- Privacy Shield invalidated and use of appropriate safeguards (including Standard Contractual Clauses) requires case-by-case assessments (Facebook Ireland and Schrems)
- What are the practical implications of this case?
- Role of supervisory authorities
- Privacy Shield
- Other ‘appropriate safeguards’
- Personal data transfers to the US
- Personal data transfers to other jurisdictions
- Next steps
- What was the background?
- What did the court decide?
- Case details
Information Law analysis: Chapter V of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data outside of the European Economic Area (EEA) (which is deemed to include the UK during the Brexit implementation period), unless one of a number of specified transfer mechanisms is in place. On 16 July 2020 the Court of Justice, in the case known as Schrems II or Schrems 2, invalidated the widely used EU-US Privacy Shield mechanism and ruled that use of the commonly relied-on Standard Contractual Clauses (SCCs) requires organisations to have verified, based on a case-by-case assessment, that the SCCs provide an adequate level of protection for personal data in practice. The court’s ruling on SCCs has implications for other appropriate safeguards, including Binding Corporate Rules (BCRs). Written by Bridget Treacy, partner, and James Henderson, associate, at Hunton Andrews Kurth.