On 16 July 2020, after months of anticipation, the Court of Justice of the European Union (CJEU) delivered its decision in Schrems II. The eagerly-awaited ruling is the latest milestone in the tug-of-war launched by Austrian privacy advocate Max Schrems that was touched off by Edward Snowden’s revelations about the vast reach of the US surveillance apparatus.
The CJEU decision determined that the Privacy Shield framework is inadequate to provide EU-equivalent safeguards for personal information when it is transferred to the US; that EU citizens have no right of recourse in the US; that, while other data transfer mechanisms might still be valid, their validity must be determined on a case-by-case basis; and that data controllers must determine if the risk to personal information would be too great in the destination country. As well, national data protection authorities must ‘suspend or prohibit a transfer of personal data to a third country,’ if safeguards for personal information in the receiving country are less than essentially equivalent to the protections afforded under EU law.
The Schrems II decision also underscores the global reach of the GDPR, and the importance of “data importers” around the world understanding the positions that Data Protection Authorities have taken in light of the Schrems II decision.
Croatia — Data Protection Agency — View Statement/Guidance
Cyprus — Personal Data Protection Commissioner — View Statement/Guidance
Czech Republic — Office for Personal Data Protection (Urad Pro Ochranu Osobnich Udaju) — View Statement/Guidance
Denmark — Data Protection Agency (Datatilsynet) — View Statement/Guidance
Estonia — Data Protection Inspectorate (Andmekaitse Inspektsioon) — View Statement/Guidance
European Commission — View Statement/Guidance
European Consumer Organisation’s (BEUC) — View Statement/Guidance
European Data Protection Board — View Statement/Guidance
European Data Protection Supervisor (Contrôleur européen de la protection des données) —View Statement/Guidance
Finland — Data Protection Ombudsman (Tietosuojavaltuutetun Toimisto) — View Statement/Guidance
France — National Commission for Informatics and Liberties (Commission Nationale de l’Informatique et des Libertés) — View Statement/Guidance
Germany — German supervisory authorities (Datenschutzkonferenz) View Statement/Guidance
Germany — Berlin: Data Protection and Freedom of Information Commissioner (Beauftragter für Datenschutz und Informationsfreiheit) — View Statement/Guidance
Germany — Hamburg: Data Protection Commissioner (Hamburgischer Datenschutzbeauftragter) — View Statement/Guidance
Germany — Rhineland Palatinate: Data Protection Commissioner (Landesbeauaftragte für den Datenschutz Rheinland-Pfalz) — View Statement/Guidance, View FAQ
Germany — Thuringer: Data Protection Commissioner (Thüringer Landesbeauftragte für den Datenschutz) — View Statement/Guidance
Guernsey — Office of the Data Protection Authority — View Statement/Guidance
Iceland — Data Protection Authority — View Statement/Guidance
Ireland — Data Protection Commissioner (An Coimisinéir Cosanta Sonraí)— View Statement/Guidance
Latvia — State Data Inspectorate (Datu Valsts Inspekcija)— View Statement/Guidance
Liechtenstein — Data Protection Commissioner — View Statement/Guidance
Lithuania — State Data Protection Inspectorate (Valstybine Duomenu Apsaugos Inspekcija)— View Statement/Guidance
Luxembourg — National Data Protection Commission (Commission nationale pour la protection des données)— View Statement/Guidance
Netherlands —Autoriteit Persoonsgegevens— View Statement/Guidance
Norway — Data Inspectorate (Datatilsynet) — View Statement/Guidance
Poland — Bureau of the Inspector General for the Protection of Personal Data – GIODO— View Statement/Guidance
Romania —National Supervisory Authority for Personal Data Processing— View Statement/Guidance
Slovakia — Office for Personal Data Protection of the Slovak Republic— View Statement/Guidance
Slovenia — Information Commissioner— View Statement/Guidance
Spain — Data Protection Commissioner (Agencia de Protección de Datós)— View Statement/Guidance
Switzerland — Federal Data Protection and Information Commissioner (Préposé féderal à la protection des données et à la transparence) — View Statement/Guidance
United Kingdom — Information Commissioner’s Office—View Statement/Guidance
United Kingdom Government — View Statement/Guidance
United States of America — U.S. Secretary of Commerce — View Statement/Guidance — FAQs on Swiss-U.S. Privacy Shield
United States of America — Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation — View Statement/Guidance
