NEWSFLASH: The “Schrems II” decision

Last Updated on August 12, 2020

With decision no. C-311/18, so-called “Schrems II”, the European Court of Justice has declared the invalidity of EU Commission decision no. 2016/1250, which established the adequacy of the protection granted to personal data imported from the EU to the US by the so-called Privacy Shield EU-US.

In particular, the EUCJ reported that, due to certain characteristics of the US internal legislative system, its level of protection of personal data cannot be considered equivalent to that granted by EU countries.

On the other hand, with the same decision, the Court declared the validity of EU Commission decision no. 2010/87/CE on standard contractual clauses. 

However, the Court reported that, considering that the level of personal data protection in the US is not equivalent to the European one, when transferring data from the EEA to the US, an evaluation must be performed in order to verify if, considering the factual situation and the specific measures in place, the level of data protection can be considered adequate. If the outcome of the evaluation is negative, then the necessary actions must be taken in order to guarantee an adequate level of protection of the data or, where this is not possible, the data transfer must be stopped immediately.

The FAQs of the European Data Protection Board 

On July 23, 2020 the EDPB also issued a series of FAQs regarding this decision clarifying that the same reasoning used by the Court for the SCCs is applicable to the transfers performed on the basis of Binding Corporate Rules and to the transfers from the EEA to third countries different from the US: the adequacy and effectiveness of the data protection in the importing country, to sum up, must always be verified by the data exporter and the data importer and cannot be simply assumed by them.

The impact of the decision

The above confirms, should it still be necessary, that GDPR and data protection rules are far from being just a series of formal obligations; they have a huge and immediate impact on the data transfers to countries outside the EEA and necessitate a series of thorough controls and evaluations when performing such transfers. It necessarily involves data exporters and data importers, data controllers and data processors/sub-processors (if any) and the assistance of privacy legislation experts (both in the exporting and the importing country).

What happens now

In light of the above, the advisable next steps for companies are:

  • a review of the transfers carried out to countries outside the EEA, a review of the basis for the transfers and a review of the subjects involved;
  • an evaluation (possibly issuing a written document) of the level of protection of personal data in the importing country, together with the importing entity if different from the exporter;
  • in case of a positive outcome of the evaluation, the transfer can continue. But in case of a negative outcome, the company must take all the necessary measures to render the protection of data adequate or stop the transfer.