Data Transfers Archives | TrustArc
https://trustarc.com/topic-resource/data-transfers/
Feed last updated Fri, 06 Sep 2024 13:55:57 +0000

Transfers Uber the Atlantic
https://trustarc.com/resource/transfers-uber-the-atlantic/ (Fri, 06 Sep 2024)

A Nordic Smörgåsbord – with Odia Kagan and the UK Bridge (and more)
https://trustarc.com/resource/spp-s4-ep38/ (Wed, 18 Oct 2023)

Selecting the Best EU-US Data Transfer Mechanism for Your Business
https://trustarc.com/resource/selecting-the-best-eu-us-data-transfer-mechanism/ (Thu, 03 Aug 2023)
Articles

Selecting the Best EU-US Data Transfer Mechanism for Your Business

The State of EU-US Data Transfer Mechanisms in 2023

Since 2000 regulators have tried to keep an EU-US data transfer mechanism in place. From 2000-2015 it was Safe Harbor. From 2016 until 2020 it was Privacy Shield. And now through the EU-US Data Privacy Framework, the US is once again deemed as adequate for data transfers by the EU.

Despite taking different approaches to data protection in each region, there’s a desire to cooperate from both sides of the Atlantic. That’s because the “European Union and the United States have the largest bilateral trade and investment relationship and enjoy the most integrated economic relationship in the world,” according to the EU.

And, “The transatlantic relationship is a key feature of the overall global economy and trade flows. For most countries, either the EU or the US is the largest trade and investment partner.”

Businesses in the EU and US have a constant need to transfer data across borders. This includes information about users as well as employees. Trade between these nations directly supports 9.4 million jobs and indirectly 16 million jobs.

Additionally, as society becomes more digital, the number of vendors and third-party service providers continues to increase. These partnerships often rely on data transfers, or in other words, information sharing, to achieve desired outcomes.

Examples of Non-Obvious Data Transfers from the EU to the US

EU-US data transfers can be tricky due to different regulations and individual protections in each country. Sharing data has become such a normal part of business operations that some may not even realize they’re conducting a cross-border data transfer. Below are just a few of the many possible data transfer examples.

  • Storing data in a cloud service provider located in the US, where the personal information of EU individuals is uploaded and stored.
  • Sending emails containing personal data to recipients or email servers located in the US.
  • Allowing employees located in the US to access and process personal data originating from the EU.
  • Using a CRM platform hosted in the US to store and manage customer data originating from the EU.
  • Replicating and storing data backups in servers located in the US.
  • Transferring personal data to social media platforms headquartered in the US when individuals from the EU use these platforms.
  • Utilizing analytics tools or trackers hosted in the US that collect and process data from EU visitors on websites or mobile applications.
  • Employing SaaS solutions hosted in the US that involve processing personal data originating from the EU.
  • Using HR management platforms hosted in the US that handle the personal data of EU employees or job applicants.

What Data Transfer Methods from the EU Exist?

After Privacy Shield was invalidated in 2020, businesses had to use other EU-US data transfer mechanisms. Chapter 5 of the GDPR is dedicated to transfers of personal data to third countries or international organizations and Articles 44 – 50 explain the authorized data transfer methods.

EU Transfers on the Basis of an Adequacy Decision

Adequacy decisions are made by the European Commission about transferring data to a third country, territory, or international organization. Once a country is deemed adequate, the data transfer won’t require any specific authorization or further safeguards.

The decision will be reviewed at least once every four years to ensure adequate protection of personal data. The commission takes into account the third party’s rule of law, the existence of a supervisory authority, and the international commitments entered into by the third party.

Standard Contractual Clauses

Most businesses implemented SCCs as a result of the Schrems II ruling. Revised in 2021, SCCs can be applied to data transfers where the recipient’s organization would not be directly subject to the GDPR for the processing operation. If an organization offers goods or services or monitors individuals’ behavior in the European Economic Area, SCCs can’t be used.

SCCs are approved by the European Commission and are incorporated into data transfer agreements between the EU data exporter and the US data importer to provide appropriate safeguards for the transferred data.

Binding Corporate Rules

This transfer method allows multinational organizations to implement BCRs for transfers of personal data within their group of companies. The BCR must be approved by relevant data protection authorities and provides legally binding commitments to protect personal data across the organization.

Explicit Consent

GDPR Article 49 permits the transfer of personal data to a third country, including the US, based on the explicit and informed consent of the individual. However, explicit consent should meet the GDPR’s stringent requirements and must be freely given, specific, informed, and unambiguous.

Comparing EU-US Data Transfer Mechanisms: Which is Best?

While each has its pros and cons, using the EU-US Data Privacy Framework (an adequacy decision) is the most cost-effective – both in terms of time and money for businesses. It’s the fastest and most scalable option. Businesses must certify for the Data Privacy Framework once and verify annually. There are no TIAs or supplementary measures required.

The framework ensures that a well-implemented privacy program is in place and is a public-facing commitment to using personal information fairly, lawfully, and transparently. A DPF verification demonstrates accountability to regulators and the Department of Commerce and provides your business credibility as a vetted trading partner, vendor, and service provider.

The Problems with Using SCCs for EU-US Personal Data Transfers

Infographic demonstrating the complexities of SCCs
Standard contractual clauses are a tedious process. They must be completed for every vendor, service provider, and client. (A separate SCC is required for each business activity that transfers personally identifiable information to the US.)

And SCCs require Transfer Impact Assessments (TIA) for each contract and may also require supplementary measures. New transfers don’t fit into the existing process, and every contract needs to be updated for every new transfer.

Using SCCs as your data transfer method can put the business at risk of delay with vendors, providers, service contractors, and clients. Some vendors may even refuse to agree to SCC terms or sign altogether.

The Difficulties of Using BCRs for EU-US Personal Data Transfers

Binding Corporate Rules aren’t an option for all companies; they’re often the least used. BCRs need approval from data protection authorities and, depending on the entity, this could involve several authorities.

The main difficulty of BCRs is the sheer amount of internal resources and legal fees spent to evaluate risk, write contracts, and develop BCRs for all areas of personal data across the organization. This process is cumbersome and can take several years.

