Privacy Shield was based on the European Commission’s position that the US legal system provides an adequate level of protection of personal data for EU citizens. The EU/US Privacy Shield Framework was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the EU to the United States.
With the Schrems II decision, the CJEU has ruled that the Commission's data protection adequacy finding for Privacy Shield is invalid, which will have a huge impact on companies that transfer personal data from an EU country to the US. The decision also impacts standard contractual clauses (SCCs): while they are still valid, companies must conduct case-by-case analyses to determine whether the protections in the destination country regarding government access to the data transferred meet EU standards. Schrems II is the sequel to 2015's Schrems I, which invalidated the Safe Harbour Framework.
This important and long-awaited judgement is of strong interest to many of our members, including several on Beltug's Privacy Council. They therefore met virtually to discuss the issues around SCCs, the definition of ‘adequate’ protection, supply chain identification, Article 49 of the GDPR, and Transfer Impact Assessments.
Among other things, they concluded that Schrems II is unlikely to be the last episode in the saga of international data transfers. While it invalidates the Privacy Shield, it does not invalidate Standard Contractual Clauses (SCCs) – but it does raise many questions regarding them. SCCs should be ‘handled with care’, not only with respect to transfers to the US, and should be preceded by a Transfer Impact Assessment assessing the adequacy of the destination country’s level of protection.
Beltug has put together a Paper for our members (available after log-on) with highlights of the discussions on the above topics and more, and the conclusions from the participating members of the Privacy Council. We will continue to follow up on developments, primarily through the Privacy Council, and will keep our members informed. We will be looking for opportunities for joint initiatives, so that our members do not need to find solutions individually and alone.
The Beltug Team