https://evertio.com
Schrems II
Overview
The purpose of these slides is to provide an overview of the Schrems II case
regarding the transfer of personal data between the European Union (EU) and
the United States (US). This paper will then analyze the decision behind the
ruling by the European Union Court of Justice (CJEU) against the EU-US Data
Protection Shield, and the potential effects of the ruling on the companies that
are involved in the data transfers.
Background: Schrems I
Schrems II is the continuation of privacy lawyer
Maximilian Schrems’s complaints against
Facebook Ireland over data privacy violations [1].
In 2013, former NSA contractor Edward Snowden
leaked a trove of information regarding classified
NSA materials. This included a program called
"PRISM", which is a program whereby the NSA
collects internet communications from U.S.
companies such as Facebook. The fact that
Facebook would share the data of its European
users with the NSA prompted Schrems to file a
complaint with the Irish Data Protection
Commission. He alleged that Facebook Ireland’s
data sharing agreement with Facebook, Inc., its
American parent, violated Schrems’ rights under
the Charter of Fundamental Rights of the
European Union because of Facebook Inc.’s
cooperation with US intelligence agencies.
Schrems I resulted in the invalidation of the
Safe Harbor framework, leading to the
creation of the Privacy Shield as a
replacement [4]. However, this did not
address Schrems’s original complaint over
the validity of Facebook’s data transfer, as
it and other companies simply switched
over to using Standard Contractual Clauses
(SCCs), an alternative process of data
transfer.
As a consequence, Schrems continued his
campaign, filing another complaint with the
Irish High Court, challenging the validity of
the Privacy Shield and the SCCs. This was
again referred to the CJEU, leading to the
Schrems II case.
What is the Privacy Shield?
The Privacy Shield was a framework designed by
the U.S. Department of Commerce, the
European Commission and the Swiss Administration to
provide companies with a presence in both
countries with a mechanism to comply with data
protection requirements when transferring
personal data from the EU to the US for
commercial purposes [2]. The framework was
initially approved by both the EU and the Swiss, as
on July 12, 2016, the European Commission
deemed it adequate to enable data transfers under
EU law. Similarly, on January 12, 2017, the Swiss
Government approved it as a valid legal
mechanism to comply with Swiss requirements
when transferring personal data from Switzerland
to the United States.
The Privacy Shield was a replacement for
“Safe Harbor”, an EU-US data transfer
agreement that was previously invalidated by
the CJEU in 2015 after an earlier challenge
submitted by Max Schrems, a notable
Austrian lawyer and privacy activist.
Who is Max Schrems?
Maximilian Schrems is an Austrian attorney and privacy advocate.
Schrems I (Maximilian Schrems v Data Protection Commissioner) and
Schrems II (Data Protection Commission v. Facebook Ireland, Schrems)
arose from complaints lodged by Schrems with the Irish Data
Protection Commission [3].
In his complaints, he challenged the lawfulness of transfers of his
personal data by Facebook in Ireland to Facebook in the US, on the
ground that the legal system in the US did not ensure adequate
protection of his personal data against US national security
surveillance activities.
Schrems I invalidated the Privacy Shield’s predecessor, the Safe
Harbor. In Schrems II, Schrems challenged the validity of the Privacy
Shield.
CJEU Ruling
What happened to the Privacy Shield?
On July 6th, 2020, the CJEU struck down the EU-US Data Protection Shield,
ruling the arrangement to be inadequate and not up to the standards of EU law.
However, the ruling does not invalidate the operations of the privacy
shield itself. “The Standard Contractual Clauses remain a valid tool for the
transfer of personal data to processors established in the third countries. This
means that the transatlantic data flows can continue based on the broad
toolbox for international transfers provided by the GDPR.” - Věra Jourová,
Commissioner with Responsibility for Trust and Transparency.
Reasons behind the ruling
Intervention by U.S. Authorities
US authorities can access and use personal data of EU
subjects transferred under the Privacy Shield for
purposes which go beyond what is strictly necessary
