On July 16, 2020 the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield as an adequate framework for regulating exchanges of personal data between the European Union and United States. This decision introduces greater complexities to those managing data privacy because many multinational organizations relied on the Privacy Shield for cross-border data transfers. Consequently, organizations will need to revisit data residency and sharing practices to align more closely with the system of Standard Contractual Clauses on a case-by-case basis. For global organizations conducting business in the E.U. and beyond, Collibra provides solutions to help manage the complexities from the recent Schrems II decision.
So what are the results of Schrems II?
For years, global organizations have struggled to comply with EU privacy regulations. The EU-US Privacy Shield helped these organizations legally transfer personal data from the EU to the United States. However, with Schrems II, many organizations are wondering how they can share personal data across borders in the future. The Schrems II decision resulted in the following developments:
Dismantling of the Privacy Shield
The Privacy Shield is no longer valid, as the Court determined that the U.S. surveillance programs do not meet the EU’s principle of proportionality. Moreover, EU data subjects lack actionable judicial redress from the U.S. and, therefore, are not guaranteed an effective means to access or seek rectification of their personal data.
Standard Contractual Clauses require individual reviews
In addition to its judgement concerning the Privacy Shield, CJEU discussed the Standard Contractual Clauses (SCC). The CJEU confirmed the validity of SCCs, but stated that companies must verify, on a case-by-case basis, whether the law in the importer/recipient country ensures adequate protection under EU law for personal data transferred under SCCs. For cases in which data protection is inadequate or unclear, companies must provide additional safeguards, suspend or even cease transfers.
Further clarification on data transfers expected
The European Commission, which was responsible for adopting the SCC, is planning to release a new version of the clauses. The new clauses are expected to align closer to additional protections provided by the GDPR and will provide greater clarity into standards regarding the transfer of personal data to the U.S. and other countries outside of the EU. In addition, a number of regional data protection authorities across the EU have released public statements concerning the verdict and are in the process of reexamining their own positions.
Support compliance efforts with Collibra Data Privacy
The CJEU judgement provides clarity on the fact that the EU-U.S. Privacy Shield cannot be used as a safeguard for international data transfer between EU and the U.S. Conversely, it provokes more questions around the existing reliance on the Standard Contractual Clauses, while valid, will require further review. This process will take time and create legal uncertainty for months, or even years to come.
As a Data Intelligence company, Collibra helps global organizations manage the complexities of data and achieve compliance through the changing regulatory landscape. Global organizations doing business in the E.U. and beyond can rely on Collibra for:
- PI discovery and classification to uncover personal data and apply relevant labels to other sensitive data
- Data mapping to improve visibility into the location of data and how it flows throughout the data ecosystem. This view will allow organizations to document business context, data use purposes, and third parties affected by the CJEU ruling
- Regulatory and management reporting to assess compliance readiness and track the organization’s progress as it adapts its data residency and data sharing practices
With Collibra Data Privacy, companies can adapt to the changing regulatory landscape so that they can continue to use data to make impactful business decisions. Collibra has the flexibility to support data sovereignty requirements with EU-based deployment options on GCP or AWS, allowing customers to quickly comply with country-specific data sovereignty laws.