As a transfer mechanism, BCRs aren’t flexible and are very limited in scope. Lastly, Binding Corporate Rules don’t address governance and enforceability.

What About Using Consent for EU-US Personal Data Transfers?

The problem with relying on consent for EU-US personal data transfers is its lack of scalability. Consent in this case was designed for infrequent transfers of very few records.

Additionally, this opens your company up to upstream and downstream responsibilities concerning how your vendors and service providers meet GDPR requirements with your customer’s data.

Why Your Business Needs an EU-US Data Privacy Framework Verification
https://trustarc.com/resource/business-eu-us-data-privacy-framework-verification/ (Wed, 19 Jul 2023)
Articles

Why Your Business Needs an EU-US Data Privacy Framework Verification

From Safe Harbor to Privacy Shield to what is now known as the EU-US Data Privacy Framework, personal data transfers between the European Union and the United States have been on a decades-long rollercoaster.

Transferring personal data from the EU to the US has been more complicated and expensive since Schrems II. A data transfer agreement to restore personal data flows between these economic regions is critical for healthy commerce, trade, and investment. Privacy professionals have been waiting patiently for an adequacy decision since March 2022, when a new agreement was announced.

EU-US Data Privacy Framework Adequacy Decision Announced

Now that the European Commission has adopted a positive adequacy decision for the EU-US Data Privacy Framework, companies can self-certify their participation in the data transfer mechanism as of Monday, July 17, 2023. The EU-US Data Privacy Framework (and UK extension) replaces Privacy Shield and regulates transatlantic data flow starting in July 2023.

European entities that participate in the new framework are able to transfer personal data to participating companies in the United States without having to put in place additional data protection safeguards. If your company has been using another data transfer mechanism such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), there are still benefits to participating in the Data Privacy Framework.

For example, SCCs:

  • Require Transfer Impact Assessments (TIA)
  • May require supplementary measures
  • Have to be negotiated in every contract
  • Have to be updated for every new transfer

The Data Privacy Framework will require no TIA or supplementary measures and will only need to be certified/verified/renewed once a year. New transfers will qualify under the existing mechanism. As a data transfer mechanism, the Data Privacy Framework will require fewer internal resources and is more affordable for small and medium businesses when compared to SCCs.

How is the EU-US Data Privacy Framework Different from Privacy Shield?

The Court of Justice of the European Union (CJEU) overturned Privacy Shield due to U.S. government access to data, not because of commercial protection concerns.

From a business perspective, the Data Privacy Framework is similar in many ways to the former agreement. But it addresses the surveillance concerns raised in the Schrems II decision as outlined in Executive Order 14086 “Enhancing Safeguards for United States Signals Intelligence Activities.”

Additionally, the U.S. has established a Data Protection Review Court (DPRC) to provide European individuals with a proper redress mechanism for qualifying complaints of violations of the United States law in relation to its intelligence activities.

Therefore, obligations for businesses that were previously Privacy Shield verified will be minimal. The Data Privacy Framework Program FAQ explains, “the EU-U.S. DPF does not create new substantive obligations for participating organizations with regards to protecting EU personal data. The privacy principles and the process to initially self-certify and annually re-certify remain substantively the same.”

The primary action for organizations will be to clarify privacy notices for EU individuals and to confirm notices contain all disclosures required under the Data Privacy Framework notice principle.

If your data processing agreements with third parties reference Privacy Shield, these agreements should be updated to instead reference the Data Privacy Framework.

What About Schrems?

As many have suspected, Max Schrems and the NOYB aren’t satisfied with the new agreement for EU-US data transfers.

“We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”

Max Schrems, NOYB

Schrems also explains there are various options for a challenge to the new framework and expects that it will be back at the Court of Justice “by the beginning of next year.”

Yet, when Alex Greenstein, Director of Privacy Shield | Data Privacy Framework at the FTC was asked about another Schrems court challenge, he expressed that the FTC and the European Commission believe they’ve addressed those concerns raised in the Schrems II decision.

For now, this current framework restores an important legal basis for transatlantic data flows and participation in the digital economy to expand economic opportunities. And if the past is any indication, it took four years for the CJEU to examine the Privacy Shield challenge. Experts expect it will take two to three years before an EU-U.S. Data Privacy Framework CJEU examination.

Getting a Data Privacy Framework Verification

Companies must meet strict requirements to protect Europeans’ personal data under the new framework.

A Summary of Key Requirements for Participating Organizations:

  • Inform individuals about data processing
  • Provide free and accessible dispute resolution
  • Cooperate with the U.S. Department of Commerce (DoC)
  • Maintain data integrity and purpose limitation
  • Ensure accountability for data transferred to third parties
  • Transparency related to enforcement actions
  • Ensure commitments are kept as long as data is held

For organizations that didn’t withdraw from Privacy Shield, there’s a three-month grace period to update company policies to reflect the new Data Privacy Framework. This grace period provides the FTC with continuous coverage to enforce companies’ commitments to Privacy Shield. Your Privacy Shield and Data Privacy Framework certification renewal date won’t change.

Review the complete EU-U.S. and Swiss-U.S. Privacy Framework and UK Extension to the EU-U.S. and/or the Swiss-U.S. Data Privacy Framework Verification Program Assessment Criteria.

Swiss-U.S. Data Privacy Framework and The UK Extension

Participation in either the EU-U.S. or Swiss-U.S. Data Privacy Frameworks also enables participating organizations to participate in the UK Extension to the EU-U.S. Data Privacy Framework to enable data transfers from the UK to the U.S.

While organizations can prepare for the Swiss-U.S. Data Privacy Framework and the UK extension now, data transfer benefits under those frameworks aren’t available until each country presents an adequacy decision for the U.S.

TrustArc makes our Privacy Shield compliance process easy and straightforward.

Darren D., Chief Information Security Officer

Why Use TRUSTe vs. Self-Certification?

A Data Privacy Framework Verification and seal is the simplest, most reliable, and cost-effective way to ensure EU-U.S. personal data transfer compliance. The verification provides a robust demonstration that you’ve met the obligations of the DoC and European Commission.

