Schrems II Decision

On 16 July 2020, the Court of Justice of the European Union (CJEU) delivered a landmark decision on EU-US Privacy Shield, a mechanism governing personal data transfers from the EU to the US. The court ruled that this mechanism was invalid due to concerns about US government access to EU personal data.

Organizations that have relied on the EU-US Privacy Shield must now establish an alternative basis with sufficient privacy protections to be able to transfer personal data to the United States. The CJEU confirmed that this could be done with Standard Contractual Clauses (SCCs) which are contractual commitments between entities transferring personal data, requiring them to protect the privacy and security of such data.

The CJEU also made clear that, where SCCs are introduced, the circumstances of each data transfer must be considered on a case-by-case basis. This puts a renewed focus on the hosting and storage of EU citizens’ personal data. Either this means hosting in the EU where international transfers are not necessary, or using strong encryption to prevent access to personal data transferred outside of the EU.

This ruling does not affect Reward Gateway’s commitment to protecting privacy or our compliance practices. 

In accordance with the ruling, we have conducted these reviews, and where we have relied on the EU-US Privacy Shield, Reward Gateway is now using SCCs to establish necessary data protection. We have published an updated Privacy Notice and customer data protection terms to reflect these changes.

This work has allowed us to support continued flows of personal data from the European Economic Area, the UK, and Switzerland regardless of whether we are acting as a processor on behalf of our clients or taking on the obligations of a data controller.

What the ruling means for your other relationships

You should make sure that your providers offer SCCs for their data transfers and are not reliant on the EU-US Privacy Shield if they host data outside of the EU. If they are exporting/importing data to a non-EU country you should check what technical measures (strong encryption, tokenization etc.) they have in place to limit FISA warrants or other surveillance activities involving bulk data collection.

Reward Gateway continues to follow the changes in regulatory frameworks to maintain a high standard of privacy protection for all of our clients and their employees. We will make any necessary adjustments to our compliance practices and continue to safeguard personal data.