Five Steps to Take After the Schrems II Decision
On July 16, 2020, the Court of Justice of the European Union (CJEU) has invalidated the Privacy Shield Framework with immediate effect and strengthen the requirements for organizations relying on Commission’s Decision 2010/87/EU on controller to processor Standard Contractual Clauses (SCCs) for transfers of personal data to third countries. In the same decision the CJEU took the view that SCCs are still valid. However, the CJEU has stated that individuals whose personal data is transferred to a third country pursuant to SCCs, must enjoy the same level of protection as they would under the privacy laws of the European Union (EU). What should organizations do in the light of the CJEU ruling?