The public seal shows consumers and trade partners your standard of compliance, meaning you will not need to implement complicated supplementary measures.

Certification is administered by the U.S. DoC, which processes applications for certifications and monitors whether participating companies continue to meet the certification requirements. Compliance with the framework will be enforced by the U.S. FTC.

The TRUSTe verification process helps companies prepare for self-certification with the DoC and provides accountability oversight. Your company can self-certify with confidence knowing TRUSTe, as an Accountability Agent, has verified that your organization meets the Data Privacy Framework principles with the appropriate data protection measures in place.

Optionally companies can also use TRUSTe services for dispute resolution (independent redress mechanism).

The TRUSTe Assurance Process

  • Conduct Privacy Review: Understand your data policies and practices through a privacy analysis.
  • Demonstrate Compliance: Answer questions aligned with the requirements to ensure compliance with the framework principles.
  • Customized Action Plan: Receive a gap analysis and action plan including written guidance on compliance posture and remediation recommendations to achieve compliance.
  • Remediation and Verification: Collect, compile, or generate documents or processes to demonstrate compliance.
  • Privacy Notice Review and Seal Assurance: TRUSTe serves as your verification agent for your U.S. Department of Commerce filing, including a TRUSTe-reviewed Privacy Notice, Letter of Attestation, and a seal for public posting.
  • Ongoing Monitoring and Guidance: Ongoing compliance monitoring and dispute resolution provide privacy expertise for your business. Documentation and an audit trail are available in case it’s needed.

Data Transfers: Will We Ever Learn? (With Dr. Laura Drechsler)
https://trustarc.com/resource/spp-s4-ep10/ (Wed, 29 Mar 2023)

Understanding International Data Transfers and Privacy Protection Under Schrems II
https://trustarc.com/resource/international-data-transfers-schrems-ii/ (Wed, 07 Dec 2022)
Articles

Understanding International Data Transfers and Privacy Protection Under Schrems II

The Court of Justice of the European Union (CJEU) didn’t give Maximilian Schrems exactly what he wanted in his second big international data privacy case (now known as Schrems II).

He argued the use of standard contractual clauses (SCCs) and the EU–U.S. Privacy Shield by organizations for cross-border data transfers meant individuals were not guaranteed the same privacy they had in the EU.

The EU–U.S. Privacy Shield was just a few years into its adoption by organizations for cross-border transfers of personal data from the EU to the U.S., following the outcome of Schrems’ first big case.

The CJEU did rule the EU–U.S. Privacy Shield to be invalid, but the primary focus of Schrems’ argument was on the validity of SCCs.

Although, at the time, the CJEU ruled the use of SCCs was still valid, the court explicitly noted the SCCs needed modernizing to align with the GDPR and other laws relating to international transfers of personal data.

The SCCs have been reviewed and updated several times since.

International data transfers before the Schrems II decision

Before the summer of 2020 (and the Schrems II decision), the European Economic Area (EEA) had a simple, three-pronged approach for permitting international data transfers:

  1. Adequacy decisions
  2. Appropriate safeguards
  3. Specific derogations (exemptions).

All three were designed to allow personal data originating in the EEA to be transferred to or accessed from another country (any country or territory outside the EEA) provided certain conditions were met.

Adequacy decisions

Adequacy decisions meant the European Commission had determined a country’s personal privacy legislation offered an essentially equivalent level of data protection as that offered in the EEA.

Appropriate safeguards

Appropriate safeguards for international data transfers had to be approved by the supervisory authority, whether the transfers included the use of SCCs, ad hoc contractual agreements, certifications, codes of conduct or binding corporate rules.

Specific derogations

Specific derogations or exemptions in contracts covering personal data transfer to or access from another country were allowed if neither of the first two options applied, but only under very strict rules.

Rules about individuals giving consent for international transfers of their personal data, for example, noted that an individual must be properly informed of their rights and given genuine choice and control over how their data was used.

In the EEA, derogations could not be used for any massive, continuous or structural data transfers.

GDPR Article 44: general principle for transfers

The EEA’s use of the three-pronged approach suggested the lower the administrative burden on the controller to start an international data transfer, the higher the initial assessment threshold should be.

Clearly, the level of protection of natural persons guaranteed by the General Data Protection Regulation (GDPR) should not be undermined.

Under the GDPR, any EU-originating international data transfer could be restricted by conditions set out in Article 44:

  • Under Chapter 5, it prohibits international data transfers beyond the EU to a recipient country that cannot prove adequate data protection is provided.
  • It also states all provisions of Chapter 5 must be applied to “ensure the level of protection of natural persons guaranteed by this regulation is not undermined”.

International Data Transfers After the Schrems II Decision

The GDPR became enforceable on May 25, 2018, approximately halfway into the Schrems II case.

Indeed, it was Schrems’ argument to the Irish Data Protection Commissioner that Facebook’s international data transfers did not comply with the GDPR that led to the Schrems II case being heard by the CJEU from July 2019 to July 2020.

He raised concerns that when his personal data was transferred from Facebook’s servers in the EU to its servers in the U.S., his privacy became vulnerable because his data might be accessed by U.S. intelligence agencies using the U.S. data privacy law exemptions for national security concerns.

Schrems and the Irish Data Protection Commissioner both highlighted Article 44 of the GDPR in their arguments during the CJEU hearing.

The court’s decision on Schrems II changed the dynamic of the EEA’s three-pronged approach to allowing international data transfers.

It meant appropriate safeguards used by organizations in other countries – including SCCs – had to meet a key requirement for adequacy decisions granted to countries outside the EU: they must result in a level of data protection essentially equivalent to that offered in the EEA. Otherwise, the GDPR data privacy guarantees could be weakened or undermined.

Global impact of Schrems II

Initially, the Schrems II case focused on Maximilian Schrems’ privacy concerns about personal data transferred from Ireland in the EU (where the GDPR offered reasonable protection) to the U.S. (where Europeans had limited protection under U.S. surveillance laws).

However, Schrems always intended the case to have a much bigger global impact.

