The Court of Justice of the EU (CJEU) has delivered its landmark judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II), essentially declaring the EU-US Privacy Shield invalid and, most importantly, questioning and putting into perspective the extent to which EU based organisations can still rely on the European Commission’s Standard Contractual Clauses (SCC) for data processing outsourced to providers in the US and globally.
The CJEU found that, before a transfer of data may occur, there must be a prior assessment of the context of each individual transfer, that evaluates the laws of the country where the recipient is based, the nature of the data to be transferred, the privacy risks to such data, and any additional safeguards adopted by the parties to ensure that the data will receive adequate protection, as defined under EU Law. Further, the data importer is required to inform the data exporter of any inability to comply with the standard data protection clauses. If such protection is lacking the parties are obligated to suspend the transfer, or terminate the contract. While the SCC remain valid, their continued validity is subject to an additional step: the obligation to conduct the equivalent of a data protection impact assessment to ensure that the adequate protection is and will be provided and, subsequently, continuously monitored.
It is expected that the Greek and generally the EU/EEA member state data supervisory authorities will publish useful guidance on how to react to the decision. Some have already published comments and provided guidance.
This is a game changer; for more details on how this major development affects your organisation and for immediate compliance actions, you may contact the Data Privacy Practice of Ballas, Pelecanos & Associates L.P.C.
Due to the importance of the issue, the Lexing network (with Ballas, Pelecanos & Associates L.P.C. being it’s sole Greek representative), has already set up a working group of members in Europe and the USA in order to monitor developments in this issue.
