On 16/07/2020 the Court of Justice of the European Union (CJEU) issued a very important ruling in the context of the examination of Case C311/18 ‑ Data Protection Commissioner of Ireland v. Facebook & Max Schrems’ (Schrems II).
In that decision, the CJEU ruled the EU-US Privacy Shield (Commission Decision 2016/1250) invalid.
By the same decision, the CJEU considered that standard contractual clauses 2010/87 (hereinafter SCC) for the transfer of personal data to processors established outside the EU (Commission Decision 2010/87) remain valid for the transfer of personal data to the US, subject to specific conditions. In particular, prior to any transfer based on the SCC, the exporter – with the help of the data importer – must examine whether the level of data protection guaranteed by the GDPR is ensured in the third country concerned, taking into account the circumstances of the particular transfer and any additional measures the exporter can take. If the exporter concludes that an adequate level of protection is not provided, they must suspend the transfer and/or terminate the contract with the importer.
The European Data Protection Board, representing the European Supervisory Authorities, has issued a statement and then a text of Frequently Asked Questions on the Schrems II Decision, which will be supplemented as long as the EDPB continues its analysis of the CJEU decision.
In addition, the EDPB has decided to set up a task force to draw up recommendations to controllers and processors concerning appropriate complementary measures that they can take to ensure that the level of protection required by EU law is respected when they transfer personal data to third countries.