and proportionate to the purpose of national
security. The prime concern with US law and
practices is that US businesses receiving national
security letters, or other such federal investigative
actions, are often precluded from contacting the
investigation targets (data subjects) about the
inquiry. This is contrary to the transparency principles
of the GDPR.
Inadequate Protection
The Court concluded that the US laws and
practices do not ensure a level of protection
essentially equivalent to that guaranteed
under EU laws, especially the actionable
rights of individuals before the US courts
with respect to the US intelligence services’
powers [5].
Effects of the Ruling: Companies
The invalidation of the Privacy Shield has significant implications for
Facebook and other companies that used the framework, as they will
need to find alternative methods of transferring data. While the ruling
does not invalidate the SCCs themselves, the Court has clarified that
the ruling applies to all data flows, even those under SCCs, where the
company falls under the NSA surveillance law.
But the ruling has not had the immediate effect that some may have
hoped, as most companies such as Facebook have instituted delays as
they review the decision and evaluate potential actions. As such, it
might be some time before the effects of the ruling are felt by the
private sector at large, if at all by major firms such as Apple or Google,
which could seek exemptions or other means to avoid absolute
compliance.
Effects of the Ruling: Countries
The invalidation of the Privacy Shield also has implications for
frameworks between the EU and other countries. Given that other
jurisdictions such as India or China also possess strong surveillance
capabilities, the ruling sets a new precedent for future evaluations of
data transfers to those countries [6].
One immediate implication is for the United Kingdom, which recently
separated from the EU as a result of the Brexit referendum. UK
surveillance law has also faced repeated challenges under EU human
rights. As a result, the UK could stand to fall under the same ‘third
country’ category that the US is in. However, there are differences
between US law, which is entirely sovereign, and UK law, which has
been reviewed and amended by European courts to comply with EU
regulations.
Conclusion
The outcome of Schrems II was unsurprising given the
Court’s strong support for data protection rights and
previous criticisms of the Privacy Shield. However, the
ruling is a monumental decision that could have sweeping
consequences for American companies operating in the EU
and data transfer agreements between the EU and other
nations. Companies that relied on the Privacy Shield must
now find legal alternatives if they are to continue
operations, or else be forced to pull out of Europe entirely.
The ruling also means that the US will not be able to
merely reach a third agreement by making minor changes
to the Privacy Shield. Given that it is unlikely the US would
easily relinquish its national surveillance operations for the
sake of adhering to EU regulations, the burden falls on
companies to deal with the legal implications [7].
One idea could be to develop codes of conduct or
certification mechanisms together with enforceable
commitments covering US data flows as foreseen under
Article 46(2) GDPR. Codes of conduct and certification
mechanisms as a legal basis for data transfers have not
been approved under the GDPR thus far but present an
opportunity for both countries to cooperate on.
References
1. https://techcrunch.com/2020/07/16/europes-top-court-strikes-down-flagship-eu-us-data-transfer-mechanism/?
2. https://www.privacyshield.gov/Program-Overview
3. https://www.theprivacyscoop.com/general/schrems-ii-invalidation-of-the-privacy-shield/
4. https://iapp.org/news/a/understanding-schrems-2-0/
5. https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf
6. https://europeanlawblog.eu/2020/07/17/the-schrems-ii-judgment-of-the-court-of-justice-and-the-future-of-data-transfer-regulation/
7. https://www.nortonrosefulbright.com/en/knowledge/publications/ad5f304c/schrems-ii-landmark-ruling-a-detailed-analysis
About Evertio
Evertio helps companies launch a privacy
program by providing basic privacy
education and privacy tools.
Our software features include data mapping,
assessments, privacy and cookie policy
generator and many more.
12
https://evertio.com