It wasn’t just about stopping Facebook transferring his personal data internationally, it was about highlighting a raft of disparities in data privacy laws exploited by companies around the world: especially SCCs.

Schrems might not have gained the decision from the CJEU he really wanted – for SCCs to be held invalid – but several iterations of the SCCs have continued to be heavily scrutinized ever since.

During the Schrems II case, the CJEU raised concerns about whether the SCCs at the time did, in fact, offer appropriate safeguards for international data transfers containing personal information – particularly when personal data could be accessed by organizations in countries with extensive surveillance laws.

These concerns prompted the European Data Protection Board (EDPB) to release a set of supplementary measures recommendations on November 10, 2020.

The European Commission released a draft of its revised SCCs for international data transfers to the public for comment on November 12, 2020.

Seven months later, on June 4, 2021, the European Commission issued new SCCs under the GDPR for international data transfers – effectively answering the CJEU’s call for modernized SCCs after the Schrems II decision.

How the new SCCs apply to international data transfers

Following the Schrems II decision, the effective dates for the new SCCs spanned 18 months from their introduction (from June 2021 to late December 2022):

  • All new data contracts for international data transfers between controllers or processors in the EU (i.e. subject to the GDPR) and controllers or processors in other countries had to use the new SCCs from September 27, 2021.
  • All existing/old contracts for international data transfers must have incorporated the new SCCs under the GDPR by December 27, 2022.

The modernized SCCs include several elements that were influenced by the Schrems II decision:

  • Proof an importer can comply – a data exporter must make reasonable efforts to verify the importer can meet its obligations under the SCCs through “technical and organizational measures”.
  • Risk-based approach – a data exporter may be allowed to take a risk-based approach, provided an impact assessment is completed in every case.
    • The assessment must consider the purposes of transferring and processing the data, along with the data privacy laws of the importing country.
    • If more than one importer is involved, the assessment must consider and account for every organization involved in the data processing.
  • Determining potential risk versus real-world risk – when considering the data laws and practices of the importing country, an exporter conducting an impact assessment can consider the real-world risk to data privacy when it is accessed and/or stored by an importer, rather than a theoretical risk.
    • This point addresses the concern raised in Schrems II about U.S. intelligence authorities potentially accessing private data of European citizens when, in reality, the importer has never had an intelligence authority request to access the data it imports.
  • Restrictions due to local laws – if local laws prevent the importer from meeting its contractual obligations, then processing of data is not permitted.
    • Note: there are exceptions under Article 23 of the GDPR, which refers to a data controller or processor whose local laws restrict the scope of some of the obligations and rights provided for in other articles, “when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, defence, public security”.
  • Public authority requests for access – if the importer receives a request to access the data from a government or public authority (e.g. an intelligence agency), then it must let the exporter and any data subjects know of this request, along with any steps the importer takes to challenge such requests.
    • Note: the EDPB’s guideline on these requests is that government access must “not go beyond what is necessary and proportionate in a democratic society”.
  • Supervisory authority – all parties must identify the competent supervisory authority for their international data transfers, and the importer must submit to that authority.
    • New SCCs must be made under the law and jurisdiction of an EU member state.

TrustArc’s International Transfer Package

Understanding how to manage international data transfers can be time-consuming, and the Schrems II decision in 2020 made the risks more complicated.

TrustArc’s international transfer package helps organizations:

  • Identify, manage, and mitigate risk through our algorithm that automatically detects data flows with transfer risk
  • Conduct data transfer and risk threshold assessments
  • Save time by using our templates that help operationalize regulatory requirements and trigger compliance mechanisms.
How the Schrems II Decision Changed Privacy Law
https://trustarc.com/resource/schrems-ii-decision-changed-privacy-law/ (Wed, 30 Nov 2022)
Articles

How the Schrems II Decision Changed Privacy Law

Privacy advocates have long argued that organizations with global customers must do more than just comply with the data protection laws in their home countries.

At the heart of their argument is the fact internet technologies (and cloud services in particular) support cross-border data transfers into multiple jurisdictions.

Therefore, they believe the data protection laws in each region should apply.

Maximilian Schrems, a high-profile Austrian privacy advocate and lawyer, has brought several cases to EU courts to change rules for cross-border data transfers.

And, in some cases, he’s been very successful.

In his campaign against Facebook, Schrems successfully argued that because personal data transferred to and/or stored in the U.S. could potentially be accessed by U.S. intelligence agencies, such data activities violated EU privacy laws – including the EU’s General Data Protection Regulation (GDPR).

He is best known for a case heard by the Court of Justice of the European Union (CJEU) listed as Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems, more commonly known as the Schrems II decision.

On July 16, 2020, the CJEU ruled the EU–U.S. Privacy Shield was invalid.

While the court upheld the system of standard contractual clauses (SCCs) at the time, which allowed for data transfers from the EU to other countries, the validity of SCCs was still questioned.

The impact of the Schrems II decision was essentially global, triggering a major rethink of how organizations manage compliance with data protection laws in multiple jurisdictions.

Read on to learn more about how the Schrems II decision came about and how it changed international data transfer frameworks.

Timeline of EU Data Law Reviews and the Schrems I Decision

The Schrems I decision was a significant victory for Maximilian Schrems in his long-running battle with U.S. technology businesses in various European courts, to have EU data privacy laws enforced more strictly.

