{"id":2686,"date":"2020-08-06T13:55:26","date_gmt":"2020-08-06T12:55:26","guid":{"rendered":"https:\/\/staging.techgdpr.com\/?p=2686"},"modified":"2025-04-29T11:15:28","modified_gmt":"2025-04-29T09:15:28","slug":"international-transfers-personal-data-schrems-ii-ruling","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/international-transfers-personal-data-schrems-ii-ruling\/","title":{"rendered":"International Transfers of Personal Data after the Schrems II ruling"},"content":{"rendered":"\n

On July 16, 2020, the top court of the European Union (CJEU) issued a groundbreaking <\/span>ruling<\/span><\/a> on the so-called \u201cSchrems II\u201d case concerning  international transfers of personal data from the European Union. It was meant to deal mostly with transfers to the main EU commercial partner – the United States – but turned out to have implications for all countries outside of the European Economic Area (EEA). <\/span><\/p>\n\n\n\n

In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.<\/span><\/p>\n\n\n\n

The Schrems-II ruling of the European Court of Justice on Transfers of Personal Data outside of the EU<\/b><\/h2>\n\n\n\n

The European Union is infamous for its diligent approach to the protection of the rights of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and individual rights are not abused as soon as they cross the EU border. <\/span><\/p>\n\n\n\n

The European Commission produced a <\/span>list<\/span><\/a> of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners. The requirement for those companies in this group is to self-declare and join the so-called EU-US Privacy Shield. Until recently, more than 5000 organisations\u00a0used\u00a0the scheme, among which Amazon, Facebook, and Google.\u00a0<\/span><\/p>\n\n\n\n

\n
\n

With its judgement, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US, illegal. Additionally, the ruling impacted another mechanism, that of Standard Contractual Clauses (SCCs), which was used in <\/span>88%<\/span><\/a> of international transfers, warning that these SCCs cannot always be used in transfers to third countries. It implied a similar fate for Binding Corporate Rules, another transfer mechanism for transfers within a corporate group.<\/span><\/p>\n<\/div>\n\n\n\n

\n
\"\"<\/figure>\n<\/div><\/div>\n<\/div>\n\n\n\n

<\/span><\/p>\n\n\n\n

As if this were not enough, the court left <\/span>no grace period <\/b>for organisations to understand their situation and come up with alternative transfer mechanisms applicable to their business model. It leaves thousands of transfers of personal data to the US and, presumably, to many other countries, unlawful. This is why a swift reaction is vital for companies in the EU.<\/span><\/p>\n\n\n\n

Step-by-step guide to international data transfers after the CJEU ruling<\/b><\/h2>\n\n\n\n

Step 1 – Audit existing transfers<\/b> <\/span><\/h4>\n\n\n\n

To start with, prepare a list of all connections with companies that imply transfers of personal data outside of the European Union. Acknowledge  that storing personal data on the cloud servers in another country, using third-party applications such as CRM, HR, payment systems, collaboration tools, video-conferencing or task managers definitely implies the international transfer of data. Remember that involving contractors or software development agencies from third countries also imply international data transfers.<\/span><\/p>\n\n\n\n

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most information can be parsed from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The current mechanisms used by the companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46.3.a) GDPR), Binding Corporate Rules (Art. 47 GDPR), or Derogations (Art. 49 GDPR).<\/span><\/p>\n\n\n\n

Step 2 – Choose appropriate safeguards<\/b><\/h4>\n\n\n\n

Pay specific attention to the transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data in the States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by the providers of cloud computing and telecommunication services.<\/span><\/p>\n\n\n\n

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers <\/span>whether they are subject to national laws that<\/b>:<\/span><\/p>\n\n\n\n