Schrems II:
International Data Transfer Compliance

In the wake of the Schrems II judgment of the European Court of Justice (“ECJ”), VeraSafe brings clarity to the complex new rules that govern transfers of personal data from Europe to the United States. Partner with VeraSafe to solve your Schrems II data transfer conundrum and ensure your personal data imports and exports comply with the Schrems II judgment.

What Is Schrems II

On July 16, 2020, the ECJ concluded in its Schrems II decision that the EU-U.S. Privacy Shield Framework (“Privacy Shield”) was no longer a valid mechanism for transferring personal data from the European Economic Area (“EEA”) to the United States. With no grace period to allow companies to adapt, the Schrems II judgment obligates organizations previously depending on the Privacy Shield Framework to immediately identify an alternative solution to continue their data transfers from the EEA to the United States.

The Court also tightened the rules for organizations that rely on Standard Contractual Clauses (“SCCs”) for international data transfers. Organizations using SCCs must examine their data flows and determine if new privacy and security measures now need to be implemented. The European Data Protection Authorities have urged organizations to reassess their transfers of personal data outside the EEA in light of the Schrems II judgment. Non-compliance can attract fines of up to 4% of annual revenue or 20 million euros, whichever is higher.

VeraSafe Will Strategize a Cost-Effective, Schrems II Compliance Plan for Your Organization That Will Enable You to Continue Necessary Data Transfers.

Key activities include:

Initial Scoping of Data Transfers from the EEA

VeraSafe guides you through a discovery exercise, to identify and document the categories and sources of personal data that your organization exports or receives from the EEA.

Identify Realistic Alternative Data Transfer Mechanisms

Depending on your organization’s circumstances, various GDPR-compliant data export mechanisms may be a useful alternative to the Privacy Shield Framework. Your VeraSafe advisors will consider all available options and will recommend the best solution for your needs.

Confirm Compliance with “Appropriate Safeguards”

If the EU Standard Contractual Clauses (“SCCs”) are to be used as part of your organization’s new data transfer strategy, VeraSafe will:

  • Analyze your organization’s current data transfers and data processing practices to confirm that you meet all requirements of the SCCs.
  • Draft a memorandum documenting and analyzing your organization’s legal exposure to state surveillance and confirming whether your organization offers an “adequate level of protection” as required by the SCCs.
  • Ensure that the new 2021 SCCs adopted by the European Commission are in effect between your organization and all clients or customers that may be exporting regulated personal data to you.
  • Analyze and recommend additional data protection controls to help ensure compliance with the SCCs and Schrems II.
  • Identify any data transfers from EEA member states or regions which have more stringently/expressly restricted transfers of personal data to the United States in light of Schrems II.

Communication

VeraSafe will draft written material that your organization can provide to interested third parties (e.g., your clients) describing the Schrems II decision and the efforts your organization is taking to ensure compliance with the new EU data transfer rules.

Update Privacy Shield Disclosures

VeraSafe will update your organization’s privacy notice and will ensure that your agreements with clients and customers are revised, as needed, to introduce alternate data transfer solutions.

Managing Vendor Relationships

VeraSafe will assist you in ensuring that all contracts with vendors processing personal data received from the EEA include the security and confidentiality obligations required under the SCCs and incorporate the latest guidance from the European DPAs. This includes reviewing, negotiating, and updating existing agreements with vendors, analyzing vendor exposure to applicable state surveillance laws, and keeping vendors informed of and compliant with all data transfer requirements, especially those relating to transfers to subcontractors and other onward transfers. VeraSafe will help your organization establish or revise your standard operating procedures for managing vendor relationships in light of Schrems II.

Managing Intra-Group Data Sharing

If applicable, intra-group data sharing agreements and intra-group data flows will be reviewed and analyzed to confirm that adequate data protection controls are in place and that intra-group data transfers are lawful and compliant with Schrems II.

Benefits of VeraSafe’s Schrems II Response Program

Our experienced privacy attorneys and IT security experts bring a wealth of experience in crafting tailored realistic solutions for your organization’s needs. VeraSafe has crafted a Schrems II response program that reconciles our privacy attorneys’ analysis of guidance from data protection authorities with your unique needs, tailoring a response plan specific to your organization. Our highly experienced privacy lawyers, IT security experts, and project managers collaborate in this program to ensure your organization can continue key data transfers in compliance with the Schrems II judgment.

Schrems II FAQ

What should I do about my organization’s current Privacy Shield self-certification? Will there be a replacement for the Privacy Shield?

