Today, on 16 July 2020, the Court of Justice of the European Union (CJEU) handed down its Schrems II judgment invalidating the European Commission’s adequacy decision with respect to the EU-US Privacy Shield Framework, a little less than five years after doing the same with respect to the US Safe Harbour (Privacy Shield’s predecessor).

At the same time, the CJEU confirmed the validity of the controller-to-processor “standard contractual clauses” (SCCs) decision by the European Commission (the reasoning appears to be also relevant for the “controller-to-controller” SCCs). This judgment is relevant for any organisation transferring personal data to organisations outside of the EU. 

Pursuant to the General Data Protection Regulation (GDPR), personal data may in principle not be transferred (e.g. also giving access) to recipients outside of the EU, unless (i) the European Commission has determined through an ‘adequacy decision’ that the destination (non-EU) country offers an adequate level of data protection (Article 45 GDPR), which currently applies to the countries listed here,or (ii) appropriate safeguards are put in place (Article 46 GDPR), such as the SCCs (the most widely used data transfer tool).

Many other newsletters and posts over the coming days will describe the judgment in detail. For this reason, we have chosen to focus on the key practical implications for organisations.

What then is the practical outcome of this “Schrems II” judgment?

Related articles

Cookie notification

This functionality uses third-party cookies. Change your cookie preferences to view this content or view more information.
These cookies ensure that the website works properly. These cookies cannot be disabled.
These cookies can be placed by third parties, such as YouTube or Vimeo.
By deactivating categories, it is possible that related functionalities within the website may no longer work properly. It is always possible to change your preferences at a later time. View more information.