On July 16, 2020, the EU Court of Justice (CJEU) delivered its ruling in the so-called Schrems II case, which has since set the direction for transfers of personal data between the EU and the US.
According to the CJEU, US law cannot ensure the protection of EU personal data in the way that the European General Data Protection Regulation (GDPR) requires.
Brief recap of the GDPR
The GDPR came into force in the EU in 2018 to protect EU citizens and their personal data. It applies to all companies and organizations, inside and outside the EU, that process personal data of EU citizens. One example of processing is using cookies, Google Analytics, and other tracking technologies on your website. In that case, the GDPR requires the website to obtain its users' consent before processing any of their personal data.
In the Schrems II case, the CJEU struck down the Privacy Shield, the framework designed to give companies on both sides of the Atlantic a way of meeting data protection requirements when transferring personal data from the European Union and Switzerland to the United States in the course of transatlantic commerce.
The CJEU thereby treated the US as a country without an adequate level of protection and without any special access to the personal data streams of Europe. At the same time, the CJEU upheld the Standard Contractual Clauses (SCCs), which make it possible to transfer data between the parties who have signed the agreement.
The SCCs make transatlantic data transfer possible after all
Because the CJEU upheld the SCCs, transatlantic data transfer remains possible while still complying with the GDPR.
However, the Schrems II case stresses how important it is for data controllers to make sure that transfers of personal data to and from the EU comply with the GDPR.
How to comply with the GDPR when transferring data outside the EU
But how can you as a company or organization make sure to comply with the GDPR when transferring data outside the EU?
Be aware of:
- Where in the world does your website send your end-users' data?
- Which transfer mechanism do you use to send the data?
- What are the data protection rules in the country to which you send the data?
- If you send data to a country with different data protection rules, how can you add safeguards around your data transfers so that they meet the standard of essential equivalence?
- Finally, the EDPB recommends that you document your data transfer practices and the way in which you have ensured adequate protection for your website’s end-users.