Money
  • Online Casino Roulette Real Money
  • Best Place To Play Roulette Online
  • Online Casino Book Of Ra Paypal
  • Online Blackjack With Real Money
  • Play Online Blackjack For Real Money
  • Is There A Slot Machine App For Real Money
  • Royal Vegas Online Casino App
  • Best Casino Slots To Play
  • Most Popular Online Slots
  • Best Way To Win At Slots
  • Slots You Can Win Real Money
  • Play Roulette Online Real Money Usa
  • Online Casino Real Money Paypal
  • Online Casino Australia Legal
  • Treasures Of Troy Slots
  • Online Casino For Us Players
  • Where Can I Play Blackjack Online For Real Money
  • Online Casino Paypal Book Of Ra
  • Online Roulette For Real Money
  • Best Online Blackjack Real Money
  • Poker App For Real Money
  • Jackpot Magic Slots Facebook
  • Best Online Casino Real Money Usa
  • Best Online Casino New Zealand
  • The Four Kings Casino And Slots
  • How To Play Slots Online
  • Best Online Pokies Australia
  • Usa Online Slots Real Money
  • Real Money Casino Android App
  • Online Slot Machines That Pay Real Money
  • Online Pokies Real Money Nz
  • Online Pokies Real Money App
  • Play Igt Slots Online
  • Best Casino Slots To Win Money
  • Online Casino Business For Sale
  • Play N Go Slots
  • Poker Apps For Real Money
  • Lucky Slots Real Money
  • All Slots Online Casino
  • Best Online Pokies Real Money Australia
  • Online Pokies Win Real Money
  • Best Online Casinos For Roulette
  • Pay Slots For Real Money
  • Best Online Poker Real Money
  • Slots App Win Real Money
  • Play Online Roulette For Real Money
  • Is Ignition Casino Legit
  • Wheel Of Fortune Slots Online
  • Lotsa Slots Real Money
  • Video Poker Online Real Money
  • Online Slots Usa Real Money
  • Play Blackjack Online Real Money
  • Jackpot City Online Pokies
  • Video Slots Online Casino
  • Is 888 Casino Legit
  • Online Slot Games That Pay Real Money
  • Prepaid Visa Card Online Casino
  • How To Stop Online Gambling
  • Best Slots To Play Online
  • Online Blackjack For Real Money
  • Slot Apps For Real Money
  • Mobile Slots Win Real Money
  • Newsletter Sign Up

    About Us

    Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

    Social Posts

    See More:

    Contact Us

    Stay Informed

    Join Mailing List

    GLE