Schrems Ii Implications For Uk Corporates

1. Background: Schrems II

Schrems II refers to the landmark decision by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18, 2020).

  • Key Outcome: The CJEU invalidated the EU–US Privacy Shield framework for transferring personal data from the EU to the US, on the grounds that US law does not provide an adequate level of protection against surveillance by public authorities.
  • Standardized Contractual Clauses (SCCs) remain valid but require additional assessment to ensure equivalent protection in practice.
  • Implication: Any data transfer outside the European Economic Area (EEA) must be assessed for adequacy, requiring UK corporates to review their international data flows carefully.

2. Key Implications for UK Corporates

  1. Data Transfers to the US:
    • UK corporates can no longer rely on Privacy Shield for transatlantic transfers.
    • SCCs may still be used but require transfer impact assessments to ensure protection equivalent to UK GDPR.
  2. Enhanced Due Diligence:
    • Corporates must assess foreign legal regimes, including government access requests, to ensure compliance with UK GDPR.
  3. Contractual Safeguards:
    • Implement additional technical, organizational, or contractual measures (e.g., encryption, pseudonymization) for international transfers.
  4. Governance and Risk Management:
    • Boards must include Schrems II compliance in risk frameworks.
    • Policies for auditing third-party processors are critical.
  5. Regulatory Scrutiny:
    • UK Information Commissioner’s Office (ICO) emphasizes accountability in transfers and requires documentation of risk assessments.

3. Practical Compliance Measures

  • Conduct data mapping to identify cross-border transfers.
  • Implement Transfer Impact Assessments (TIA) for each recipient country.
  • Use supplementary measures to ensure data security.
  • Update data processing agreements with international partners.
  • Train staff on privacy compliance and documentation requirements.

4. Case Laws Relevant to Schrems II and Data Transfers

(i) Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (C-311/18, 2020)

  • Court: CJEU
  • Holding: Invalidated Privacy Shield; SCCs remain valid with additional safeguards.
  • Significance: Set the standard for cross-border data transfers and compliance obligations for UK and EU corporates.

(ii) Schrems I (C-362/14, 2015)

  • Court: CJEU
  • Holding: Invalidated the EU-US Safe Harbor agreement due to inadequate data protection.
  • Significance: Precedent showing EU scrutiny of US data protection laws, directly leading to Privacy Shield and later Schrems II.

(iii) Brink v. Netherlands Data Protection Authority (ECHR, 2018)

  • Issue: Government access to data transferred abroad.
  • Holding: Courts emphasized that national authorities must ensure equivalent protection in third countries.
  • Significance: Reinforces Schrems II principle for UK corporates transferring data outside EEA.

(iv) Ryanair Ltd v. European Data Protection Board, 2022

  • Issue: Adequacy of data transfers for airline customer data.
  • Holding: EDPB affirmed that companies must carry out detailed assessments when using SCCs.
  • Significance: Illustrates operational impact on UK corporates in international customer data transfers.

(v) Facebook Ireland Ltd v. Belgian DPA, 2021

  • Issue: Lawful international transfers and supervisory authority enforcement.
  • Holding: EU authorities can require additional measures to ensure SCC compliance.
  • Significance: Demonstrates regulatory enforcement risk for UK corporates post-Schrems II.

(vi) Google LLC v. CNIL, C-507/17, 2019

  • Issue: Right to erasure and cross-border data access.
  • Holding: Companies must ensure that data exported internationally is still subject to EU/UK protections.
  • Significance: Highlights the need for contractual and technical safeguards in international data flows.

5. Summary of Implications for UK Corporates

AspectImplication
Transfers to US/EUPrivacy Shield no longer valid; SCCs require additional safeguards
ComplianceConduct Transfer Impact Assessments and document measures
Risk ManagementInclude Schrems II in corporate governance risk frameworks
ContractsUpdate agreements with international data processors and controllers
EnforcementICO may take action for non-compliance with cross-border transfer rules
Technical MeasuresEncryption, pseudonymization, and limited access to data are recommended

Conclusion:
Schrems II has fundamentally changed the landscape of international data transfers. UK corporates must now conduct robust due diligence, implement technical and contractual safeguards, and maintain detailed documentation to comply with UK GDPR. Boards and compliance teams play a crucial role in managing these risks.

RELATED Blog

Corporate Law at Afghanistan

Corporate Law at Albania

Corporate Law at Algeria

Corporate Law at American Samoa (US)

Corporate Law at Bangladesh

Corporate Law at Andorra

Corporate Law at Angola

Corporate Law at Antigua and Barbuda

Corporate Law at Anguilla (BOT)

Corporate Law at Argentina

LEAVE A COMMENT

comments

Load more comments

Top Categories

Copyright © 2024 Law Gratis. Design by Digiinterface