Summary of the Frequently Asked Questions on the judgment of the Court of Justice of the European Union in the Schrems 2 Case

25/07/2020

The European Data Protection Board (EDPB) has issued answers to the questions it has received from the EU data protection authorities (DPAs) about the Schrems 2 case. In essence, the EDPB follows the position of the CJEU. If you are still unclear about what to do in the days after the Court of Justice of the European Union (CJEU) decision, this short summary of the FAQs can help:


a) The Privacy Shield has been invalidated with immediate effect. That means that there is no grace period during which organizations may transfer personal data relying on the Privacy Shield.


b) The CJEU’s position is that, because of the surveillance programmes under the US Foreign Intelligence Surveillance Act and Executive Order 12333, an equivalent level of protection cannot be ensured. However, organizations are free to assess whether transfers on the basis of the Standard Contractual Clauses (SCCs) can still be used. They would have to ensure that US laws do not impinge on the adequate level of protection guaranteed by the SCCs.


c) The same as above applies to Binding Corporate Rules (BCRs).


d) Organizations may rely on the Article 49 GDPR derogations if all the conditions are met. See the EDPB’s guidelines on derogations.


e) For transfers to the US: if appropriate safeguards cannot be ensured, transfers should stop. Organizations which continue to transfer personal data to the US despite the fact that an adequate level of protection cannot be ensured must notify the competent DPA. See point g) for more details.


f) For transfers to other third countries, an assessment of whether the level of protection required under EU law is respected in the third country must be conducted. If the level of protection guaranteed under the SCCs and BCRs cannot be met, organizations should cease the transfers. For more details on assessing whether individuals can be afforded the same level of protection as they would enjoy in the EU, see point g). If organizations continue transferring personal data even though an adequate level of protection cannot be guaranteed, they must notify the competent DPA.


g) Organizations should assess each transfer on a case-by-case basis to determine whether it meets the requirements of the CJEU decision. The CJEU has mentioned that supplementary measures could be taken in addition to SCCs and BCRs to ensure an adequate level of protection in the US or the third country. The EDPB is currently analyzing what supplementary measures organizations could take.


h) Check your data flows. Review your contracts to determine whether personal data flows to the US or other third countries (pay attention to subsequent transfers, i.e. whether your processors are using sub-processors in the US or third countries, or whether the data may be accessed from those countries for administration purposes). If personal data flows to the US or to another third country, and in either case no supplementary measure can be applied to ensure the adequate level of protection guaranteed by the SCCs and BCRs, and you cannot rely on derogations, these contracts would have to be amended to ensure that data flows only to countries which meet the requirements set out above, or the personal data should not be transferred out of the European Economic Area (EEA).


As this is a short summary, please read the EDPB FAQ for more details and clarifications.


Written by

Stevan Stanojevic


These are personal views of the author and do not constitute legal advice.