
6. Developments Post Judgment in Schrems II

29. The judgment of the CJEU in Schrems II was undoubtedly a very significant one. All parties were agreed on that. In correspondence with Mr. Schrems’ solicitors, Ahern Rudden Quigley (“ARQ”), after the judgment, the DPC’s solicitors, Philip Lee, described the judgment as being “transformative of the law as it relates to EU/US data transfers” (letter from Philip Lee to ARQ dated 24th July, 2020). That description was repeated in the DPC’s letter to ARQ dated 10th September, 2020.

30. The DPC issued a statement on the day of the CJEU judgment which included the following comments:-

“Reflecting the complexity of many of the legal issues it addresses, the judgment (and, indeed, the case as a whole) has many layers, each of which will require careful consideration in the coming days and weeks.

So, while in terms of the points of principle in play, the Court has endorsed the DPC’s position, it has also ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, although it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable. This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis.

As well as providing clarity on points of substance, today’s judgment also contains important statements of position relating to matters of process, to include the allocation of responsibility between data controllers and national supervisory authorities when it comes to ensuring that the rights of EU citizens are protected in the context of EU/US data transfers. While noting the Court’s reference to the fact that a supervisory authority could not suspend data transfers while an adequacy decision – such as Privacy Shield – was in force, the DPC acknowledges the central role that it, together with its fellow supervisory authorities across the EU, must play in this area. In that regard, we look forward to developing a common position with our European colleagues to give meaningful and practical effect to today’s judgment.”

31. The EDPB (which was established under Article 68 of the GDPR and consists of representatives of the supervisory authorities in each Member State, as well as the European Data Protection Supervisor) issued a document on 23rd July, 2020 which answered a number of questions arising from the CJEU’s judgment in Schrems II (the “FAQ document”). It is only necessary to refer to a few of the questions in the FAQ document. In response to Question 5 which asked: “I am using SCCs with a data importer in the US, what should I do?”, the EDPB stated:-

“The Court found that US law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.

Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
