Schrems II:
International Data Transfer Compliance

Although the EU-U.S. Data Privacy Framework (DPF) has now been approved, the Schrems II judgment remains relevant for international data transfers. VeraSafe can help your organization bring clarity to the complex rules that govern transfers of personal data from Europe to the United States and elsewhere.

What Is Schrems II?

On July 16, 2020, the Court of Justice of the European Union (CJEU) concluded in its Schrems II decision that the EU-U.S. Privacy Shield Framework (Privacy Shield) was no longer a valid mechanism for transferring personal data from the European Economic Area (EEA) to the United States. The Court also tightened the rules for organizations that rely on Standard Contractual Clauses (SCCs) for international data transfers.

The introduction of the DPF makes it significantly easier to transfer personal data from the EEA to the U.S. However, organizations that still rely on SCCs must ensure that their data flows comply with the required privacy and security measures brought about by the Schrems II judgment. Non-compliance can attract fines of up to 4% of annual revenue or 20 million euros, whichever is higher.

International Data Transfer Strategic Planning

Key activities include:

Scoping of Data Transfers from the EEA

VeraSafe guides you through a discovery exercise to identify and document the categories and sources of personal data that your organization exports or receives from the EEA.

Identify Realistic Alternative Data Transfer Mechanisms

Depending on your organization’s circumstances, other GDPR-compliant data export mechanisms may be useful alternatives if you need to transfer personal data to a U.S. organization that has not certified under the DPF. Your VeraSafe privacy law and cybersecurity professionals will consider all available options and will recommend the best solution for your needs.

Confirm Compliance with “Appropriate Safeguards”

If the EU Standard Contractual Clauses (SCCs) will be used as part of your organization’s data transfer strategy, VeraSafe will:

  • Analyze your organization’s data transfers and data processing practices to confirm that you meet all requirements of the SCCs.
  • Draft a memorandum documenting and analyzing your organization’s legal exposure to government surveillance and confirming whether your organization offers an “adequate level of protection” as required by the SCCs.
  • Ensure that the new 2021 SCCs adopted by the European Commission are in effect between your organization and all clients or customers that may be exporting regulated personal data to you.
  • Analyze and recommend additional data protection controls to help ensure compliance with the SCCs and Schrems II.
  • Identify any data transfers to the United States and other countries that might require you to meet more stringent requirements in light of Schrems II.

Update Privacy Notices and Contracts

Your privacy notices and contracts must meet international data transfer requirements. We will support you through the process to ensure that your documentation is compliant.

Managing Vendor Relationships

VeraSafe will assist you in ensuring that all contracts with vendors processing personal data received from the EEA include the security and confidentiality obligations required under the SCCs and incorporate the latest guidance from the European DPAs. This includes reviewing, negotiating, and updating existing agreements with vendors, analyzing vendor exposure to applicable state surveillance laws, and keeping vendors informed of and compliant with all data transfer requirements, especially those relating to transfers to subcontractors and other onward transfers. VeraSafe will help your organization establish or revise your standard operating procedures for managing vendor relationships in light of Schrems II.

Managing Intra-Group Data Sharing

If applicable, intra-group data sharing agreements and intra-group data flows will be reviewed and analyzed to confirm that adequate data protection controls are in place and that intra-group data transfers are lawful and compliant with Schrems II.

Schrems II FAQ

What does approval of the DPF mean?

The European Commission’s adequacy decision recognizes the DPF as an adequate transfer mechanism to transfer personal data to DPF-certified organizations in the U.S. If personal data is transferred to a certified organization, it is not necessary to rely on SCCs.

How does this impact certifications under Privacy Shield?

Organizations previously certified under the EU-U.S. Privacy Shield Framework are automatically recognized as DPF certified, requiring only minor adjustments to their privacy notices.

What should I do about my organization’s current Swiss-U.S. Privacy Shield self-certification?

The U.S. Department of Commerce (DOC) will continue to administer the Swiss-U.S. Privacy Shield program until Switzerland and the U.S. agree on an updated transfer mechanism. The DOC also stated that the Schrems II judgment does not relieve participating organizations of their compliance obligations under the framework.

Switzerland and the U.S. will likely start negotiations to allow Swiss organizations to benefit from a Swiss counterpart of the DPF. Until then, Swiss organizations or entities receiving personal data from Switzerland can continue using the SCCs with supplemental measures.

Does Schrems II apply to data transfers from the UK to the U.S.?

Data transfers from the UK to the U.S. require the implementation of the International Data Transfer Agreement or the International Data Transfer Agreement and supplementary data protection measures. Contact VeraSafe for more detailed information.

Will there be a framework for data transfers from the UK to the U.S.?

On 8 June 2023, the UK Secretary of State for Science, Innovation, and Technology, along with the U.S. Commerce Secretary, jointly announced their intention to establish a UK-U.S. data bridge. The proposed data bridge between the UK and the U.S. aims to build upon the DPF by introducing a UK Extension. This extension would enable the smooth transfer of personal data from the UK to organizations in the U.S. that are certified under the DPF.

Does Schrems II only affect data transfers to the U.S.?

No. Regardless of the decision’s focus on the Privacy Shield and the SCCs for transfers to the U.S., the decision impacts all data transfers to recipients outside the EEA.

Can I still use SCCs to transfer personal data outside the EEA?

The use of SCCs to transfer personal data outside the EEA is still possible, but the rules for their use have been tightened and reliance on them is subject to increased scrutiny by the European data protection authorities. To use SCCs, both data exporters and data importers must perform a formal assessment and carry out ongoing monitoring of the data importer’s ability to comply with the SCCs. Depending on the outcome of the formal assessment, it may be unlawful to send data to certain third countries whose surveillance legislation is not aligned with the EU perspective on privacy rights, unless supplemental protection can be provided to the personal data. In practice, the use of SCCs requires a documented case-by-case analysis of whether the data importer in a third country can meet its data protection obligations and, if necessary, agreement on additional safeguards to ensure adequate protection for the personal data. VeraSafe has reviewed the guidance from all the European DPAs as to the legal, technical, and organizational measures that could be useful in conjunction with the SCCs to ensure continued legal data flows to the U.S. and other non-EEA countries and is ready to advise your organization on how to implement them.

Do I need to update my contracts to include the new SCCs adopted by the European Commission?

As of September 27, 2021, the new 2021 EU SCCs must be used for transfers of personal data in all new contracts. For existing contracts that relied on the previous “old” 2004 and 2010 SCCs, organizations were given until December 27, 2022, to transition to the 2021 EU SCCs.

Key contacts

Matthew Joseph

CIPP/E, CIPP/US, CIPM, FIP

Managing Director

Jim Cormier

CIPP/E, CIPM, FIP

Senior Vice President and Head of Professional Services

Getting Started

Take the first step towards adapting your data transfer practices to comply with Schrems II by contacting VeraSafe for a free consultation today.

Why VeraSafe?

Track record of implementing complex privacy regulations across industries.

Work directly with our in-house team of U.S. and European attorneys, IT experts, and project managers.

Strategic, risk-based approach to compliance.

Fully customizable Schrems II solution, tailored to fit your needs.

Holistic approach: We help you identify business opportunity hidden inside privacy regulations.

Going beyond just European privacy law, VeraSafe is your end-to-end partner for the entire privacy and cybersecurity domain.