Schrems II in Proteus® NextGen Summary


As a result of The Court of Justice of the European Union decision on 16th July 2020 (case C-311/18), the previously much relied on EU-U.S. Privacy Shield is no longer a valid adequacy instrument to enable personal data transfers from the EU to the U.S. because U.S. state surveillance powers are excessive. Relationships where third parties export personal data should be reviewed on a case-by-case basis by undertaking Transfer Impact Assessments (TIAs) and then additional measures, likely to include revised Standard Contractual Clauses (SSCs), should be introduced.

Proteus® NextGen Data Privacy™ is able to make this task easy for you. Automated workflow ensures that case-by-case TIAs are conducted and risk assessed. Suitable SCCs are then produced for electronic (or manual if you prefer) signoff. This is achieved either as part of a complete data privacy program or as a stand-alone Schrems II exercise.


Implications of the judgement

There are some practical points that arise from this judgment:

  • The EU-U.S. Privacy Shield may no longer be relied upon as the basis for transfer of personal data from the EU to the US. New solutions are required, which will likely include putting SCCs in place.
  • SCCs remain valid; however, the underlying transfer must be assessed on a case-by-case basis to determine whether the personal data will be adequately protected (e.g. from potential access by law enforcement or national security agencies). This assessment is becoming known as a Transfer Impact Assessment (TIA) and, unless automated, will be burdensome for small organisations and large ones making hundreds/thousands of transfers.
  • The EU Commission is expected to issue updated SCCs to incorporate the TIAs. These will be incorporated into Proteus NextGen as soon as they are available ensuring the earliest possible compliance for organisations that have completed the TIAs.
  • The UK’s position following the Brexit transition period will potentially become more complex as the adequacy findings may result in EU businesses having to consider the effect of the UK government’s surveillance powers (e.g. Investigatory Powers Act 2016). Note all Proteus NextGen data is hosted on servers based in the EU.

The TIA should cover:

  • The data exporter must verify “on a case-by-case basis” what protections apply
  • What personal data is being transferred? How sensitive is it? How much is in the public domain?
  • Where did that personal data originate?
  • What technical measures are used to protect that data? For example, where customer managed encryption keys are used, the ability of third country authorities to access that data will necessarily be limited.
  • What national laws apply in that jurisdiction? How are they exercised in practice? How likely are they to be exercised in relation to the particular personal data transfer?

Automatic Schrems II contracts

Schrems II in Proteus® NextGen


Transfer Impact Assessments (TIAs)

Schrems II in Proteus® NextGen

How Proteus® NextGen can help automate Schrems II

Proteus NextGen is enterprise software that already audits third parties for everything required by the new TIAs, thereby providing the case-by-case assessment required by the Schrems II ruling.

Hosted in the EU as a SaaS platform, systems can be provisioned within half a day if required. Import your third-party vendor list. Issue the preconfigured surveys which incorporate a full TIA. These are automatically risk assessed to enable easy prioritization of activity. Existing SCCs will be updated to incorporate the latest SCCs as soon as the EU Commission issues them. Automated sign off completes the process. Easy ongoing review for subsequent years. It couldn't be easier!