Schrems II May Change Everything

What Companies Should Be Doing to Prepare

by Paul Breitbarth
October 5, 2020
in Data Privacy, Featured

The recent Schrems II decision by the Court of Justice of the European Union found that the EU-U.S. Privacy Shield is invalid. TrustArc’s Paul Breitbarth offers guidance for companies on how to maintain compliance going forward.

Thousands of businesses regularly transfer personal data between EU countries and the U.S. The Privacy Shield agreement governed those transfers, but in July, the Court of Justice of the European Union (CJEU) invalidated the agreement in what is colloquially known as the Schrems II case. Schrems II also forced the court to examine standard contractual clauses (SCCs), another mechanism for transferring personal data between the U.S. and the EU. Organizations are now left with more questions than answers when it comes to the international transfer of personal data.

What is Schrems II and why does it matter?

In the context of commercial data privacy, the fact that Privacy Shield is no longer valid matters. However, its invalidation was collateral damage from the two legal cases that bear privacy advocate Maximilian Schrems’ name. The Schrems cases were about data transfers, specifically from EU member states to the U.S., by a large technology organization.

The latest ruling represents the Irish Data Protection Commissioner’s (DPC) mandate that the organization cease data transfers from the EU to the U.S. For technology companies with business models of selling advertising space based on customer data, the ruling is a potential blow to their operations.

That’s a fact that seems to have escaped many businesses as they prepared to comply with data privacy regulations, namely GDPR. The monetary penalty that befalls a company may not be the worst consequence of noncompliance. In fact, as the Schrems II ruling shows, regulators may even halt businesses from exporting data from Europe altogether.

Be Prepared for Sudden Changes to Data Transfer Laws

Schrems II clarified that eventually there will be a decision that restricts continuous data flows to the U.S. unless there are changes to surveillance laws in the country. Technology companies (and others that leverage customer data as part of their business model) should by now be working on a backup plan for potential restrictions.

The bad news is threefold:

  • As part of the Schrems II decision, it’s up to the data protection authorities in the respective countries to enforce the law, as the Irish DPC is expected to do.
  • The data transfer workarounds companies attempt to implement are going to be clunkier than they want: There is no one-size-fits-all solution at the moment.
  • Some of these workarounds may even be invalid themselves.

Understand Mechanisms for Compliance

The best approach companies can take is to understand the data transfer mechanisms that may be in play and how to use them. Without an agreement such as Privacy Shield in place, there is no adequacy decision that validates data transfers between companies in the EU and those in the U.S. Instead, organizations must turn to other options, such as SCCs and/or binding corporate rules (BCRs).

It’s important to remember that while the focus of Schrems II analysis has been on data transfers between the EU and U.S., companies must also address data transfers from the EU to the rest of the world. Ninety-two countries have international data transfer requirements, many of which differ from one another. Furthermore, there are 168 countries that are not members of the EU. Some of these countries have strong privacy laws and limited surveillance laws, and some have adequacy decisions, but most do not.

In effect, companies that wish to transfer data from an EU member state to another country must assess the regulations and adequacy decisions of each country and whether SCCs, BCRs or other mechanisms are still sufficient.

Binding corporate rules govern an entity or group of entities. They apply to data transfers within one entity or group of entities. BCRs do not apply to data transfers between two different entities, however. These contracts wouldn’t necessarily protect against government interference and companies may still have to implement additional safeguards depending on the country in question.

Standard contractual clauses are agreed on a per-contract basis. Every time an organization enters into an agreement to transfer data to another organization, it must fill out an SCC and the adjoining annex. An SCC annex describes the data the organizations will send to one another. The typical problem with SCCs is that many organizations do not read the entire contract or fill out the annexes. If these annexes aren’t filled out, neither company is compliant.

Furthermore, following the Schrems II case, an additional annex will need to be prepared, spelling out extra safeguards of an operational, technical and legal nature that will help to protect transferred data against the risk of government interference. What these safeguards could be also depends on the volume and nature of the data. Specific regulator guidance on this point is expected in the coming weeks and months.

Take a Proactive Approach to Changing Privacy Regulations

Ideally, the European Data Protection Board (EDPB) would assess the most relevant economies for international data transfers and recommend what safeguards could be put in place for those transfers. As long as such assessments have not been published, the privacy industry must take it upon itself to devise mechanisms for valid data transfers so that some standardization exists. Without EDPB-recommended safeguards or an industry standard in place, it will be nearly impossible for companies without the adequate resources to make assessments of every country’s data privacy laws.

In the meantime, organizations can help themselves prepare for the eventual decision by:

  • Reviewing their international data flows and starting the case-by-case assessment on what additional measures might be needed to protect the data against government interference.
  • Reviewing their data-processing agreements and ensuring that, where relevant, SCCs are attached, filled out and signed.
  • Reviewing the revised draft SCCs once they become available (likely early October) and taking part in the stakeholder consultation. Once the European Commission finalizes and approves these new SCCs, organizations must work with the updated clauses as is.
  • Reviewing the European Data Protection Board’s data controller/processor guidelines. These guidelines are still open for feedback until October 19.
  • Finding technology that can automate privacy law assessments. No matter what the European court decides, organizations must be responsible for understanding their data privacy risks and how those risks pertain to different international laws.

Tags: Data Governance, Privacy Shield

Paul Breitbarth

Paul Breitbarth is a privacy lawyer from the Netherlands. In 2016, he joined the Canadian privacy software and research company Nymity, which became part of TrustArc in November 2019. He currently serves as Director, EU Policy and Strategy and is based at TrustArc’s office in The Hague, the Netherlands. As part of the Privacy Intelligence team, Paul contributes to the company’s content development and thought leadership, via papers, webinars, podcasts and public speaking opportunities on a variety of topics, including accountability, the demonstration of compliance and dealing with multiple data protection laws with one single privacy program. Paul also maintains regulator contacts across the EU and beyond. Paul is Senior Visiting Fellow and member of the Advisory Board at Maastricht University's European Centre on Privacy and Cybersecurity. Before joining Nymity, Paul served as senior international officer at the Dutch Data Protection Authority. He was an active member of various Article 29 Working Party subgroups, co-authoring opinions on the data protection reform, surveillance, the Privacy Shield and others. In 2015, he organized the International Privacy Conference in Amsterdam. Paul holds a Master of Laws from Maastricht University in the Netherlands.

© 2025 Corporate Compliance Insights