The U.S. Department of Commerce (“DOC”) has stated that it will continue to administer the Privacy Shield program and that the Schrems II judgment does not relieve participating organizations of their compliance obligations under the framework.

Meanwhile, the DOC and the European Commission have urgently begun the effort to develop an enhanced EU-U.S. Privacy Shield framework. Maintaining your Privacy Shield certification may ease the transition to the enhanced Privacy Shield framework.

However, to continue transferring data from the EEA, the UK, and Switzerland to the U.S., your organization must take action now.

Further, your organization can seek certification under the VeraSafe Privacy Program to help you demonstrate continued protection of the personal data received from Europe.

Does Schrems II apply to data transfers from the UK to the U.S.?

Data transfers from the UK to the United States cannot continue under the Privacy Shield Framework and require the implementation of supplementary data protection measures. Contact VeraSafe for more detailed information.

Is there any grace period during which my organization can continue to receive and transfer personal data from the EEA pursuant to the Privacy Shield?

The European regulators have released guidance stating that there will be no grace period to implement Schrems II compliance. Organizations that relied on the Privacy Shield for EU-U.S. data transfers need to find an appropriate alternative solution right away, or face potential regulatory enforcement actions. As an example, in 2021 the Italian data protection authority fined a university for transferring personal data to the United States of America without ensuring the transfer was subject to appropriate safeguards.

Does Schrems II only affect data transfers to the U.S.?

No. Regardless of the decision’s focus on the Privacy Shield and the SCCs for transfers to the U.S., the decision impacts all data transfers to recipients outside the EEA.

Can I still use SCCs to transfer personal data outside the EEA?

The use of SCCs to transfer personal data outside the EEA is still possible, but the rules for their use have been tightened. To use SCCs, both data exporters and data importers must perform a formal assessment and carry out ongoing monitoring of the data importer’s ability to comply with the SCCs. Depending on the outcome of the formal assessment, it may be unlawful to send data to certain third countries whose surveillance legislation is not aligned with the EU perspective on privacy rights, unless supplemental protection can be provided to the personal data. In practice, the use of SCCs requires a documented case-by-case analysis as to whether the data importer in a third country can meet its data protection obligations and, if necessary, agreement on additional safeguards to ensure adequate protection for the personal data. VeraSafe has reviewed the guidance from all the European DPAs as to the legal, technical, and organizational measures that could be useful in conjunction with the SCCs to ensure continued lawful data flows to the U.S. and other non-EEA countries and is ready to advise your organization on how to implement them.

Do I need to update my organization’s privacy policy?

If your organization transferred personal data from the EEA, the UK, or Switzerland to the U.S. on the basis of the Privacy Shield, you likely need to update your organization’s privacy notices to reflect your new data transfer strategy. VeraSafe is readily able to assist with this.

Do I need to update my contracts to include the new SCCs adopted by the European Commission?

As of September 27, 2021, the new 2021 EU SCCs must be used for transfers of personal data in all new contracts. For existing contracts relying on the “old” 2004 and 2010 SCCs, organizations have until December 27, 2022 to switch to the 2021 EU SCCs.

Notably, between September 27, 2021 and December 27, 2022, entities transferring personal data must switch to the 2021 EU SCCs if there are “relevant changes to the contract” or to the processing operations that are the subject matter of the contract. For example, an EU-based controller that concluded the 2010 SCCs with a U.S. hosting provider in 2017 can continue using the 2010 SCCs (provided that adequate supplementary measures are in place) until December 27, 2022. However, if in February 2022, the parties decide to expand the scope of the processing services (for example, they agree that the U.S. hosting provider will now also perform analytics services on the transferred personal data), the EU company must ensure that the new 2021 EU SCCs are used for both the hosting services and the analytics services.

Key contacts

Matthew Joseph

CIPP/E, CIPP/US, CIPM, FIP

Managing Director

Jim Cormier

CIPP/E, CIPM, FIP

Senior Vice President and Head of Professional Services

Getting Started

Take the first step towards adapting your data transfer practices to comply with Schrems II by contacting VeraSafe for a free consultation today.

Why VeraSafe?

Track record of implementing complex privacy regulations across industries.

Work directly with our in-house team of U.S. and European attorneys, IT experts, and project managers.

Strategic, risk-based approach to compliance.

Fully customizable Schrems II solution, tailored to fit your needs.

Holistic approach: We help you identify business opportunities hidden inside privacy regulations.

Going beyond just European privacy law, VeraSafe is your end-to-end partner for the entire privacy and cybersecurity domain.