“Schrems II”: Impacts on agreements involving processing personal data outside the EEA

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (the Schrems II Decision). The judgment invalidates the EU-U.S. Privacy Shield adequacy decision from the European Commission (the Privacy Shield Decision). It also requires EU data exporters relying on the European Commission’s Standard Contractual Clauses to transfer personal data to any third country to verify, prior to undertaking such transfer, that the level of protection granted by the recipient in such country will be adequate.

One week later, the European Data Protection Board (EDPB) issued a Frequently Asked Questions document on the Schrems II Decision (the FAQ), which clarifies some of the consequences regarding processing arrangements that involve reliance on the Privacy Shield, Standard Contractual Clauses, Binding Corporate Rules and the EU’s General Data Protection Regulation (GDPR) Article 49 derogations.

Read Elisa Henry’s summary on some of the key effects of the Schrems II Decision and its immediate impact for organizations processing personal data outside of the European Economic Area (EEA). The EDPB is expected to issue further guidance shortly, and the European Commission indicated it is working closely with its U.S. counterpart to find an alternative to the Privacy Shield, to provide a strengthened and durable transfer mechanism.

This content has been updated on July 31, 2020 at 9 h 00 min.