What Schrems II Means for Third-Party Risk and Vendor Management
On July 16, the Court of Justice of the European Union (CJEU) issued its decision in the Schrems II case, invalidating the EU-US Privacy Shield as a lawful mechanism to transfer personal data from the EU to the U.S. under the General Data Protection Regulation. The Privacy Shield was the successor to the U.S.-EU Safe Harbor Framework, which was invalidated by the Court in the first Schrems case back in 2015.
According to the Privacy Shield website, “The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.”
Although the Privacy Shield is no longer a lawful transfer mechanism, Standard Contractual Clauses (SCCs) remain a valid one. However, organizations relying, or intending to rely, on SCCs to transfer personal data from the EU to third countries face legal uncertainty. According to the CJEU’s decision, they must now assess the law of the destination country to ensure that it provides a level of data protection adequate to that in the EU. If it does not, they will need to implement additional safeguards. And if that is not feasible, they will have to suspend or end the transfer; otherwise, they may be liable for damages.
Many cross-border data transfers involve third parties, and many of these third parties process data in the U.S. As a result, the invalidation of Privacy Shield will have far-reaching impact on third-party risk management (TPRM) programs.
So, if Privacy Shield is no longer valid, how can organizations that work with third parties transfer personal data from the EU to the U.S.?
Much is still uncertain as the decision was made only one day ago. Still, some considerations for your TPRM program include:
- Build your vendor inventory to understand which third parties you work with and where they’re located in the world
- Outline all business processes that involve third parties (Hint: Leverage your privacy team’s Art. 30 records of processing activities)
- Begin updating contracts that name Privacy Shield as the cross-border data transfer mechanism (companies transferring EU citizens’ personal data should consider turning to binding corporate rules, or relying on a derogation such as data subjects’ explicit consent or contractual necessity, as the primary cross-border data transfer mechanism)
- Consider the EU-hosting options available today that offer a containerized EU solution in response to the Schrems II decision
- Begin incorporating specific questions in vendor risk assessments relevant to Privacy Shield invalidation
Want to learn how OneTrust Vendorpedia can help you navigate the third-party concerns relating to the Privacy Shield invalidation? Start an extended free trial and claim 10 free, completed vendor risk assessments based on common industry standards, including ISO 27701, ISO 27001, SIG Lite, SIG Core, NIST 800-53, and more.