February 5, 2023

Volume XIII, Number 36

Error message

  • Warning: Undefined variable $settings in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).
  • Warning: Trying to access array offset on value of type null in include_once() (line 135 of /var/www/html/docroot/sites/default/settings.php).

February 03, 2023

Subscribe to Latest Legal News and Analysis

February 02, 2023

Subscribe to Latest Legal News and Analysis

Schrems II Fallout Continued: Can Companies Rely on Consent?

The EDPB has provided input about consent in its recent FAQs responding to the Schrems II invalidation of Privacy Shield. As we wrote about previously in this series, Schrems II impacted how companies transfer data from the EU to the U.S..  As background, under GDPR, consent from the individual can be relied on to transfer information from the EU to an entity outside of the EU’s borders if three conditions exist. The EDPB reminded companies of these three conditions in its FAQs, drawing on prior guidance about consent:

  1. The consent is explicit.

  2. The consent is specific to a specific data transfer or set of transfers.

  3. The consent is informed, including informing the individual about the risks to their information if it is sent outside of the EU’s borders.

What does this mean for companies in practice? This decision is a reminder of takeaways from EDPB’s prior guidance: consents are difficult to rely on when addressing large volumes of data transfers. As a result, companies will likely need to continue to use Standard Contractual Clauses, albeit with the additional review that we discussed in our prior article in this series.

Why the difficulty with consent? For transfers made because they are necessary for a contract between the company and the individual, the EDPB’s original guidance explained that consent works if the transfer is “occasional,” something the EDPB acknowledges is a case-by-case issue. A transfer made by a travel agency to a hotel was an example of an acceptable necessary transfer made based on consent given in the prior guidance. With respect to occasional transfers, two examples were given in the prior guidance. First, transferring the personal details of a sales manager who travels to third countries to his or her clients in those third countries in order to arrange meetings with the sales manager and clients. Second, transferring personal information to a bank in a country outside of the EU in order to make a payment that the bank client requests be made. In sum, the EDPB guidance makes clear that consent cannot always be used.

Putting it Into Practice: Since the advent of GDPR, it has become harder to rely on consent as a basis for mass transfers of data out of the EU. While in some circumstances consent may be viable, it will likely not be the “magic bullet” to solving Schrems II, and instead companies will likely need to rely on an “SCC plus” model.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 212

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and...