Data Protection
The future of data transfer rules in the aftermath of Schrems II
On 16th July 2020, in its landmark judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C- 311/18, Schrems II), the European Court of Justice (“ECJ”) invalidated the Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (“the Privacy Shield Decision”). As a result, thousands of companies can no longer rely on the Privacy Shield Decision as a legal basis for transferring personal data from the EU to the US. In its judgment, the ECJ also affirmed the validity of Standard Contractual Clauses (“SCCs”) as a data transfer mechanism for international data transfers, but with a few conditions: companies are required to assess the data importer’s ability to comply with the contractual arrangements embedded in SCCs and adduce «additional safeguards» where appropriate. The implications of the case are much wider than just the invalidation of the Privacy Shield Decision. The judgment has important implications on the other tools that compose the data transfer toolbox offered by the GDPR and has raised uncertainties on the future of international data transfer more broadly.