FAQs on the Schrems II CJEU judgement
In its ruling dated 16th July 2020 (C-311/18, Schrems II), the CJEU invalidated the adequacy of the EU-US Privacy Shield. This was the basis of transfers of personal data by controllers in the EU (data exporters) to companies in the US (data importers). This means that such transfers can no longer be possible under this adequacy framework,
Furthermore, the Court examined the validity of the European Commission's Decision 2010/87/EC on Standard Contractual Clauses and considred it as valid. Having said that, the Court pointed out that such decision imposes an obligation on the data exporter and the recipient to verify, prior to any transfer, and taking into account the cirucmstances of the transfer, whether the level of protection is essentially equivalent to that provided under EU law. In those circumstances where the data imported is not able to comply with the standard contractual requirements, and where necessary with any additional or supplementary measures imposed by the data exporter, it shall be the responsibiity of the exporter to suspend/terminate the transfer of personal data.
Following a preliminary evaluation of the judgment, the EDPB adopted FAQs intended to provide the necessary guidance to controllers. You may access the document by accessing this hyperlink.
Article by Lucas Cortizo, on 30th July 2020