More Related Content

What's hot

UK GDPR: What New Direction?
UK GDPR:  What New Direction?UK GDPR:  What New Direction?
UK GDPR: What New Direction?David Erdos
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPRDipanjanDey12
 
The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age - Mark - Fullbright
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationVicky Dallas
 
Privacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU DataPrivacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU DataSchellman & Company
 
Personal Data Protection Singapore - Pdpc corporate-brochure
Personal Data Protection Singapore - Pdpc corporate-brochurePersonal Data Protection Singapore - Pdpc corporate-brochure
Personal Data Protection Singapore - Pdpc corporate-brochureJean Luc Creppy
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_indiaAltacit Global
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill Mathew Chacko
 
GDPR training
GDPR training GDPR training
GDPR training ASL
 
Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018amirhannan
 
Generative AI, Search Engines and GDPR
Generative AI, Search Engines and GDPRGenerative AI, Search Engines and GDPR
Generative AI, Search Engines and GDPRDavid Erdos
 

What's hot (20)

UK GDPR: What New Direction?
UK GDPR:  What New Direction?UK GDPR:  What New Direction?
UK GDPR: What New Direction?
 
Presentation on GDPR
Presentation on GDPRPresentation on GDPR
Presentation on GDPR
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Overview on data privacy
Overview on data privacy Overview on data privacy
Overview on data privacy
 
The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age The Human Right to Privacy in the Digital Age
The Human Right to Privacy in the Digital Age
 
Introduction to GDPR
Introduction to GDPRIntroduction to GDPR
Introduction to GDPR
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ? HIPAA vs GDPR The How, What, and Why ?
HIPAA vs GDPR The How, What, and Why ?
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
 
GDPR
GDPRGDPR
GDPR
 
Privacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU DataPrivacy shield: What You Need To Know About Storing EU Data
Privacy shield: What You Need To Know About Storing EU Data
 
Personal Data Protection Singapore - Pdpc corporate-brochure
Personal Data Protection Singapore - Pdpc corporate-brochurePersonal Data Protection Singapore - Pdpc corporate-brochure
Personal Data Protection Singapore - Pdpc corporate-brochure
 
Data protection in_india
Data protection in_indiaData protection in_india
Data protection in_india
 
Personal data protection bill
Personal data protection bill Personal data protection bill
Personal data protection bill
 
GDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdfGDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdf
 
GDPR training
GDPR training GDPR training
GDPR training
 
Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018Slides dr farah jameel's gdpr presentation april 2018
Slides dr farah jameel's gdpr presentation april 2018
 
Generative AI, Search Engines and GDPR
Generative AI, Search Engines and GDPRGenerative AI, Search Engines and GDPR
Generative AI, Search Engines and GDPR
 

Similar to Evertio Schrems II

Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedBulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedCohenGrigsby
 
After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?Seb Oram
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKSally Hunt
 
Data Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborData Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborGayle Gorvett
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
Att. patrizia giannini fordham university new york 19 july 2013 - electroni...
Att. patrizia giannini   fordham university new york 19 july 2013 - electroni...Att. patrizia giannini   fordham university new york 19 july 2013 - electroni...
Att. patrizia giannini fordham university new york 19 july 2013 - electroni...Amministratore Bluefactor
 
Should European Businesses Really Fear The Usa Patriot Act
Should European Businesses Really Fear The Usa Patriot ActShould European Businesses Really Fear The Usa Patriot Act
Should European Businesses Really Fear The Usa Patriot Actfrjennings
 
Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16Agustin Argelich Casals
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...Ulf Mattsson
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsThe Economist Media Businesses
 
Cross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy ShieldCross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy ShieldParsons Behle & Latimer
 
PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?PECB
 
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...TrustArc
 
CJEU decision on Schrems
CJEU decision on SchremsCJEU decision on Schrems
CJEU decision on SchremsGreg Sterling
 
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSHAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSThomas O. Dubuisson
 

Similar to Evertio Schrems II (20)

Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program InvalidatedBulletin - US-EU Data Privacy Safe Harbor Program Invalidated
Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated
 
After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?After Schrems, how lawful is cloud storage?
After Schrems, how lawful is cloud storage?
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UK
 
Data Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe HarborData Privacy vs. National Security post Safe Harbor
Data Privacy vs. National Security post Safe Harbor
 
FINAL REPORT
FINAL REPORTFINAL REPORT
FINAL REPORT
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
 
Att. patrizia giannini fordham university new york 19 july 2013 - electroni...
Att. patrizia giannini   fordham university new york 19 july 2013 - electroni...Att. patrizia giannini   fordham university new york 19 july 2013 - electroni...
Att. patrizia giannini fordham university new york 19 july 2013 - electroni...
 