Key dates related to the Schrems I decision include:

  • October 24, 1995 – the European Parliament passes the Data Protection Directive to encourage the free movement of personal data, while providing protections of individual rights.
    • It contains rules for adequacy of protection when data is transferred outside the EU.
  • July 19, 2000 – the U.S. Department of Commerce issues its International Safe Harbor Privacy Principles and sends them to the European Commission.
  • July 26, 2000 – the European Commission issues its adequacy decision on the International Safe Harbor Privacy Principles.
  • June 2013 – international media begin reporting on documents brought to light by U.S. intelligence whistleblower Edward Snowden about the NSA’s surveillance of electronic communications and extensive data collection activities.
    • These revelations are later confirmed by the U.S. administration.
  • June 2013 to June 2014 – Maximilian Schrems files several lawsuits against Facebook in courts across Europe, claiming his personal data is not adequately protected.
  • June 25, 2013 – Schrems lodges a complaint with the Irish Data Protection Commissioner (DPC) because Facebook’s European headquarters are based in Ireland.
    • He wants the Irish DPC to investigate Facebook Ireland Ltd’s data transfers from its EU HQ in Ireland to its servers in the U.S., amid growing concerns about the NSA’s surveillance activities.
  • July 26, 2013 – the Irish DPC rejects Schrems’ complaint as vexatious.
    • Schrems then files and is granted a judicial review in the Irish High Court.
  • June 18, 2014 – the Irish High Court decides to adjourn Schrems’ case and refers it to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
  • March 24, 2015 – the CJEU begins hearing Schrems’ test case against Facebook (now commonly known as Schrems I).
  • October 6, 2015 – the CJEU rules the Safe Harbor framework is invalid because it does not meet the adequacy standard: the protection it offers is not essentially equivalent to that of the Data Protection Directive.

The short-lived EU–U.S. Privacy Shield Framework

Immediately following the CJEU’s decision on Schrems I, the U.S. Department of Commerce, the European Commission and the Swiss Administration began co-designing the EU–U.S. Privacy Shield.

It was intended to help organizations comply with EU data protection rules when transferring personal data to the U.S. from the EU.

On July 12, 2016, the European Commission announced the EU–U.S. Privacy Shield met adequacy requirements under EU law.

On January 12, 2017, the Swiss Government also announced the Swiss–U.S. Privacy Shield framework met Swiss privacy requirements when transferring personal data to the U.S. from Switzerland (which is not an EU member).

After Schrems I: A test of standard contractual clauses for data transfer

The CJEU’s decision that the Safe Harbor Privacy Principles did not guarantee individuals in the EU protections against U.S. surveillance motivated Schrems to resubmit his complaint with the Irish DPC.

In his next filing, he raised concerns about standard contractual clauses (SCCs) used by Facebook (and other organizations), which are an alternative legal arrangement to export personal data from the EU.

He argued SCCs would have a similar effect to a transfer under the Safe Harbor framework, so no adequate protection would be offered.

In his filing, he requested that transfers of personal data from Facebook Ireland to Facebook Inc. in the U.S. under SCCs be suspended.

Suspension is one of the possibilities under data protection law for enforcement of the SCCs if insufficient safeguards are available.

Instead, the Irish DPC decided to file a separate case in court seeking to suspend or invalidate the use of SCCs altogether.

Timeline of the Schrems II Decision

Maximilian Schrems’ second big case against Facebook aimed to block it from relying on SCCs to sidestep EU data protection rules when transferring data to the U.S. from the EU.

The Irish Data Protection Commissioner then also brought a case against Facebook.

Below are some key dates related to what is now known as the Schrems II decision:

  • December 1, 2015 – Schrems resubmits his complaint against Facebook Ireland Ltd to the Irish DPC, arguing it is relying on SCCs to transfer personal data to the U.S. from its European headquarters in Ireland.
    • He also files similar complaints with data protection authorities in Germany and Belgium, which both claim some jurisdiction over Facebook.
  • February to March 2017 – the Irish High Court reviews Schrems’ complaint.
  • October 3, 2017 – the Irish High Court issues its judgment to refer the case to the CJEU for a preliminary hearing.
  • April 12, 2018 – the Irish High Court submits an extensive referral of the case to the CJEU, detailing 11 questions for the CJEU to address.
  • May 25, 2018 – the EU’s General Data Protection Regulation (GDPR) comes into force.
    • Schrems then files additional complaints in Ireland that Facebook’s data transfer activities are not GDPR compliant.
  • July 2019 – the CJEU begins hearing the case listed as the Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems.
    • The case is popularly called Schrems II.
  • December 19, 2019 – the advocate general (AG) of the CJEU, Henrik Saugmandsgaard Øe, publishes his opinion on Schrems II, stating the SCCs are valid.
    • (See below for a summary of the Schrems II AG opinion.)
  • July 16, 2020 – the CJEU publishes its rulings on Schrems II: the EU–U.S. Privacy Shield is held to be invalid; the SCCs are upheld as valid; however, the CJEU notes the SCCs need modernizing, in line with the GDPR and other international data protection requirements.

Schrems II AG Opinion: Key Findings

The CJEU advocate general’s opinion on the Schrems II case stated that SCCs are valid.

Advocate General Henrik Saugmandsgaard Øe noted:

  • SCCs provide contractual safeguards to guarantee the appropriate level of protection when personal data is transferred, regardless of the destination country.
  • The purpose of SCCs is to ensure the data exporter and importer compensate for any data protection deficiencies in another country.
  • Whether SCCs are adequate cannot depend on the extent of data protection guaranteed in another country.
  • Under the EU Charter of Rights, if the clauses could be breached or would be impossible to honor, any data transfers covered by SCCs should be suspended or prohibited.
  • The main case brought before the CJEU related to the validity of SCCs, therefore any findings on the validity of the EU–U.S. Privacy Shield must not influence the main case.

Schrems II case summary: SCCs

The CJEU’s decision on the Schrems II case closely followed the AG’s opinion in its ruling on SCCs:

  • One of the main questions of the Schrems II case was whether the use of SCCs to guide international data flows should be possible at all.
    • The CJEU confirmed SCCs can be used – but it tightened the rules for their use.
  • National security is recognized as a possible necessary limitation to the fundamental right to data protection, including in the SCC decision itself.
    • Therefore, the existence of national surveillance laws in another country should not, in principle, be problematic.
  • The level of protection afforded by SCCs must be assessed by data exporters and importers.
    • The court referenced GDPR Article 44 (the general principle for transfers), which states the level of protection of natural persons when their personal data is transferred abroad cannot be undermined – regardless of the method used to transfer personal data (e.g. adequacy decisions, contractual safeguards and binding corporate rules).
  • Therefore, the guarantees included in SCCs must be essentially equivalent to the level of protection guaranteed within the EU.
  • Guarantees may need to be supplemented in cases where SCCs are deemed insufficient.
    • This is allowed, as long as the provisions in the SCCs are unchanged.
  • If the protection guaranteed within the EU cannot be ensured when transferring data to another country – because SCCs could be breached or impossible to honor – then supervisory authorities must suspend or prohibit data transfers to the country concerned.
  • SCCs need to be reviewed to provide further safeguards.

