Schrems II

What it means for U.S. organizations & how they handle European personal data

Steven Stein

Principal, Cyber Security Services, KPMG US

+1 312-665-3181

Orson Lucas

Principal, Advisory, Cyber Security Services, KPMG US

+1 704-502-1067

On July 16, 2020, the Court of Justice of the European Union (CJEU) concluded in its Schrems II decision that the EU-U.S. Privacy Shield framework was no longer a valid mechanism for European organizations to rely on when transferring personal data to US companies for processing. The Court held that, in light of US surveillance laws, the Privacy Shield framework cannot guarantee EU citizens the fundamental right to privacy and data protection.

Schrems II also added a burden on organizations that currently rely on Standard Contractual Clauses (SCC) to support data transfers from the EU by requiring personal data exporters to assess the impact of US national security laws on US data importers’ ability to respect Europeans’ privacy and data protection rights. The CJEU decision applies immediately and requires European data exporters and their recipients in the US to review and enhance their data protection practices relating to making personal data available to government national security and law enforcement agencies.

Many organizations are seeking legal opinions on the impact of this decision on their business practices. To best support their legal advisors in assessing this impact, US organizations expecting to use SCC to govern importation of personal data from Europe should assess and gain visibility into their personal data transfer practices.

At KPMG, we can help you perform a personal data transfer assessment (PDTA) through a series of steps that include:

  • Map export of European personal data to the US
  • Perform privacy impact assessments (PIA)
  • Consider necessity of cloud relocation