Privacy shield ruled invalid - Schrems II Update Cabinet De Backer & DPA


On 16 July 2020, the Court of Justice of the European Union (CJEU) ruled the Privacy Shield invalid in a landmark decision now dubbed Schrems II.



Beltug’s Privacy Council takeaways and Beltug Paper


Privacy Shield is ruled invalid


Privacy Shield was based on the European Commission’s position that the US legal system provides an adequate level of protection of personal data for EU citizens. The EU/US Privacy Shield Framework was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU to the United States.


With the Schrems II decision, the CJEU has ruled that the Commission's data protection adequacy finding for Privacy Shield is invalid, which will have a huge impact on companies that transfer personal data from an EU country to the US. The decision also impacts standard contractual clauses (SCCs): while they are still valid, companies must conduct case-by-case analyses to determine whether the protections in the destination country regarding government access to the data transferred meet EU standards. Schrems II is the sequel to 2015's Schrems I, which invalidated the Safe Harbour Framework.


The impact for international data transfers and SCCs


This important and long-awaited judgement is of strong interest to many of our members, including several on Beltug's Privacy Council. They therefore met virtually to discuss the issues around SCCs, the definition of ‘adequate’ protection, supply chain identification, Article 49 of the GDPR, and Transfer Impact Assessments.


Among other things, they concluded that Schrems II is unlikely to be the last episode in the saga of international data transfers. While it invalidates the Privacy Shield, it does not invalidate Standard Contractual Clauses (SCCs) – but it does raise many questions regarding them. SCCs should be ‘handled with care’, not only with respect to transfers to the US, and should be preceded by a Transfer Impact Assessment assessing the adequacy of the destination country’s level of protection.


Beltug has put together a Paper for our members (available after log-on) with highlights of the discussions on the above topics and more, and the conclusions from the participating members of the Privacy Council. We will continue to follow up on developments, primarily through the Privacy Council, and will keep our members informed. We will be looking for opportunities for joint initiatives, so that our members do not need to find solutions individually and alone.



Beltug meets with Cabinet De Backer and DPA: Brexit and Schrems II


Beltug was invited to meet the Cabinet De Backer and the Data Protection Authority, and discussed several important issues. In summary:



Brexit

  • The transition period ends 31 December 2020. The UK wants to conclude negotiations by 15 October to avoid a no-deal situation. It needs the remaining time to draft the implementation legislation.
  • Data transfers
    • An adequacy decision would be the most favourable option. The Federal administration presumes that such a decision is ready for publication, but this is still to be confirmed.
    • Without an adequacy decision, companies will need to consider Standard Contractual Clauses (SCCs) or Binding Corporate Rules.


Schrems II

  • The Belgian government and DPA prefer a pragmatic approach, rather than bluntly stopping data transfers. In line with the decision of the Court of Justice of the European Union, they are starting from the SCCs, which they still consider a valid and viable option. The Belgian DPA is convinced that the current legal framework offers everything necessary to solve this issue.
    • The DPA acknowledges that it is difficult for controllers to make an adequacy assessment themselves. Shifting responsibility for this assessment from the European Commission to the controller is only a hypothetical, not a realistic, option.
      • ‘Inadequacy’ decisions are not considered; the system only accounts for adequacy decisions.
    • Within the European Data Protection Board, a task force (of which the DPA is a member) is currently working on the additional measures to complement SCCs. The task force already has a clear idea of the direction in which it wishes to take this:
      • Data minimisation will feature prominently. The underlying message is: ‘Start from the basics of data protection law’.
      • Contractual measures:
        • Notification of data disclosure (sometimes prohibited by law)
        • Mandatory legal recourse against a data disclosure request by the data recipient (whether controller or processor)
      • Technical measures
        • Anonymisation
        • (Reliable) Encryption
        • Pseudonymisation
    • The DPA is also available for prior consultations on Data Protection Impact Assessments; here, they could be of assistance to controllers as well.
    • The nature of the data processing operation will determine the necessary additional means. Storage of data will be considered differently from advanced data analytics. The DPA highlighted the principle of the risk-based approach of the GDPR.
  • Negotiations are ongoing regarding the successor to Privacy Shield. The upcoming presidential elections in the USA complicate this process, and make for an uncertain outcome.




