Schrems II: What is (or should be) on your to-do list for international data transfers?

Today, on 16 July 2020, the Court of Justice of the European Union (CJEU) handed down its Schrems II judgment invalidating the European Commission’s adequacy decision with respect to the EU-US Privacy Shield Framework, a little less than five years after doing the same with respect to the US Safe Harbour (Privacy Shield’s predecessor).

At the same time, the CJEU confirmed the validity of the controller-to-processor “standard contractual clauses” (SCCs) decision by the European Commission (the reasoning appears to be also relevant for the “controller-to-controller” SCCs). This judgment is relevant for any organisation transferring personal data to organisations outside of the EU.

Pursuant to the General Data Protection Regulation (GDPR), personal data may in principle not be transferred (e.g. also giving access) to recipients outside of the EU, unless (i) the European Commission has determined through an ‘adequacy decision’ that the destination (non-EU) country offers an adequate level of data protection (Article 45 GDPR), which currently applies to the countries listed here,or (ii) appropriate safeguards are put in place (Article 46 GDPR), such as the SCCs (the most widely used data transfer tool).

Many other newsletters and posts over the coming days will describe the judgment in detail. For this reason, we have chosen to focus on the key practical implications for organisations.

What then is the practical outcome of this “Schrems II” judgment?

Related articles

Counting down to DORA – governance of ICT risks and board member responsibility

ICT services: comparison of the ESMA and EBA outsourcing guidelines and DORA

DMA countdown - Perhaps the most important milestone: gatekeepers must ensure compliance

NautaDutilh IP team maintains strong standing in WTR 1000 2024

Counting down to DORA – Mapping and classification of ICT services

Privacy & data in the Benelux: five things you need to know in 2024

Benelux Competition Law in 2024: five things you need to know

Technology and the law in 2024: five things you need to know

Counting down to DORA – three key aspects

Strict liability regime in case of enforcement of invalid IP rights can be 'appropriate'

EU AI Act: three key insights on the world's first comprehensive AI law

The Chambers Technology & Outsourcing guide 2023

The Foreign Direct Investment Regimes Guide 2024

Life Sciences challenges and opportunities in Europe and the USA: key insights

Luxembourg FDI screening mechanism enters into force

A new era in patent litigation: five things to know about the start of the UPC

Update Luxembourg law on business licenses: three key insights

Third parties can intervene in BDPA proceedings and appeal its decisions

The law on the use of digital tools and processes in company law in force in Luxembourg

The competition dynamics in relation to cloud services

NautaDutilh assists founding shareholders of Route Mobile in selling majority stake to Proximus

Green light for EU-US Data Privacy Framework: a new era for transatlantic data flows

NautaDutilh named Benelux Trademark Firm of the Year at the 2023 Managing IP Awards

The law on the use of digital tools and processes in company law

Luxembourg: introduction of national FDI screening mechanism

Anke Holtland appointed to counsel Public Law

Upcoming EU legislation on artificial intelligence

NautaDutilh Luxembourg ranked in Chambers FinTech 2023

Best practices for drafting and updating data protection notices

EU Foreign Subsidies Regulation (FSR): five things you need to know

The EDPB provides for further guidance on the use of cloud solutions in line with the GDPR

Benelux Competition Law in 2023: five things you need to know

Dutch DPA letter to the government on PNR: enforcement threatens again with focus on proportionality

Data Protection in Belgium: the 2023 focus of the BDPA

The end-user and its avatar - data integrity risks and ethical challenges in the metaverse - Part one

NautaDutilh contributes to IAPP's Global Legislative Predictions 2023

Online platforms and search engines to publish average monthly active recipients (AMARs) in EU by 17 February 2023

Benelux Technology Law in 2023: five things you need to know

CJEU decision extending the scope of article 5(1) of the Damages Directive

UPC update: extension Sunrise Period, judicial appointments and more

GDPR & AML: no longer public access to UBO data without legitimate interest

A low degree of similarity?

No longer public access to UBO data without legitimate interest

DORA: the forthcoming EU legal framework on Digital Operational Resilience in the financial sector

Vincent Wellens on FATCA in the Paperjam

DORA the EU Regulation

NautaDutilh contributes to Technology Disputes Guide by Lexology

The Unified Patent Court: five things you need to know

Privacy and security concerns in the metaverse

Paying a tribute is not dishonest

VoetbalTV: Administrative fine permanently annulled without judgement on the 'pure commercial interest'

Luxembourg first member state to launch a certification mechanism under the GDPR

European Data Protection Board harmonises EU fining guidelines

New GDPR guidelines on fines on the way

Data protection impact assessments new EDPS recommendations

Heavy fines for Belgian airports for using thermal imaging cameras – what are the lessons for the other controllers?

Revamped CSSF outsourcing guidance for the financial sector

20 years of NautaDutilh Luxembourg

Public procurement in 2022: five things you need to know

NautaDutilh's Benelux IP-team stands out in WTR1000 2022

Our privacy experts Vincent Wellens and Yoann Le Bihan contribute to the IAPP’s Global Legislative Predictions 2022

Benelux Data Law: five things you need to know in 2023

Luxembourg IP & Technology Law: five things you need to know

Data Protection notices after the Whatsapp case: what's the message?

NautaDutilh Luxembourg ranked in Chambers FinTech 2022

The record fine for the Dutch Tax Administration from a legal perspective

Prohibition of online advertising in a list of e-mails or messages: a misstep by the CJEU?

Why all companies should care about the UN's cybersecurity & software update regulations: Lessons for all sectors

New rules on material IT outsourcing in the financial sector

NautaDutilh contributes to Technology Disputes Guide by Lexology

NautaDutilh assists SoftBank Vision Fund 2 with its Series C investment in Dutch scale-up SendCloud

NautaDutilh contributes to digitalization series by EACCNY

Long-awaited clarity on required safeguards for international data transfers

NautaDutilh's IP & Tech Law team recognised by Leaders League

Belgian DPA: fines prohibited in the absence of a prior order to comply?

The CNPD Publishes Several Decisions Following Investigations

Europe proposes first-ever statutory framework for AI

Insufficient cybersecurity measures under GDPR: 100k EUR fine in Belgium & key fines elsewhere

Regulatory changes in the audiovisual media sector