The Court of Justice of the European Union (“CJEU”)has handed down its judgment on a case brought by privacy rights activist Max Schrems (“Schrems II”).1 The case concerned the transfer of personal data to recipients in the United States via the EU Commission standard contractual clauses (“SCCs”) and questioned the validity of the EU–U.S. Privacy Shield (“Privacy Shield”). The ruling affects not just transfers of personal data from the EU to the United States but also applies to all transfers of personal data from the EU to countries outside the EEA.
In summary, the CJEU has:
- Invalidated the use of the Privacy Shield as an adequate safeguard when transferring personal data outside the EEA to the United States – primarily due to potential unrestricted U.S. government access.
- Found the SCCs to be an adequate safeguard when transferring personal data outside the EEA to third parties. However, depending on the prevailing position in a particular third country, the adoption of supplementary contractual provisions by the controller to ensure compliance with that level of protection afforded in the SCCs may be required.
To conclude, all data transfers from the EEA to countries outside the EEA will have to be assessed on a caseby- case basis to determine whether additional clauses, in addition to those afforded under the SCCs or even under binding corporate rules, have to be implemented by organizations. It is expected that EU data protection authorities will grant more guidance regarding specific countries.
To read the full article, please download the PDF below.
- C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems, available at http://curia.europa.eu/. CJEU’s press release is available at https://curia.europa.eu/.