The Luxembourg Data Protection Authority (CNPD) welcomes the judgement from the Court of Justice of the European Union (CJEU) in the case Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), rendered on July 16, 2020.
The CJEU has invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, as it found that it does not ensure a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental rights.
The CJEU has also ruled that the Standard Contractual Clauses (SCCs) transfer mechanism remains, in principle, valid. However, the Court underlined that the SCCs impose an obligation on a data exporter and the recipient of the data (the “data importer”) to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned. The SCCs also require the data importer to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clause, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer.
On 23 July, the EDPB adopted a document aiming at presenting answers to some frequently asked questions (“FAQ”)received by supervisory authorities. This document is available below and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union.