Schrems II: What is (or should be) on your to-do list for international data transfers?
Today, on 16 July 2020, the Court of Justice of the European Union (CJEU) handed down its Schrems II judgment invalidating the European Commission’s adequacy decision with respect to the EU-US Privacy Shield Framework, a little less than five years after doing the same with respect to the US Safe Harbour (Privacy Shield’s predecessor). At the same time, the CJEU confirmed the validity of the controller-to-processor “standard contractual clauses” (SCCs) decision by the European Commission (the reasoning appears to be also relevant for the “controller-to-controller” SCCs). This judgment is relevant for any organisation transferring personal data to organisations outside of the EU.
Pursuant to the General Data Protection Regulation (GDPR), personal data may in principle not be transferred (e.g. also giving access) to recipients outside of the EU, unless (i) the European Commission has determined through an ‘adequacy decision’ that the destination (non-EU) country offers an adequate level of data protection (Article 45 GDPR), which currently applies to the countries listed here,or (ii) appropriate safeguards are put in place (Article 46 GDPR), such as the SCCs (the most widely used data transfer tool).
Many other newsletters and posts over the coming days will describe the judgment in detail. For this reason, we have chosen to focus on the key practical implications for organisations.
What then is the practical outcome of this “Schrems II” judgment?