Under the General Data Protection Regulation (GDPR), personal data transfer outside of the EEA (i.e. EU and Norway, Lichtenstein and Iceland) or to international organisations are allowed only if one of the following conditions is met:
the third country is recognised as providing an adequate level of protection via an adequacy decision adopted by the European Commission;
adequate safeguards are implemented (e.g. EU Standard Contractual Clauses, BCR, approved certification or code of conduct.);
a derogation provided for in article 49 is applicable (e.g. express consent, vital interest etc.).
On 23 July 2020, the European Data Protection Board (EDPB) released a FAQ on the consequences of the CJEU’s judgement of 16 Juley 2020 (Schrems 2)
This judgment invalidates the Privacy Shield, an EU-US data transfer mechanisms, and conditions the validity of the Standards contractual clauses (SCCs), another transfer mechanisms, to the prior analysis of the level of protection provided by the third country recipient and the implementation of additional measures where necessary.
This FAQ provides a glimpse of the position of the Authorities following the CJEU Decision that calls into question the possibility to transfer any personal data to the US. However, the EDPB remains relatively unspecific as it is currently working on more detailed guidance that should be released shortly.
By a judgment of 16 July 2020 (Case C‑311/18 – Schrems 2), the Court of Justice of the European Union (CJEU) upholds the decision of the European Commission adequacy decision on the Standard Contractual Clauses (SCCs) but declares the Privacy
Following the judgement in Schrems of October 6, 2015, invalidating the Safe Harbor decision, the CJEU is now requested by the same party to rule on the validity of the decision 2010/87 instating the Standard Contractual Clauses (SCCs) and indirectly,