New ruling affects international transfer of personal data (“Schrems II”)

24 August 2020

On 16 July 2020, the Court of Justice of the EU (“CJEU”) issued its decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”).

In its decision, the CJEU ruled that the Privacy Shield framework between the EU and the US does not provide adequate and sufficient protection for personal data when transferred to the US, thereby invalidating Commission Decision 2016/1250, which served as the legal basis of Privacy Shield. In short, this decision means that personal data controllers in the EU are no longer allowed to transfer personal data to recipients in the US on the basis of the Privacy Shield framework. On the other hand, the Court held that the Commission’s decision on standard contractual clauses, SCC’s (Commission Decision 2010/87/EU, amended by Commission Decision 2016/2297) is still valid and that such clauses may be used for transfers to countries outside the EU and the EEA – where applicable – provided that necessary additional safeguard measures are taken.

The implications of the Schrems II judgment goes well beyond regulation of data transfers to the US and will affect all data transfers to Third countries. Data controllers will need to conduct a comprehensive examination of the circumstances surrounding each transfer and the adequacy of protection in the country to which the controller intends to transfer data. The parties processing the data will also have to be closely scrutinized. The responsibilities that the CJEU puts on data controllers to carefully investigate the level of protection will make transfers to countries with lacking or less transparent legislation in the relevant areas difficult, or in some cases even impossible.

At Zacco, we can advise on both legal and technical aspects of these and other GDPR-related matters, making sure that your handling of personal data complies with all relevant regulations.