International data transfers: CNPD statement following invalidation of “Privacy Shield”

The Luxembourg Data Protection Authority (CNPD) welcomes the judgement from the Court of Justice of the European Union (CJEU) in the case Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), rendered on July 16, 2020.

The CJEU has invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, as it found that it does not ensure a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental rights.

The CJEU has also ruled that the Standard Contractual Clauses (SCCs) transfer mechanism remains, in principle, valid. However, the Court underlined that the SCCs impose an obligation on a data exporter and the recipient of the data (the “data importer”) to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned. The SCCs also require the data  importer to  inform  the  data  exporter  of  any  inability  to  comply  with  the standard  data  protection  clauses, and  where  necessary  with  any supplementary  measures to those  offered  by  those  clause,  the data  exporter then  being,  in  turn,  obliged  to  suspend  the transfer of data and/or to terminate the contract with the data importer.

On 23 July, the EDPB adopted a document aiming at presenting answers to some frequently asked   questions (“FAQ”)received   by supervisory authorities. This document is available below and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union.

Dernière mise à jour