Tacita has undertaken a large number of assessments and we are still finding that many companies have no knowledge of the Schrems 2 ruling that means that Privacy Shield cannot be relied on for transfers of personal data to the US. Thus we believe it is timely to refresh reader’s minds of what Schrems 2 is and what is required to be considered by companies that have not acted since the Schrems 2 ruling was made.
Schrems 2 is a landmark legal case that has significant implications for data privacy and the protection of personal information. Named after its plaintiff, Max Schrems, the case was brought against Facebook and was decided by the European Court of Justice (ECJ) in July 2020. The decision in Schrems 2 declared that the existing legal framework for transferring personal data between the European Union (EU) and the United States (US) was invalid.
The case began in 2013 when Max Schrems, an Austrian privacy activist, filed a complaint with the Irish Data Protection Commission (DPC) against Facebook. Schrems argued that the data of European citizens was being transferred to the US in violation of EU data protection laws, and that US intelligence agencies were using the data for mass surveillance purposes. The complaint was prompted by the revelations of Edward Snowden, who had exposed the extent of US government surveillance activities.
In the original case, Schrems v. Facebook (known as “Schrems 1”), the Irish DPC ruled in favour of Facebook, stating that the company was following the standard contractual clauses (SCCs) that were in place at the time for transferring personal data from the EU to the US. However, the ECJ overturned the decision in 2015 and invalidated the SCCs. This led to the creation of the EU-US Privacy Shield, a new legal framework for data transfers that was designed to provide stronger protection for EU citizens’ personal information.
However, in Schrems 2, the ECJ declared that the EU-US Privacy Shield was also invalid, as US law does not provide adequate protection for the privacy of EU citizens’ personal information. The court stated that US intelligence agencies can access EU citizens’ personal data without providing sufficient safeguards, and that the Privacy Shield framework did not provide EU citizens with an effective remedy to challenge such access.
The decision in Schrems 2 has far-reaching implications for organizations that transfer personal data between the EU and the US. Companies that relied on the EU-US Privacy Shield must now find alternative legal mechanisms for transferring personal data, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs). The decision has also placed a greater emphasis on organizations to ensure that they have robust data protection practices in place, and to carefully consider the privacy implications of their data transfers.
In summary, we recommend that all companies review the contracts that they have with US companies where there is a transfer of personal information and ensure that they are up-to-date and specifically, where Privacy Shield is still being used as the protection mechanism, that they urgently re-contract using GDPR compliant clauses. Tacita can provide assistance by reviewing your contracts and identifying issues.