Beruflich Dokumente
Kultur Dokumente
5 Minutes Insight
July 2020
Schrems II Judgment | Invalidity of Privacy Shield
The current judgment has its roots in 2013, when Maximillian Schrems originally brought a complaint before
the Irish Data Protection Commissioner claiming that personal data transfers under the EU-US Safe Harbor
Programme were unsafe
BACKGROUND
2008 … 2012 2013 2014 2015 2016 2017 2018 2019 2020
SCHREMS II DECISION
Main Reasons
• CJEU found that U.S. surveillance programs are not limited to what is strictly necessary and proportional as required by EU law and hence do not
meet the requirements of Article 52 of the EU Charter on Fundamental Rights.
Privacy Shield
• Furthermore, the court determined that, with regard to U.S. surveillance, EU data subjects lack actionable judicial redress and, therefore, do not
have a right to an effective remedy in the US, as required by Article 47 of the EU Charter.
• The CJEU reaffirmed the validity of SCCs but stated that organisations must verify, on a case-by-case basis, whether the law in the recipient
country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, that organisations must
provide additional safeguards or suspend transfers.
Standard Contractual Clauses
• The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent
protection can not be ensured.
1
Data Transfers Assessment Analysis of Supervisory Authorities’ guidance
Organisations should assess international data flows (and When the CJEU invalidated EU-US safe harbor in 2015, supervisory
specially to US) and on what basis - Privacy Shield, Standard authorities recognised that organisations needed guidance and time
2
Contractual Clauses or Binding Corporate Rules as well as to implement such decision. It is expected that supervisory
analysis of the local laws in the recipient country. authorities take the same approach this time and provide clear
guidance on organisations’ necessary measures and timings.
3
Develop a Data Transfer Risk Assessment Model Adjustment from Privacy Shield to alternative
Subject to guidance from supervisory authorities, safeguards
organisations shall define and implement a Data Transfer Where the Privacy Shield was used to legitimize the international
Risk Assessment Model in order to understand to which
4
data transfer, organisations should take steps now to ensure
countries personal data is being transferred, if public coverage under another safeguard such as Standard Contractual
authorities in that country could be entitled to access the Clauses.
data and its lawful basis, the security measures
implemented or to be implemented in transit.