In exactly one week, on the 16th of July, one of the most anticipated cases in data protection, case C-311/18 — Facebook Ireland versus Schrems — will be delivered by the EU Court of Justice (ECJ). What’s at stake is if international flows of personal data to and from the EEA can continue as is now, or if major changes will be required. The verdict in the groundbreaking "Schrems 2.0" case will dictate whether the widely used Standard Contractual Clauses (SCCs) and the EU/USA Privacy Shield will remain a valid means of transferring personal data to countries outside the EEA under the EU’s GDPR. As these mechanisms are used for a large majority of international data transfers, this may in turn have a large impact on organisations around the globe. In preparation for the case, we analyse the road so far, and what the possible outcomes could mean for your organisation in regard to data privacy.
The COM(2016) 117 document issued today by the Commission clarifies the EU U.S. Privacy Shield agreed on February 2. Its first part reads like an advertising brochure for the new Regulation (GDPR) which is not issued yet and will take another two years to become effective. Its current relevance to the demised Safe Harbour agreement is not at all clear. It seems more of an attempt to emphasise how serious the Commission’s