Schrems II case summary: Privacy Shield

Although the main focus of the Schrems II case was always on SCCs – and the case was filed before the GDPR came into force – the CJEU assessed the validity of the EU–U.S. Privacy Shield adequacy decision made in July 2016 and found fault with it.

The court ruled the Privacy Shield was invalid because:

  • The Privacy Shield does not meet the standards of an essentially equivalent level of protection.
    • It does not guarantee the fundamental rights to privacy and data protection of EU citizens when their data is transferred to the U.S. from the EU.
  • The legislation related to U.S. Government surveillance programs is too wide and vague: it does not provide clear and precise rules governing the scope and application of the measure in question.
    • The court decided the risk of bulk collection and/or over-collection of personal data is too large.
  • There are no minimum safeguards to effectively protect personal data against the risk of abuse.
    • Based on EU case law, this is a requirement, especially as regards the circumstances and conditions under which surveillance can be used.
  • EU authorities cannot effectively protect personal data transferred to the U.S. because it is outside their jurisdiction.
  • Individuals in Europe must be able to pursue legal remedies to get access to their personal data or ask for their data to be corrected or erased.
  • However, Europeans’ right to redress relied on the ombudsperson (a mechanism created by the European Commission and the U.S. administration) to oversee the handling of data originating from the EU by U.S. intelligence and security services.
  • The court ruled the ombudsperson cannot fix the deficiencies of effective redress because it is a political commitment to correct any violation, without an underlying legal obligation.
  • There is no cause of action open to EU citizens following a decision from the ombudsperson.

The court also provided important guidelines to assess the national security legislation in other countries.

The legislation must be sufficiently clear, detailed and foreseeable for an individual to understand what might happen to their data once it is used for national security purposes (even if that was not the intention of the data transfer).

Timeline of EU–U.S. data transfer rules proposed after the Schrems II decision

The Schrems II decision triggered several major reviews of the SCCs, aiming to strengthen the data privacy rights of EU citizens and establish a new agreement on data transfer between the U.S. and the EU.

Recent key dates include:

Stay Up to Date with Evolving International Data Privacy Standards

TrustArc is committed to keeping you up to date with the evolving international standards for data privacy.

As the pioneer in enterprise privacy certifications, our experts regularly share insights on the impact of privacy laws, including recommended actions to ensure ongoing compliance.

Organizations interested in maintaining demonstrable compliance while the EU–U.S. regulators make clarifications can verify their privacy program practices via the TRUSTe International Privacy Verification Program.

Demonstrate to customers and regulators that you are continuing to protect data in the way the Privacy Shield intended.

5 Benefits of APEC CBPR Certification You Should Know About https://trustarc.com/resource/5-benefits-of-apec-cbpr-certification/ Thu, 10 Nov 2022 17:23:00 +0000 https://trustarc.com/?post_type=resource&p=2606

5 Benefits of APEC CBPR Certification You Should Know About

Casey Kuktelionis

You’ve heard about the APEC CBPR Certification, but what is it? How does it help your business? What are the benefits of APEC CBPR Certification? And is it worth it?

Let’s start with the basics.

What is APEC?

Established in 1989, APEC stands for Asia-Pacific Economic Cooperation. It’s a forum for 21 Pacific Rim member economies that promotes trade, investment, and economic growth throughout the region.

Members include all countries with a coastline along the Pacific Ocean, including China, Japan, and the United States.

The 21 APEC members represent over 40% of the world’s population and over 60% of global GDP, which is significant if you’re operating a global business.

  • Australia
  • Brunei Darussalam
  • Canada
  • Chile
  • People’s Republic of China
  • Hong Kong, China
  • Indonesia
  • Japan
  • Republic of Korea
  • Malaysia
  • Mexico
  • New Zealand
  • Papua New Guinea
  • Peru
  • the Philippines
  • the Russian Federation
  • Singapore
  • Chinese Taipei
  • Thailand
  • the United States of America
  • Vietnam

APEC members work together to improve the business operating environment and reduce red tape between these economies.

Some of the ways members achieve this include faster customs procedures at borders, more favorable business climates behind the border, and aligning regulations and standards across the region.

All economies have an equal say and decision-making is reached by consensus. There are no binding commitments or treaty obligations and commitments are undertaken on a voluntary basis.

APEC also supports the multilateral trade negotiations underway in the World Trade Organization and complements the goals of the G20.

What is the APEC CBPR System?

CBPR stands for Cross-Border Privacy Rules. And as you may be guessing, the APEC CBPR system seeks to facilitate compliant and safe cross-border data transfers between participating economies.

The system is administered by the Joint Oversight Panel, assisted by the CBPR Secretariat, which consults with prospective APEC CBPR economies and determines whether an economy satisfies the participation requirements.

They also consult with and review applications for prospective Accountability Agents and handle Accountability Agent complaints.

The goal of the CBPR system is to protect personal information, through voluntary accountability, while ensuring the delivery of innovative products without the barriers created by differing economies’ regulations.

This system helps establish standards for transferring data cross-border so that personal information is protected, and that the requirements are enforceable if violated in those jurisdictions.

It also sets the criteria for bodies to become recognized as CBPR system Accountability Agents, and a process for information controllers to be certified as compliant with the APEC CBPR system.

The CBPR system works to protect personal data by requiring:

  • Enforceable standards – economies must demonstrate that CBPR program requirements will be legally enforceable against certified companies.
  • Accountability – a company must demonstrate to an Accountability Agent that it meets the CBPR program requirements.
  • Risk-based protections – companies must implement security safeguards for personal data.
  • Consumer-friendly complaint handling – collaboration with Accountability Agents to resolve disputes between consumers and certified companies.
  • Consumer empowerment – companies must provide consumers with the opportunity to access or correct their personal data.
  • Consistent protections – all participants must agree to abide by the 50 CBPR program requirements.
  • Cross-border enforcement cooperation – regulatory authority cooperation on the enforcement of program requirements.