Should European Businesses Really Fear The Usa Patriot Act
Should European Businesses Really Fear The Usa Patriot ActShould European Businesses Really Fear The Usa Patriot Act
Should European Businesses Really Fear The Usa Patriot Act
 
Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16Patricia Ayojedi V SCTC day Cloud 24 feb16
Patricia Ayojedi V SCTC day Cloud 24 feb16
 
The Road to Schrems II
The Road to Schrems IIThe Road to Schrems II
The Road to Schrems II
 
ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...ISACA Houston - How to de-classify data and rethink transfer of data between ...
ISACA Houston - How to de-classify data and rethink transfer of data between ...
 
Newsletter DP issue 19
Newsletter DP issue 19Newsletter DP issue 19
Newsletter DP issue 19
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next steps
 
Cross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy ShieldCross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy Shield
 
PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?PECB Webinar: The End of Safe Harbour! What happens Next?
PECB Webinar: The End of Safe Harbour! What happens Next?
 
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Con...
 
CJEU decision on Schrems
CJEU decision on SchremsCJEU decision on Schrems
CJEU decision on Schrems
 
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERSHAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
HAMBURG DPA FINED 3 INTERNATIONAL COMPANIES FOR ILLEGAL U.S. DATA TRANSFERS
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 

Recently uploaded

indian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law studentindian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law studentAaruKhanduri
 
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxRIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxOmGod1
 
Types of Cybercrime and Its Impact on Society
Types of Cybercrime and Its Impact on SocietyTypes of Cybercrime and Its Impact on Society
Types of Cybercrime and Its Impact on Societynanjeebarifa
 
Notes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docNotes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docBRELGOSIMAT
 
Agrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizAgrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizgaelcabigunda
 
DNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptxDNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptxpatrons legal
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipBridgeWest.eu
 
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Mike Keyes
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfssuser5750e1
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf46adnanshahzad
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtGabe Whitley
 
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW  AN OVERVIEW in Malawi.pptxEMPLOYMENT LAW  AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptxMwaiMapemba
 
Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...AvinashMittal5
 
Application of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of lawsApplication of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of lawsanvithaav
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtssuser0576e4
 
Solidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaSolidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaUniversity of Ferrara
 
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxPRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxOmGod1
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselThomas (Tom) Jasper
 
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...Dr. Oliver Massmann
 

Recently uploaded (20)

indian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law studentindian evidence act.pdf.......very helpful for law student
indian evidence act.pdf.......very helpful for law student
 
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptxRIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
RIGHTS OF VICTIM EDITED PRESENTATION(SAIF JAVED).pptx
 
Types of Cybercrime and Its Impact on Society
Types of Cybercrime and Its Impact on SocietyTypes of Cybercrime and Its Impact on Society
Types of Cybercrime and Its Impact on Society
 
Notes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.docNotes-on-Prescription-Obligations-and-Contracts.doc
Notes-on-Prescription-Obligations-and-Contracts.doc
 
Agrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quizAgrarian Reform Policies in the Philippines: a quiz
Agrarian Reform Policies in the Philippines: a quiz
 
DNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptxDNA Testing in Civil and Criminal Matters.pptx
DNA Testing in Civil and Criminal Matters.pptx
 
The Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot CitizenshipThe Main Procedures for Obtaining Cypriot Citizenship
The Main Procedures for Obtaining Cypriot Citizenship
 
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
Casa Tradicion v. Casa Azul Spirits (S.D. Tex. 2024)
 
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdfDonald_J_Trump_katigoritirio_stormi_daniels.pdf
Donald_J_Trump_katigoritirio_stormi_daniels.pdf
 
ALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdfALL EYES ON RAFAH BUT WHY Explain more.pdf
ALL EYES ON RAFAH BUT WHY Explain more.pdf
 
Abdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal CourtAbdul Hakim Shabazz Deposition Hearing in Federal Court
Abdul Hakim Shabazz Deposition Hearing in Federal Court
 
Charge and its essentials rules Under the CRPC, 1898
Charge and its essentials rules Under the CRPC, 1898Charge and its essentials rules Under the CRPC, 1898
Charge and its essentials rules Under the CRPC, 1898
 
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW  AN OVERVIEW in Malawi.pptxEMPLOYMENT LAW  AN OVERVIEW in Malawi.pptx
EMPLOYMENT LAW AN OVERVIEW in Malawi.pptx
 
Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...Everything You Should Know About Child Custody and Parenting While Living in ...
Everything You Should Know About Child Custody and Parenting While Living in ...
 
Application of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of lawsApplication of Doctrine of Renvoi by foreign courts under conflict of laws
Application of Doctrine of Renvoi by foreign courts under conflict of laws
 
Debt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debtDebt Mapping Camp bebas riba to know how much our debt
Debt Mapping Camp bebas riba to know how much our debt
 
Solidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South AfricaSolidarity and Taxation: the Ubuntu approach in South Africa
Solidarity and Taxation: the Ubuntu approach in South Africa
 
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptxPRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
PRECEDENT AS A SOURCE OF LAW (SAIF JAVED).pptx
 
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense CounselMilitary Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
 
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
VIETNAM - DIRECT POWER PURCHASE AGREEMENTS (DPPA) - Latest development - What...
 

