Understanding cross border data transfers in light of Schrems I and II decisions

What are recent advancements in Cross-Border Data Transfers under GDPR?

As a result of the precedent-setting Schrems II data privacy judgment, firms cannot perform even the most basic of data transfers to nations outside the EU.

By ruling that the EU-US Data Protection Shield, on which many corporations relied to move their data between America and the EU, had been invalidated due to concerns about US state and law enforcement agencies’ surveillance, the European Union’s Court of Justice (CJEU) on July 16th, 2020. Schrems II became a nickname for this judgment when it was handed down (after Max Schrems, an activist and lawyer who initiated this legal saga following his complaints against Facebook back in 2013).

In the Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) case, the abbreviation “Schrems II” is most commonly used. Max Schrems is an Austrian lawyer, privacy advocate, and the founder of noyb, a group dedicated to bringing cases involving GDPR-related data protection issues before EU courts.

US companies depended on the Data Protection Shield for trans-Atlantic trading before Schrems II. It was easy for these organisations to comply with GDPR.

The CJEU’s statements concerning the nature of U.S. government access to private-sector data cast a long shadow over additional personal data transfers from Europe to the United States. Companies and regulators must do case-by-case studies to determine if foreign protections for government access to data transmitted match EU criteria, despite the ruling upholding the validity of standard contractual terms.

In the United States and around the world, this will have a significant impact in the United States and worldwide.

In light of the recent Schrems II decision, the EDPB has made it plain that there will be no transition time for data transfers from Europe to the United States. Companies that want to move data over the Atlantic Ocean must find new ways. Fines of up to 4 per cent of annual revenue or 20 million euros, whichever is greater, could be levied against corporations who fail to comply with this requirement, now feasible under the GDPR.

Because of this ruling and others like it, data protection specialists play a crucial role in implementing safeguards compliant with international regulatory requirements across the globe’s economic landscape. There may be more questions than answers for privacy experts today. These are some initial thoughts on the court’s ruling and how privacy professionals can begin to respond to it.

Millions of people have had to work from home due to the COVID-19 epidemic, and businesses have adjusted to survive under these new, sometimes tricky conditions.

Microsoft Azure and Amazon Web Services, two of the most popular public cloud systems, have become nearly vital to organisations. Research predicts that end-user spending on public cloud services worldwide will rise by 18.4 per cent in 2021. There will be an increase in spending from $257.5 billion in 2020 to $304.9 billion in 2024.

Remote working and cloud service users have introduced another level of complexity to the equation in Schrems II. Any data transfer to non-EU servers, for example, would have to go through an individual risk assessment to guarantee GDPR compliance if an EU organisation wanted to store customer data there.

Schrems II presents a significant problem for CTOs, given the importance of security and data protection when using public cloud platforms.

With the Schrems II decision, it has become clear that the argument over data protection standards between the EU and the United States is not limited to the EU and the United States, but extends to any third country. Existing adequacy decisions and the validity of those conclusions are now seriously jeopardised. It also raises questions about the UK’s ability to maintain UK-EU data transfers in the wake of Brexit, which would necessitate an adequate decision. It’s unclear if such a judgment will be given in the aftermath of the UK’s extensive surveillance activities.

Concerns about whether data transfers to other major world powers, notably China, will continue to be allowed, given that law enforcement regulations and information about security services may be challenging or non-existent in those countries.

As a result of the Schrems II ruling, practically every sector of the European economy, from the medical industry to the financial markets, will be impacted. If Schrems II results in a harmonised global data protection framework, or if it restricts open data flows and data localisation (and so fragments the data economy), we don’t know yet.