This FAQ deals with frequently asked questions regarding international data transfers following the recent ruling of the European Court of Justice in a case involving data transfers from the EU to the US (so-called “Schrems II” judgement). In its judgement, the court (i) invalidated the Commission Decision 2016/1250 that was the legal basis of the EU-US Privacy Shield which served as one possible data transfer mechanism for the legally-compliant transfer of personal data from the EU to the USA; (ii) affirmed the validity of the standard contractual clauses (SCCs), which serve as another means for data transfers to the USA (and other countries); and (iii) made some further general statements on requirements for international data transfers.
With our answers to the below frequently asked questions (FAQs), we would like to clarify the impact of this judgement on international data transfers from the EU and on your relationship with Nuance. In result, the Schrems II judgement does not hinder you to continue using Nuance products and services.
Q1: What is the Schrems II judgement?
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued a judgement in a dispute between the Irish Data Protection Commissioner, Facebook Ireland Limited and the Facebook user Maximillian Schrems regarding international data transfers of Facebook (so-called “Schrems II” judgement). The decisions made by the CJEU in the judgement are not limited to Facebook; the decision is potentially relevant for every international organisation or company, and therefore has gained a lot of attention.
Schrems II is a companion to the CJEU’s October 2015 ruling in a related dispute on data transfers of Facebook between Maximillian Schrems and the Irish Data Protection Commissioner (“Schrems I”). By way of context, EU privacy law restricts the movement of its citizens’ data outside of the EU unless transferred with “adequate” privacy protections. In July 2000, the European Commission decided that US companies could self-certify with seven data protection principles, the "Safe Harbour Decision", which would allow the free flow of data between the EU and US. In Schrems I, the CJEU invalidated the EU-US agreement on Safe Harbour as a means under which EU entities were able to transfer data to the US. After the invalidation of Safe Harbour, the EU and the US entered into a new arrangement with a focus on data subject rights to serve as the needed adequacy measure to allow data transfers between the EU and the US, the so-called “Privacy Shield”, which was the subject of the Schrems II ruling.
In the background of the Schrems II judgement is the EU General Data Protection Regulation (“GDPR”), the law governing data processing in the EU. Under the GDPR, personal data (meaning data relating to individuals) may flow without national boundaries among the Member States of the European Union and the European Economic Area. Personal data may also flow “freely” to countries outside the EU and the EEA where the EU has evaluated and determined that the data protection regime in those countries is “adequate”, meaning similar to the EU. The EU has undertaken such evaluation and determination only for very few countries, for example Switzerland and Japan. If data is transferred to countries which have not (yet) been determined as “adequate” by the EU, additional means are required to allow a transfer of personal data to such country. Until the judgement in Schrems II, the United States was considered an adequate jurisdiction for those companies which had been certified by Privacy Shield and adhered to its rules. In addition to adequacy determinations by the EU Commission, GDPR provides for other transfer mechanisms including standard contractual clauses, binding corporate rules, certifications, codes of conduct and statutory exceptions.
With its Schrems II judgement, the CJEU invalidated use of the EU-US Privacy Shield as justification for transfers to the US, but the use of other means remains valid. In particular, the EU decisions on Standard Contractual Clauses remain valid, and the CJEU confirmed that SCCs may still serve as a basis for international data transfers. Nuance uses SCCs; international data transfers from you to Nuance or from Nuance to other parties are therefore still possible.
In the ruling, the CJEU also provided some more general statements on international data transfers, to the US and other countries. The CJEU did not prohibit such international transfers but did require that the companies undertake further analysis and potentially implement further measures in context of international data transfers. Nuance is doing this with a thorough evaluation.
Q2: Does the judgement prevent your use of Nuance products and services?
No, it does not. Nuance technology can continue to be used in compliance with European law. The Schrems II judgement does not legally limit or impede your use of Nuance products and/or services.
