Schrems II is an important legal ruling from the European Court of Justice, made in 2020. The ruling invalidated the EU-US Privacy Shield, which was an agreement covering data transfers between the EU and the US.

There are a number of ways in which data transfers can still take place, including Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Transfer Impact Assessments (TIAs) now also need to be carried out.

This article will explain what Schrems II is, why it's important for your business to understand, what SCCs, BCRs, and TIAs are, and how to handle your international data transfers.

Let's begin.


What is Schrems II?

In 2020, the European Court of Justice (ECJ) heard a case called Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, brought by Max Schrems, a data privacy activist and lawyer.

The case was about how Facebook was transferring data from European customers to its headquarters in the United States, and questioned whether this was in violation of the General Data Protection Regulation (GDPR).

The concern was that once data is transferred to the US, it could be accessed by US intelligence agencies without the safeguards, privacy rights, and legal remedies that the GDPR requires.

The ECJ ultimately ruled that these transfers were in breach of the GDPR and should not be taking place.

What Does it Mean that the Privacy Shield is Invalidated?

You might have seen it written or reported that Schrems II has invalidated the Privacy Shield.

The Privacy Shield was an agreement between the EU and the US that allowed EU data to be transferred to the US without additional safeguards. However, it rested on the assumption that the US offered a level of data protection equivalent to that of the EU.

The Schrems II ruling held that this assumption did not hold, raising many concerns about the ways in which the US government could access data.

The Schrems II case meant that the Privacy Shield agreement was no longer valid.

Why is Schrems II Important for Businesses to Understand?

Instead of being able to rely on the Privacy Shield and transfer data freely, businesses now need to transfer data with other appropriate safeguards to keep data protected in line with the GDPR.

Schrems II is important for businesses to understand, because it governs the way that data transfers can occur between the EU and the US.

This is important if you are based in the US but have EU users or customers, or if you are based in the EU and use any US services, including cloud storage, SaaS products, or other processing that takes place in the US.

With a good understanding of the Schrems II case and what the law requires, you can make sure you are compliant and not breaking any legal rules.

There are a number of steps that you can take to comply. Some of these options are outlined in Article 46 of the GDPR, which covers "appropriate safeguards".

You can see in Article 46 (1) below that if there has been no adequacy decision made (a decision that states another country has good enough data protection laws), transfers can only take place under certain circumstances.

These transfers can only occur if "appropriate safeguards" are in place, and if enforceable data subject rights and legal remedies are available.

An excerpt from Article 46 of the GDPR focusing on the conditions for data transfer and implementation of appropriate safeguards

There are a number of options outlined in Article 46 (2) to provide "appropriate safeguards". These include Binding Corporate Rules (BCRs), as well as Standard Contractual Clauses (SCCs), among other things.

A detailed look at Article 46 (2) of GDPR, showcasing methods to provide appropriate safeguards including BCRs and SCCs

The most common approaches your business should consider include:

  • Using Standard Contractual Clauses (SCCs)
  • Using Binding Corporate Rules (BCRs)
  • Complying with the new EU-US Data Privacy Framework (DPF)
  • Considering non-US options for storage or services

To determine what approach you should use, you'll also need to conduct Transfer Impact Assessments (TIAs).

Let's take a look at each of those in more detail.

What are Standard Contractual Clauses (SCCs), and How Does Schrems II Affect Them?

Standard contractual clauses (SCCs) are a set of standardised clauses that can be used by businesses who are transferring data outside the EU, for example to the US. They are mentioned in Article 46(2)(c) of the GDPR, which you can see in the image above.

These clauses have been approved by the European Commission, and are considered to ensure "appropriate data protection safeguards".

SCCs were already in use before Schrems II. After the ruling, however, SCCs alone are no longer always enough: they need to be strengthened through the use of "supplementary measures".

Below you can see some examples of SCCs. The first example is the purpose limitation clause.

An example of a Standard Contractual Clause (SCC) emphasising the purpose limitation clause

In this clause, you can see that the data importer has to process the personal data only for the specific purposes of the transfer. They can't process the personal data for another purpose unless they have consent, or the processing is necessary for legal claims or the vital interests of a natural person.

This means that processing must be quite limited.

You can also see below that another SCC relates to accuracy. Data must be kept up to date, and reasonable steps must be taken to ensure this remains so.

An SCC related to accuracy, highlighting the importance of updating and maintaining relevant data

Also note that personal data must be "adequate, relevant, and limited to what is necessary". This is the data minimisation principle, and makes sure that no extra or unnecessary data should be processed or transferred. This helps to maintain the data privacy of the data subject.

Below you can also see that compliance with the SCCs needs to be demonstrated. This must be done with appropriate documentation.

A screenshot of an SCC demonstrating the requirement for compliance documentation in data transfers

This documentation must be provided to the relevant supervisory authority on request. This means that if a business does not comply with these SCCs, they could face legal and financial consequences for breach.

Alongside any SCCs, you also need to use supplementary measures to protect data.

What are Supplementary Measures?

Supplementary measures that can help strengthen SCCs were set out by the European Data Protection Board (EDPB) in response to Schrems II.

The EDPB has said that you can use a number of technical supplementary measures, including:

  1. Strong encryption for data in transit
  2. Pseudonymisation (as defined in the GDPR) of data in use, with the "additional information" that could reverse the pseudonymisation held separately in an EU member state
  3. Transfers to a "protected recipient", e.g. a medical body whose data is protected under health privacy laws, plus encryption
  4. Split or multi-party processing

Processing data in the clear (i.e. without pseudonymisation) is not sufficient. Remote processing of data is also not sufficient.
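The pseudonymisation measure above (item 2) is the one most often implemented in code. The added example below is not from the original article or the EDPB: it pseudonymises customer records with a keyed HMAC before export, keeps only the fields the purpose needs (data minimisation), and keeps the key and the pseudonym-to-identity table, i.e. the "additional information", on the EU side. The records, field names and the `EuPseudonymiser` class are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample records (fictional people) held by the EU exporter.
RAW_RECORDS = [
    {"email": "anna@example.eu", "name": "Anna Example", "country": "DE", "plan": "pro", "usage_gb": 12.5},
    {"email": "ben@example.eu", "name": "Ben Example", "country": "FR", "plan": "free", "usage_gb": 0.7},
]

# Only the fields needed for the processing purpose leave the EU (data minimisation).
EXPORT_FIELDS = ("country", "plan", "usage_gb")
# Direct identifiers are replaced by a pseudonym before transfer.
IDENTIFIERS = ("email", "name")


class EuPseudonymiser:
    """Holds the 'additional information' (key + lookup table) inside the EU.

    Only the output of pseudonymise() is transferred; the key and the
    pseudonym-to-identity table never leave the exporter.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, email: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key, a pseudonym
        # cannot be recomputed from a guessed e-mail address.
        return hmac.new(self.key, email.lower().encode(), hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, records: List[dict]) -> List[dict]:
        exported = []
        for rec in records:
            pid = self.pseudonym_for(rec["email"])
            self.lookup[pid] = {f: rec[f] for f in IDENTIFIERS}  # stays in the EU
            exported.append({"subject_id": pid, **{f: rec[f] for f in EXPORT_FIELDS}})
        return exported

    def reidentify(self, pid: str) -> Optional[Dict[str, str]]:
        # Reversal is only possible with the EU-held table.
        return self.lookup.get(pid)


def contains_direct_identifiers(exported: List[dict]) -> bool:
    """Pre-transfer check: block the export if any identifier field slipped through."""
    return any(f in rec for rec in exported for f in IDENTIFIERS)
```
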

You can also make sure any transfer recipient uses organisational measures, including clear policies and procedures for data access, processing, storage, and deletion. Additional contractual measures can also be used to strengthen data privacy protection.

Now let's take a look at Binding Corporate Rules.

What are Binding Corporate Rules (BCRs)?

Binding Corporate Rules (BCRs) are internal policies that you set up to explain how your organisation deals with personal data.

BCRs are particularly for cases when you will transfer personal data outside of the EU, and when you are working within a group of companies or branches of a company, because some branches or members of the group might be outside the EU.

BCRs are outlined in Article 47 of the GDPR. BCRs are usually used for larger companies and multinationals, rather than startups.

Here's one example of a BCR clause from the Allianz Group Companies:

A snapshot of a Binding Corporate Rules (BCR) clause from the Allianz Group Companies

You can see that much of the content is similar to what would be contained in SCCs. If your company grows or becomes part of a larger group, you might need to consider BCRs as well.

EU-US Data Privacy Framework

The EU-US Data Privacy Framework (DPF) is a post-Schrems II agreement that allows data to be transferred to some commercial organisations in the US, who have voluntarily complied with the DPF.

There are a number of principles set out in the DPF that these companies need to comply with. Both the US Department of Commerce and the Federal Trade Commission (FTC) play a role in ensuring compliance.

In 2024, however, Max Schrems and his organisation noyb - European Center for Digital Rights said they will challenge the DPF in the same way that the Privacy Shield was challenged.

There is a high risk for businesses that the DPF will also be struck down. Relying on SCCs or BCRs, combined with an appropriate assessment of transfer risk, is still a good option for ensuring compliance and adequate data protection.

Non-US Storage or Services

Another option, if you don't want to use any of these mechanisms, is to choose non-US data processing, storage, or services.

Some countries have been granted what is called an "adequacy decision". This means that the European Commission has decided that the country offers an "adequate level of data protection" compared to the EU, so data can be transferred there without additional measures to protect it.

The countries so far are:

  • Andorra
  • Argentina
  • Canada (commercial organisations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • The United Kingdom
  • Uruguay

These countries have shown that their data privacy laws are extensive enough to be equivalent to the protection of the GDPR. If you store, transfer or process data in these countries, you don't need to use SCCs or BCRs. You also don't need to conduct a TIA, because the European Commission has already decided that privacy protection is sufficient.

What are Transfer Impact Assessments (TIAs)?

Transfer Impact Assessments (TIAs) are assessments that your business should make before you transfer data outside of the EU. They help you to decide which measures you should take to protect data.

TIAs are required if you want to transfer data outside of the EU based on Article 46 options, including SCCs and BCRs. Before you decide to use SCCs, you have to carry out a TIA to determine whether your approach will actually be an "adequate safeguard" for the data you want to transfer.

If you are transferring to a country with an adequacy decision (discussed above) you don't need to use the mechanisms set out in Article 46, and you don't need to carry out a TIA.

CNIL, a French regulatory body for data privacy, has released a practical guide for writing TIAs. You can read the guide at the link here (in English). The main steps for a TIA that CNIL recommends include:

  • Know your transfer
  • Identify the transfer tool used
  • Evaluate the legislation and practices of the country of destination of the data and the effectiveness of the transfer tool
  • Identify and adopt supplementary measures
  • Implement the supplementary measures
  • Reassess the level of protection at appropriate intervals and monitor potential developments that could affect it

CNIL's guidelines provide a wide range of information and advice on how to conduct this process. You can see further details in the image from CNIL below:

A part of CNIL guidelines for writing Transfer Impact Assessments (TIAs) with the main recommended steps listed

Taking the correct steps in your TIA helps to make sure that your decision to use SCCs or BCRs is appropriate and protects personal data adequately.

Summary

Transferring data internationally after Schrems II requires a little bit more forward planning, particularly when transferring data to the US. You can no longer rely on the Privacy Shield between the US and the EU, and the new Data Privacy Framework is likely to be challenged as well.

If you make use of SCCs along with appropriate supplementary measures, and conduct a thorough TIA, you will be in a good position to ensure that your transfers are compliant and protect data in a way that is adequate when compared to the GDPR.