An APEC economy must demonstrate that it can enforce compliance with the CBPR System’s requirements before joining.

There are currently nine participating APEC CBPR System economies: United States, Mexico, Japan, Canada, the Republic of Korea, Australia, Chinese Taipei, and the Philippines.

The APEC Privacy Framework

Created in 2005 and updated in 2015, the APEC Privacy Framework was designed to provide an accountable approach to managing data privacy protection and the flow of personal information across borders.

The APEC CBPR system requires participating businesses to implement data privacy policies consistent with the APEC Privacy Framework.

The preamble of the updated APEC Privacy Framework states,

“APEC economies realize that a key part of efforts to improve consumer confidence and ensure the growth of electronic commerce and innovation must be cooperation to promote both effective information privacy protection and the free flow of information in the Asia Pacific region, while respecting domestic laws and regulations, applicable international frameworks for information privacy protection, and strengthening information security in the Asia Pacific region.”

This framework is based on the OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, which are recognized as the global minimum standard for privacy and data protection.

The APEC Privacy Framework establishes a multilateral mechanism that enables Privacy Enforcement Authorities to cooperate in cross-border privacy law enforcement.

This mechanism is the Cross-border Privacy Enforcement Arrangement (CPEA).

Any Privacy Enforcement Authority in any APEC member economy can participate.

Any public body that is responsible for enforcing privacy law and has the power to conduct investigations or pursue enforcement proceedings is a Privacy Enforcement Authority.

Businesses can demonstrate their adherence to the APEC Privacy Framework by certifying their privacy practices to the following standards:

  • Cross Border Privacy Rules (CBPR) System – which governs “data controller” privacy practices
  • Privacy Recognition for Processors (PRP) System – which governs “data processor” privacy practices

You’ll notice the certifications differ based on whether the entity is a data controller or data processor.

APEC CBPR Certification

CBPR certification is currently available to companies headquartered in Japan, Korea, Singapore, and the United States. An independent Accountability Agent is needed to certify your organization’s compliance with the CBPR Program Requirements.

Applications are sent to APEC-recognized Accountability Agents who will begin the compliance review process to verify compliance with the CBPR system.

If an applicant meets the minimum criteria required, the Accountability Agent will be responsible for monitoring its compliance with the CBPR system criteria.

These criteria assess an applicant’s:

  • Notice of personal information and privacy policies
  • Collection limitations to specific purposes stated at time of collection
  • Use, transfer, and disclosure of personal information
  • Choice for individuals in relation to the collection, use, and disclosure of their personal information
  • Integrity of personal information maintained by the controller
  • Security safeguards to protect individuals’ personal information from loss, unauthorized access or disclosure, or other misuses
  • Access and correction for individuals to update their information when reasonable
  • Accountability for complying with measures that make the other criteria operational

While this is just intended to be a summary, you can review the complete APEC Cross-Border Privacy Rules System Program Requirements.

5 Benefits of APEC CBPR Certification

Alignment with Global Frameworks and Global Trade Facilitation

An APEC CBPR certification is based on the same principles that inform the OECD Guidelines, the Fair Information Practice Principles, the EU-U.S. Privacy Shield, and the General Data Protection Regulation.

As such, a CBPR certification will help align your organization’s policies to various international privacy frameworks.

This will lower the compliance burden and save your employees the time otherwise spent implementing a patchwork of privacy regulations.

If you haven’t started a privacy program yet, completing the necessary actions within the CBPR certification process will create a data privacy roadmap for your business.

Using a baseline of standard privacy protections for personal information, businesses can become a trusted entity for protecting consumer data.

An APEC CBPR certification makes conducting business in participating economies easier and helps to facilitate the increasing trade relationship between APEC economies.

The United States-Mexico-Canada Agreement, which replaced the North American Free Trade Agreement to mutually benefit employees and businesses and grow the North American economy, also formally recognizes the APEC CBPR System to further facilitate global trade.

Using vendors, outsourcing operations, or partnering with APEC economies can reduce your business costs through access to labor, materials, and new supply chains, all of which benefits the growing global economy.

Jurisdiction-Specific Data Transfer Benefits

This cohesive set of privacy rules allows the responsible transfer of data between participating economies. Rather than spending time and money sorting out the rules of every individual jurisdiction, participants have an approved network for cross-border transfers.

The CBPR certification gives companies and employees confidence that the transaction will adhere to data protection standards while eliminating unnecessary burdens.

In Japan, companies that have a CBPR certification do not have to obtain consent to transfer data to another country, which is otherwise required under Japanese law.

An APEC CBPR certification may also make it easier for an organization to obtain approval for its Binding Corporate Rules in the European Union.

Since 2013, APEC member economies and EU officials have been collaborating to promote interoperability between the two regional transfer mechanisms.

In-Network Transactional Streamlining

If you have an APEC CBPR certification, the privacy practices of your organization will be in line with other CBPR-certified organizations, thereby facilitating transactions between participants.

The certification opens businesses up to a wide range of partners and new locations to support your business growth goals.

Some of the companies holding CBPR certification are:

  • Apple Inc
  • Asurion LLC
  • Electronic Arts
  • Expedia Inc
  • General Electric Company
  • Hewlett Packard Enterprise Company
  • International Business Machines Corporation
  • Johnson Controls Inc
  • Mastercard
  • PGA Tour Inc
  • Rackspace Technology Global Inc
  • Workday Inc

Create Competitive Differentiation and Increase Consumer Trust

Consumers globally are standing up to companies that don’t establish transparent data practices, or adhere to privacy regulations such as GDPR. Alignment with global privacy frameworks and a certification seal demonstrate that a business values consumer privacy.

People still want a relationship with businesses; they just want more control over how their data is collected, used, and shared. Enabling this control generates consumer trust in your business.

It helps your marketing and communications teams as well. If consumers can better communicate their preferences to businesses, you can respond with more relevant messages to better meet their needs.