Nuance had been using Privacy Shield as a mechanism for transfers of EU personal data for processing in the USA, but the Privacy Shield has been invalidated by the judgement. However, Nuance also has Standard Contractual Clauses in place which are another and sufficient means for transfers of EU personal data. SCCs remain valid under the judgement (see Q1 for details).
Along with over 5,300 organizations that collectively have been using Privacy Shield to legally process the data of millions of European data subjects, Nuance relied on the agreement between the EU and the US on Privacy Shield. Nevertheless, reflecting wishes of some customers and in light of the upcoming judgement on Privacy Shield, Nuance has already put in place means to enable data transfers to the US in addition to Privacy Shield, namely SCCs.
In its Schrems II judgement, the CJEU also raised some general concerns regarding transfers of personal data to the US and other countries which it considers not to have data protection laws in place which are similar to those in the EU. However, the CJEU has not prohibited data transfers to the US or any other countries. It requires companies to more carefully evaluate whether and under which circumstances personal data can be transferred internationally, including evaluating whether additional means of protection can be taken (such as a stronger encryption).
The protection of the personal data of its customers, business partners and employees has always been essential to Nuance. For example, Nuance applies strict contractual and organisational safeguards, technical measures such as robust encryption; and many of its products can be used in a manner not involving personal identification of individuals at all. Nuance is now carefully evaluating whether it can apply even more or alternative protection measures following the Schrems II judgement. Industry and data protection authorities agree that international business can and must continue to function. In particularly sensitive sectors such as healthcare or financial services, the exchange of data is essential. Nuance will ensure that, also following Schrems II, its customers can continue to enjoy the high level of products and services offered by Nuance in the past, while complying with the applicable data protection laws.
Q3: Does the Schrems II judgement impact how Nuance processes my personal data?
There is no immediate impact of the judgement on Nuance products and services (see Q2). The judgement invalidated the EU-US Privacy Shield, but other means used by Nuance (such as Standard Contractual Clauses) remain valid.
To take account of the ruling, Nuance is however reviewing whether it can further improve the protection of the personal data of its customers, business partners and employees. Nuance is also actively monitoring the current developments and is monitoring the future guidance from the local EU data protection authorities regarding potential further safeguards.
Q4: Is my personal data being transferred outside of the EU?
This depends on the services. Many Nuance services can be used in a manner that no personal data or no personal identifiers are transferred outside the EU at all. For certain services and under certain circumstances, personal data is transferred outside of the EU. However, this is undertaken in line with best practices and European laws.
Personal data of EU, EEA, UK and Swiss-based customers is stored in the EU and UK on secure servers. Access from outside the EU, EEA, UK and Switzerland only happens for certain services and only under limited circumstances legitimate under the GDPR and European law. Such transfers are legally based on means which have not been invalidated by the Schrems II judgement and can therefore still be used (see Q1 and Q2 for details).
Q5: Will Nuance still be able to transfer personal data between the EU and the USA?
Yes. Data transfers will still be permitted.
Under EU data protection law, transfers of personal data from the EU to inadequate jurisdictions, called “third countries” must have an adequacy mechanism in place. Until this judgement, the United States was considered an adequate jurisdiction for data transfers as long as the company was certified under the EU-US Privacy Shield. With this decision, Nuance is using other adequacy mechanisms so that data transfers can continue, as explained in more detail above (see Q1 and Q2).
Q6: What is Nuance doing to protect my personal data?
Nuance takes the protection of personal data and the IT security of our products and services very seriously and are constantly and proactively working to improve them.
Personal data of our customers and other personal data processed by Nuance are protected worldwide in accordance with the applicable data protection laws, including the GDPR. In this connection, Nuance in particular undertakes:
Q7: Will Schrems II affect data transfers from the UK to the US?
The UK’s data protection authority (“ICO”) is currently reviewing its guidance on Privacy Shield and SCCs. The UK ICO has instructed companies that are currently using Privacy Shield to continue such use until the ICO provides further guidance. However, even if the UK invalidates the Privacy Shield, Nuance products and services can still be used in the UK based on other means, just as in the EU (see Q1 and Q2 for details).