On 16 July 2020, after months of anticipation, the Court of Justice of the European Union (CJEU) delivered its decision in Schrems II. The eagerly-awaited ruling is the latest milestone in the tug-of-war launched by Austrian privacy advocate Max Schrems that was touched off by Edward Snowden’s revelations about the vast reach of the US surveillance apparatus.
The CJEU decision determined that the Privacy Shield framework is inadequate to provide EU-equivalent safeguards for personal information when it is transferred to the US; that EU citizens have no right of recourse in the US; that, while other data transfer mechanisms might still be valid, their validity must be determined on a case-by-case basis; and that data controllers must determine if the risk to personal information would be too great in the destination country. As well, national data protection authorities must ‘suspend or prohibit a transfer of personal data to a third country,’ if safeguards for personal information in the receiving country are less than essentially equivalent to the protections afforded under EU law.
The Schrems II decision also underscores the global reach of the GDPR, and the importance of “data importers” around the world understanding the positions that Data Protection Authorities have taken in light of the Schrems II decision.
Denmark — Data Protection Agency (Datatilsynet) — View Statement/Guidance
Estonia — Data Protection Inspectorate (Andmekaitse Inspektsioon) — View Statement/Guidance
European Commission — View Statement/Guidance
European Consumer Organisation’s (BEUC) — View Statement/Guidance
European Data Protection Board — View Statement/Guidance
European Data Protection Supervisor (Contrôleur européen de la protection des données) —View Statement/Guidance
Germany — German supervisory authorities (Datenschutzkonferenz) View Statement/Guidance
United States of America — Chairman of the U.S. Senate Committee on Commerce, Science, and Transportation — View Statement/Guidance