Evertio Schrems II

  • 2. Overview The purpose of this slides is to provide an overview of the Schrems II case regarding the transfer of personal data between the European Union (EU) and the United States (US). This paper will then analyze the decision behind the ruling by the European Union Court of Justice (CJEU) against the EU-US Data Protection Shield, and the potential effects of the ruling on the companies that are involved in the data transfers. 2
  • 3. Background: Schrems I Schrems 2 is the continuation of privacy lawyer Maximilian Schrems’s complaints against Facebook Ireland over data privacy violations [1]. In 2013, former NSA contractor Edward Snowden leaked a trove of information regarding classified NSA materials. This included a program called "PRISM", which is a program whereby the NSA collects internet communications from U.S. companies such as Facebook. The fact that Facebook would share the data of its European users with the NSA prompted Schrems to file a complaint with the Irish Data Protection Commission. He alleged that Facebook Ireland’s data sharing agreement with Facebook, Inc., its American parent, violated Schrems’ rights under the Charter of Fundamental Rights of the European Union because of Facebook Inc.’s cooperation with US intelligence agencies. 3 Schrems I resulted in the invalidation of the Safe Harbor framework, leading to the creation of the Privacy Shield as a replacement [4]. However, this did not address Schrem’s original complaint over the validity of Facebook’s data transfer, as it and other companies simply switched over to using Standard Contractual Clauses (SCCs), an alternative process of data transfer. By consequence, Schrems continued his campaign, filing another complaint to the Irish High court, challenging the validity of the Privacy Shield and the SCCs. This was again referred to the CJEU, leading to the Schrems II case.
  • 4. What is the Privacy Shield? The Privacy Shield was a framework designed by the U.S. Department of Commerce and the European Commission and Swiss Administration, to provide companies with a presence in both countries with a mechanism to comply with data protection requirements when transferring personal data from the EU to the US for commercial purposes [2]. The framework was initially approved by both the EU and the Swiss, as on July 12, 2016, the European Commission deemed it adequate to enable data transfers under EU law. Similarly, on January 12, 2017, the Swiss Government approved it as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. The Privacy Shield was a replacement for “Safe Harbor”, an EU-US data transfer agreement that was previously invalidated by the CJEU in 2015 after an earlier challenge submitted by Max Schrems, a notable Austrian lawyer and privacy activist.
  • 5. Who is Max Schrems? Maximilian Schrems is an Austrian attorney and privacy advocate. Schrems I (Maximillian Schrems v Data Protection Commissioner) and Schrems II (Data Protection Commission v. Facebook Ireland, Schrems) arose from complaints lodged by Schrems with the Irish Data Protection Commission [3]. In his complaints, he challenged the lawfulness of transfers of his personal data by Facebook in Ireland to Facebook in the US, on the ground that the legal system in the US did not ensure adequate protection of his personal data against US national security surveillance activities. Schrems I invalidated the Privacy Shield’s predecessor, the Safe Harbor. In Schrems II, Schrems challenged the validity of the Privacy Shield.
  • 6. CJEU Ruling: What happened to the Privacy Shield? On July 6th, 2020, the CJEU struck down the EU-US Data Protection Shield, ruling the arrangement to be inadequate and not up to the standards of EU law. However, the ruling does not invalidate the operations of the Privacy Shield itself. “The Standard Contractual Clauses remain a valid tool for the transfer of personal data to processors established in the third countries. This means that the transatlantic data flows can continue based on the broad toolbox for international transfers provided by the GDPR.” - Věra Jourova, Commissioner with Responsibility for Trust and Transparency.
  • 7. Reasons behind the ruling. Intervention by U.S. Authorities: US authorities can access and use personal data of EU subjects transferred under the Privacy Shield for purposes which go beyond what is strictly necessary and proportionate to the purpose of national security. The prime concern with US law and practices is that US businesses receiving national security letters, or other such federal investigative actions, are often precluded from contacting the investigation targets (data subjects) about the inquiry. This is contrary to the transparency principles of the GDPR. Inadequate Protection: The Court concluded that the US laws and practices do not ensure a level of protection essentially equivalent to that guaranteed under EU laws, especially the actionable rights of individuals before the US courts with respect to the US intelligence services’ powers [5].
  • 8. Effects of the Ruling: Companies. The invalidation of the Privacy Shield has significant implications for Facebook and other companies that used the framework, as they will need to find alternative methods of transferring data. While the ruling does not invalidate the SCCs themselves, the Court has clarified that the ruling applies to all data flows, even those under SCCs, where the company falls under the NSA surveillance law. But the ruling has not had the immediate effect that some may have hoped, as most companies such as Facebook have instituted delays as they review the decision and evaluate potential actions. As such, it might be some time before the effects of the ruling are felt by the private sector at large, if at all by major firms such as Apple or Google, who could seek exemptions or otherwise avoid absolute compliance.
  • 9. Effects of the Ruling: Countries. The invalidation of the Privacy Shield also has implications for frameworks between the EU and other countries. Given that other jurisdictions such as India or China also possess strong surveillance capabilities, the ruling sets a new precedent for future evaluations of data transfers to those countries [6]. One immediate implication is for the United Kingdom, which recently separated from the EU as a result of the Brexit referendum. UK surveillance law has also faced repeated challenges under EU human rights. As a result, the UK could stand to fall under the same ‘third country’ category that the US is in. However, there are differences between US law, which is entirely sovereign, and UK law, which has been reviewed and amended by European courts to comply with EU regulations.
  • 10. Conclusion: The outcome of Schrems II was unsurprising given the Court’s strong support for data protection rights and previous criticisms of the Privacy Shield. However, the ruling is a monumental decision that could have sweeping consequences for American companies operating in the EU and data transfer agreements between the EU and other nations. Companies that relied on the Privacy Shield must now find legal alternatives if they are to continue operations, or else be forced to pull out of Europe entirely. The ruling also means that the US will not be able to merely reach a third agreement by making minor changes to the Privacy Shield. Given that it is unlikely the US would easily relinquish its national surveillance operations for the sake of adhering to EU regulations, the burden falls on companies to deal with the legal implications [7]. One idea could be to develop codes of conduct or certification mechanisms together with enforceable commitments covering US data flows as foreseen under Article 46(2) GDPR. Codes of conduct and certification mechanisms as a legal basis for data transfers have not been approved under the GDPR thus far but present an opportunity for both countries to cooperate on.
  • 12. About Evertio: Evertio helps companies launch a privacy program by providing basic privacy education and privacy tools. Our software features include data mapping, assessments, privacy and cookie policy generator and many more. https://evertio.com