DLP Insights

Privacy Shield: European Data Protection Board (EDPB) publishes a FAQ document on Court of Justice of the European Union (CJEU) judgement (Schrems)


31 Aug 2020

On 16 July 2020, the Court of Justice of the European Union (“CJEU” or “Court”) in its ruling “Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems C-311/18”, invalidated Decision no. 2016/1250 and the Agreement between the European Union and the United States of America on the protection and regulation of the European citizens’ personal data transfer to recipients located in the United States (“Privacy Shield”).

The European Data Protection Board (“EDPB”) has prepared “Frequently Asked Questions” (“FAQ”), which the Italian Data Protection Authority (“Garante”) translated into Italian.

These FAQs underlined that the other tools provided for by EU Regulation 2016/679 on the protection of personal data (“Regulation”), such as the “Standard Contractual Clauses” or “SCC” and the “Binding Corporate Rules” or “BCR”, can still be considered adequate to legally transfer personal data to recipients outside the European Union. It is highlighted that it was the parties’ responsibility to assess transfers on a case-by-case basis with the clarification that: “The European Data Protection Board is analysing the Court’s judgement to determine additional measures whether legal, technical or organisational, could be provided with SCC or BCR, to transfer data to third-party countries where SCC or BCR cannot provide sufficient guarantees.”

The FAQs refer to an additional tool as the legal basis for such transfers – data subject consent. It is reiterated that consent language must be simple and clear and must transparently inform data subjects about the possible risks that a transfer to the US or other foreign jurisdictions could entail.

Further tools provided by the Regulation as legal bases to legitimise transfers abroad are: (i) an adequacy decision on European requirements on personal data protection and (ii) compliance with Codes of Conduct or certification mechanisms which must be applied by the party to whom the data are transferred.

◊◊◊◊

In the light of the Court’s ruling and the EDPB’s FAQs, it will be the task of any organisation that transfers data to recipients outside the EU to carry out processing assessments and identify related risks, and the appropriate tool to legitimise the transfer.
