The Schrems case is called Schrems II because it revisits the arguments presented in an earlier case brought by Mr Schrems. In the 2015 case the validity of Safe Harbor (the forerunner of Privacy Shield) was challenged and found to be wanting. Overnight, organisations transferring personal data to transferees in the US found that their lawful authority to make those transfers was gone.
Schrems II rehearses the same arguments in relation to Privacy Shield, as regulators have known since the case was brought. Nevertheless, as with the decision in the first Schrems case, it is an unexpected outcome. A senior legal adviser to the EU gave a view towards the end of 2019 that Privacy Shield provided adequate protection. His view has been overruled by the Court.
When the deemed protection of Safe Harbor was removed in November 2015, the ICO position was that organisations would need to put other measures in place to ensure that personal data transfers to organisations in the US were lawful, but that a short period of grace would be allowed. It is likely that this will happen again now. It seems fair that if the regulators have relied on the Attorney General’s view, organisations should also be able to do so.
So, yes, UK organisations can no longer rely on Privacy Shield to legitimise transfers of personal data to the US, but there should be a short period of grace in which to put alternative measures in place. Putting in place Standard Contractual Clauses (“Model Clauses” in old money) is a good alternative where possible. It is noted that many large US corporations providing software and data hosting facilities cite Privacy Shield as the data transfer mechanism in their standard online terms. In practice these terms are non-negotiable. Individual organisations will not be able to put in place separate contracts with these US corporations until the corporations themselves alter their Terms and Conditions and offer a facility to enter into specific contracts. The terms will probably still be non-negotiable!
The Schrems II ruling also added some interpretation of how the Standard Contractual Clauses should be used. The ruling highlighted the continuing obligation on organisations to ensure that there is adequate protection for the rights and freedoms of data subjects even where SCCs are in place. So organisations need to consider the risk of SCCs either not being followed or being overridden by local legal systems (think of Hong Kong as a potential example) and keep that risk under review. Even where there is very low or no risk at all, regular reviews are now required.
As with everything data protection since GDPR, keep a record of those checks!