In the ground-breaking judgement of DPC v Facebook Ireland & Schrems, also known as Schrems 2.0, the Court of Justice of the EU declared the European Commission's EU-US Privacy Shield Decision invalid, placing the majority of EU-US data transfers in violation of EU privacy law. The reason? US mass surveillance, which means the level of protection of personal data transferred to the US is not “adequate” compared to that in the EU. While the CJEU upheld the use of Standard Contractual Clauses ('SCCs'), Privacy Shield's most obvious alternative, it clarified some extensive considerations that organisations and authorities should assess when they use these model clauses.
Since then, a lot has happened, but uncertainty remains. Now that the dust has settled somewhat, this blog post aims to clear up some of the uncertainties through an overview of relevant events.
What is happening?
Current events can be summed up in a couple of key episodes:
- The CJEU case itself
- Frequently Asked Questions on the judgment by the EDPB
- Guidance by national supervisors
- Reactions to the lack of enforcement action by supervisors, for example by noyb, the organisation of Mr. Schrems
- A European Parliament Committee on Civil Liberties, Justice and Home Affairs meeting (2 and 3 September)
- Guidance on the use of SCCs by the EDPB (soon)
What is clear is that the Court invalidated the Privacy Shield. That practically means that organisations relying on it need to switch to another ground for transferring personal data to the US, or stop it completely.
In its FAQ, the EDPB answered the question of when by ruling out a ‘grace period’. Therefore: immediately.
And to which ground?
BCRs remain possible, but only for transfers within a group. One of the most obvious transfer grounds is therefore SCCs, but a lot remains unclear as to how this is done in practice.
As the CJEU judgement emphasised the task of national supervisors of suspending or prohibiting data transfers based on SCCs, depending on the level of data protection in the recipient country, the ball is now in their court.
Some supervisors, like that of the German state of Baden-Württemberg, have published their own practical steps to, in their eyes, comply with the judgement and let data flows continue.
Others, like the Dutch AP, refer to the European Data Protection Board ('EDPB'), which is examining the practical consequences of the ruling and what possible follow-up steps can be taken.
In the meantime, individuals and organisations like that of Mr. Schrems are expected to file complaints about organisations that transfer data to the US. Possibly, private action will take an upturn as well.
On the 3rd of September, 2020, a meeting of the European Parliament Committee on Civil Liberties, Justice and Home Affairs (including EC Commissioner for Justice Reynders) will discuss the judgement and its implications, which might give away some clues on what’s to happen next.
In the short to medium term, the EDPB will provide guidance on additional measures that organisations can include in model contracts. In the meantime, please consult guidance by your national supervisor.