SCHREMS II – AT A GLANCE

Introduction and summary

As you may have already seen, everybody seems to be talking about the “Schrems II” judgement – but what does the decision mean and what is the discussion about? In short, the judgement has the following effects for organisations transferring personal data to countries outside of the EU/EEA:

· The EU – U.S. Privacy Shield has been invalidated, which will undoubtedly increase compliance efforts and costs with regard to all transfers where the EU – U.S. Privacy Shield was used as the basis for the transfer. The standard contractual clauses (“SCC”) will be the most common alternative for such transfers, and organisations can turn to entering into the SCC in those arrangements where the EU – U.S. Privacy Shield was previously deployed.

· However, the SCC must henceforth be used with caution. It will be necessary for EU organisations transferring personal data to countries outside the EU/EEA to be able to assess the transfers in terms of the protection of personal data. In the example of the United States, such assessments may begin with understanding whether the recipient falls under the scope of e.g. Section 702 FISA and E.O. 12333. The consequence of the assessment may be that personal data may not be transferred to the United States, based on the SCC between the exporter and importer.

· It is likely that there will be more discussions in the near future on a non-EU/EEA recipient’s ability to comply with the SCC, which will impact EU organisations’ willingness to enter into the SCC.

· The supervisory authorities may produce guidelines and opinions – our advice is to look out for them and get acquainted with them.

Breakdown of the judgement

In a highly anticipated judgement, the Court of Justice of the European Union (“CJEU”) has invalidated Decision 2016/1250 and, thus, the EU – U.S. Privacy Shield is no longer a valid mechanism for transfers of personal data to the U.S. The CJEU noted that the principles of the EU – U.S. Privacy Shield are subsidiary to the requirements of national security, public interest, or law enforcement of the United States, thus enabling interference, based on the aforementioned requirements or U.S. laws, with the fundamental rights of EU data subjects whose personal data is transferred to the U.S.

The CJEU further examined the validity of the SCC and determined that there are no factors negatively influencing the validity of the SCC per se. The CJEU maintained that any transfer of personal data to third countries must afford EU data subjects a level of protection essentially equivalent to that guaranteed by the GDPR. If that is not achieved, the transfer must be stopped – as described in more detail below.

Moreover, the CJEU emphasized that the supervisory authorities have a mandate to investigate transfers relying on the SCC and to suspend or prohibit transfers where the supervisory authority deems that the SCC cannot be complied with in the third country and where the aforementioned protection cannot be ensured otherwise.

The CJEU clarifies that the SCC are not necessarily the only appropriate safeguard to be deployed in a transfer. Namely, the controller and processor may include additional clauses and safeguards that supplement the SCC and heighten the protection afforded. Hence, the CJEU aligns with the Advocate General’s Opinion in stating that it is the responsibility of the controller and processor to assess whether the third country affords protection to data subjects, and in the event that it does not, to undertake necessary and appropriate safeguards in addition to the SCC. Should the EU-based controller or processor not be able to do so, the transfer must be suspended or prohibited until appropriate safeguards are in place. If the EU-based controller or processor does not act according to the foregoing, a supervisory authority may instead prohibit or suspend such transfers. It is important to note that it is also the non-EU/EEA recipient’s responsibility to notify the EU controller or processor that they are unable to comply with the provisions of the SCC.

In summary, the CJEU does not invalidate the SCC per se, but it does clarify that the SCC can be a mechanism for transfers only where appropriate assessments of the level of protection are made on a case-by-case basis. It is therefore essential that organisations have a good overview of the personal data transfers under both the EU – U.S. Privacy Shield and the SCC. This knowledge will help identify compliance risks and actions to be taken to address them.

We are monitoring this matter closely, and we look forward to helping you understand any future developments that this landmark decision may have.

If you should have any questions, please do not hesitate to reach out to us.