Rather than spending time and effort on mass promotions, messages can be more personalized and generate a better ROI.

And because not every business has been forced to catch on (through regulations in their region), consumer-first data practices can set you apart from your competition. At least, it’s worked for Apple, anyway.

Compliance and Resolution Efforts

Part of maintaining consumer trust is giving data subjects a method for resolving disputes with your organization.

Obtaining a CBPR certification means your Accountability Agent will handle the frontline consumer complaints and dispute resolution. This helps to ensure key issues are addressed before they become larger problems.

Facilitate the compliant transfer of data among participating APEC economies

TRUSTe, a subsidiary of TrustArc, was unanimously approved to be the first Accountability Agent to certify data transfer practices under the CBPR framework for data controllers and the APEC PRP framework for data processors.

First, TrustArc will assess your privacy program’s operations to understand and work with you to remediate any compliance risks. You’ll receive expert guidance through the process with our powerful technology.

Based on the information gathered from the assessment, you’ll be guided through the remediation process with support to ensure the required changes are complete.

As proof of the TRUSTe Certification, an official Letter of Attestation can be shared with your business partners, providing your organization with competitive differentiation.

The Future of the Privacy Shield and Transatlantic Data Flows https://trustarc.com/resource/future-transatlantic-data-flows/ Tue, 18 Oct 2022 17:58:00 +0000 https://trustarc.com/?post_type=resource&p=2616

The Future of the Privacy Shield and Transatlantic Data Flows

In March 2022, the EU and the U.S. struck an understanding on a revamped Privacy Shield data transfer agreement. The goal?

To allow Europeans’ personal data to flow to the U.S. once again, following the striking down of the Privacy Shield agreement in July 2020.

At the time, there were fears data was not safe from access by American agencies once transferred across the Atlantic.

Approaching the end of 2022, the European Commission is set to spend six months approving a new Privacy Policy. The new transatlantic data agreement is expected to be ready around March 2023.

Here’s how we got to this stage.

The End of the Privacy Shield

In December 2020, the Commerce Committee of the U.S. Senate held a hearing on the July 2020 Schrems-II decision, impacting the future of U.S.–EU data flows.

The committee invited five experts to give evidence and respond to the senators’ questions.

Back then, with the invalidation of the Privacy Shield, it was unclear when a new international agreement would come into play.

While we now know it will likely be March 2023, the experts’ 2020 insights were revealing.

The Need for a Data Flow Agreement

The Privacy Shield was the most cost-effective and easy-to-use framework for data-related international trade.

When the Schrems-II decision ended it in 2020, experts and senators stressed the need for a new data flow agreement – soon.

It was particularly urgent to allow small business owners to continue international trade.

After all, they make up over 70% of Privacy Shield certified companies and are essential to the U.S. economy. 

At the hearing, James Sullivan, Deputy Assistant Secretary for Services with the International Trade Administration of the U.S. Department of Commerce, said his team was already working with the European Commission to discuss a replacement Privacy Shield.

He noted ongoing all-party talks, including within the OECD, to find common ground on government access restrictions.

Meanwhile, FTC Commissioner Noah Phillips explained the increased legal uncertainty and costs for businesses following the Privacy Shield invalidation.

The key to re-establishing data flows, he said, was in establishing a transparent exchange between legal frameworks around the world, and particularly between Europe and the U.S.

Strong Data Privacy Protections

Victoria Espinel, President and Chief Executive Officer of BSA – The Software Alliance, told the committee that data trade often takes place without consumers being aware of it: perhaps when using email, exchanging HR data or shopping online.

She said consumers should be able to rely on effective and strong data privacy protections. She noted that some level of signals intelligence by governments might be required.

Privacy Shield: an Academic View

Professors Peter Swire and Neil Richards both spoke at the court proceedings leading to the Schrems-II decision. Swire said he believed the U.S. did offer an equivalent level of protection under the Privacy Shield.

Some improvements could be made to individual rights under U.S. surveillance laws, he admitted.

He advocated for a short-term, temporary deal to be approved before the end of the Trump Administration.

This would buy time for a bigger and broader agreement to be negotiated. That could then involve legislative change in the U.S. and possibly in Europe.

Richards encouraged the U.S. to seek an EU adequacy decision, and to initiate both privacy and surveillance law reform.

He said this would be the best solution for U.S. small businesses, creating added value for the economy.

The Schrems-II decision should be seen as an opportunity, he said, giving the U.S. the chance to regain leadership in privacy and data protection.

U.S. Federal Privacy Law

During the Q&A, it was apparent that the development of a U.S. federal privacy law was supported. Many members of the committee thought it should be a priority of the Biden Administration.

It may not solve all challenges, but adopting a strong federal privacy law would send a positive signal to the EU, increasing trust in the U.S.

Richards stressed the current U.S. system of ‘notice and choice’ is no longer adequate. ‘Choice’ is often illusory, he said, and ‘notice’ is often unclear.

Surveillance Reform for Data Flow

Espinel said the way forward was to create a global group of countries that share the same values, in order to reach agreement on what can and cannot be allowed in terms of government access to personal data.

This raised issues of data localization, which some in the EU favor. But senators and experts thought data localization is ineffective in today’s global and digital economy.

Plus, it increases the cost of doing business.

Among like-minded countries, data localization requirements should not be needed.

The recording of the hearing and written evidence of experts is available via the website of the U.S. Senate.

Hot Hot Hot – Executive Order – Start your Privacy Engines

Listen as Dr. K Royal and co-host Paul Breitbarth distill the various documents that make up the Executive Order package (the fact sheet, along with the information on the European Commission site), the Department of Commerce statement, the Department of Justice / Office of the Attorney General final rule on the Data Protection Review Board, and NOYB’s response.

As expected, and as TrustArc predicted, companies that remained in the Privacy Shield will have a transition plan.

Hot Hot Hot – Executive Order – Start your Privacy Engines https://trustarc.com/resource/spp-s3-ep34/ Wed, 12 Oct 2022 20:24:00 +0000 https://trustarc.com/?post_type=resource&p=3148