In July 2020, the Court of Justice of the European Union (CJEU) issued a landmark decision in Schrems II, effectively invalidating the EU-U.S. Privacy Shield and imposing new requirements for cross-border data transfers.
Since then, American organizations that collect, process, or transfer personal data from the European Union (EU) have been grappling with the ruling’s implications. As data privacy lawyers at By Design Law, we aim to provide you with guidance on how to navigate cross-border data transfers, particularly after this ruling.
In this guide, we break down the key issues, practical steps for compliance, and the importance of supplemental measures to help you align with EU data protection standards while maintaining smooth international operations.
Looking for personalized guidance regarding your Seattle company’s compliance with Schrems II? Call us at (206) 593-1519 or use our online scheduling tool to get started.
Understanding the Schrems II Decision
The Schrems II decision came about when the CJEU assessed the validity of the EU-U.S. Privacy Shield framework, which once allowed U.S. companies to self-certify their adherence to certain privacy principles to facilitate transfers of EU personal data to the United States. The ruling found that U.S. surveillance laws granted government authorities extensive access to personal data, which conflicted with the EU’s high data protection standards under the General Data Protection Regulation (GDPR). Consequently, the court invalidated the Privacy Shield framework.
How Does the Schrems II Decision Affect Companies in Seattle, Washington?
Seattle hosts a thriving tech sector, along with diverse startups and established companies that engage in global data flows. Whether you are a cutting-edge technology platform, a multinational retailer, or a small SaaS provider, if you handle EU personal data, the Schrems II decision likely affects your compliance obligations.
Key factors for Seattle-based companies to consider:
- Cloud services: Many businesses rely on cloud or hosting providers that might store or process data outside the EU.
- Vendor relationships: If you use third-party service providers that have a global presence, your data may be transferred through multiple jurisdictions.
- Employee data: For companies with EU employees, cross-border HR-related data transfers also trigger compliance obligations.
Maintaining the trust of EU data subjects, business partners, and regulators hinges on your ability to demonstrate that you have taken every reasonable measure to secure personal data.
Practical Steps for Compliance
If you own a business in Seattle, WA, and are unsure how to comply with Schrems II, take a structured approach that embeds data privacy into your everyday operations.
1. Map Your Data Flows
Identify all points where EU personal data is collected, stored, processed, or transferred. This mapping exercise allows you to determine which transfers are subject to GDPR rules and where potential risks lie.
2. Implement the Updated SCCs
Standard Contractual Clauses (SCCs) are legal templates approved by the European Commission that organizations can incorporate into contracts with non-EU data importers. In response to Schrems II, the European Commission issued updated SCCs in 2021. These new SCCs:
- Contain modular clauses tailored to different types of data transfer relationships (e.g., controller-to-controller, controller-to-processor, processor-to-processor);
- Require organizations to conduct risk assessments and cooperate with supervisory authorities; and
- Include obligations to implement supplementary measures if needed.
Update any existing contracts with non-EU data recipients to include the new SCCs. For new service providers, ensure your Data Processing Agreements (DPAs) incorporate the correct modular clauses. Remember that the new SCCs have replaced the older versions, and any existing agreements might need to be re-papered to comply with the updated requirements.
3. Conduct Transfer Impact Assessments
For each data transfer, conduct a Transfer Impact Assessment (TIA) to evaluate the regulatory landscape of the recipient country. When doing so:
- Consider local surveillance laws and government access practices.
- Assess the nature of the data and the data importer’s ability to protect it.
- Document your findings and any actions taken as a result.
4. Adopt Supplementary Measures
If a TIA indicates that data subjects’ rights might be at risk, implement additional safeguards such as:
- Technical measures: Encryption, anonymization, or tokenization (these protect data in transfer only where the data importer cannot reverse them, for example where the encryption keys stay outside the importer’s reach).
- Contractual measures: Detailed clauses limiting disclosures to government authorities.
- Organizational measures: Strong internal policies on data governance and breach responses.
5. Monitor and Reassess Regularly
Data privacy compliance is not a one-off project. Periodically review your data transfer mechanisms, TIAs, and supplementary measures to account for:
- Changes in local laws or legal interpretations.
- Evolving best practices and guidance from EU regulators.
- The dynamic nature of your own data flows and business operations.
Have Questions About Your Company’s Compliance with Schrems II? We Can Help
At By Design Law, we believe in practical solutions that empower your business. Our goal is to minimize legal risks while enabling you to maintain seamless cross-border data operations. When you partner with us, you can expect personalized attention, a deep understanding of data privacy best practices, and a clear path toward compliance.
Ready to take the next step? Contact By Design Law today to schedule a personalized consultation. Let us help you reduce uncertainty, build consumer trust, and fortify your international data transfer framework in this new era of data protection. Connect with us today by calling (206) 593-1519 or using our online scheduling tool.