What is Schrems II?
GDPR restricts transfers of EU citizen data to organizations that meet GDPR “adequacy” criteria. The U.S. does not have a national privacy regulation that meets GDPR standards, so U.S.-based organizations could take one of the following approaches:
- Use the GDPR’s model clauses within their contracts
- Implement binding corporate rules (“BCRs”) that make internal data protection policies GDPR-compliant
- Achieve compliance under the U.S. Privacy Shield Program
The Schrems II decision, made in July 2020, ruled that Privacy Shield was inadequate to meet GDPR requirements. The primary issues are that U.S. law enforcement and intelligence agencies have excessive access to the data of foreign nationals and that the Privacy Shield ombudsperson was not sufficiently independent of the U.S. government. As a result, all organizations using Privacy Shield for GDPR compliance were no longer considered compliant, effective immediately.
GDPR Compliance After Schrems II
Without Privacy Shield, U.S.-based organizations are reliant upon model clauses and BCRs for GDPR compliance. However, the model clauses are currently being updated, as they predate GDPR and are themselves not GDPR-compliant. Within the Schrems II ruling, the CJEU stated that model clauses are likely to be inadequate for compliance and that “supplementary measures” may be necessary.
In its ruling, the CJEU did not outline what “supplementary measures” may be required to make a U.S.-based organization compliant with the GDPR. This has resulted in some confusion, with recommendations ranging from “don’t transfer any EU citizen data to the U.S.” to “if the NSA asks for EU citizen data, fight it in court.”
While these recommendations are not particularly helpful to U.S.-based organizations processing EU citizen data, taking a “wait and see” approach can leave an organization vulnerable to lawsuits or regulatory penalties. While awaiting further clarification, companies should perform a complete audit of collected EU citizen data and processing practices and identify anything that does not comply with GDPR regulations. During this time of uncertainty, an organization is much more likely to face penalties if it is demonstrably non-compliant with GDPR requirements and best practices than if it has made a good faith effort to comply.