JUDGMENT OF THE COURT (Grand Chamber)
On 16 July 2020, the Court of Justice of the EU, in Case C‑311/18, Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, made the judgement (Schrems2) on the:
– the interpretation of the first indent of Article 3(2), Articles 25 and 26 and Article 28(3) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), read in the light of Article 4(2) TEU and of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (‘the Charter’);
– the interpretation and validity of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46 (OJ 2010 L 39, p. 5), as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ 2016 L 344, p. 100) (‘the SCC Decision’); and
– the interpretation and validity of Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46 on the adequacy of the protection provided by the EU-US Privacy Shield (OJ 2016 L 207, p. 1; ‘the Privacy Shield Decision’).
The request has been made in proceedings between the Data Protection Commissioner (Ireland) (‘the Commissioner’), on the one hand, and Facebook Ireland Ltd and Maximillian Schrems, on the other, concerning a complaint brought by Mr Schrems concerning the transfer of his personal data by Facebook Ireland to Facebook Inc. in the United States.
In short, the Court declared the EU-US Privacy Shield is invalid, while standard contractual clauses can be used, upon assessment, on case by case basis.
At this point, it is more crucial than ever to examine business cooperations and determine the role in personal data processing activities. Data controllers have to able to prove compliance with the General Data Protection Regulation (GDPR) and are responsible for personal data transfers and choosing data processors.
It is no longer possible to use Privacy Shield mechanism for transferring personal data to third countries, so it is important to ensure compliance with the GDPR by using other adequate safeguards.
EUROPEAN DATA PROTECTION BOARD
In order to clarify impacts of the Judgement, European Data Protection Board published frequently asked questions and answers that can help data controllers-data exporters to determine necessary steps.
We understand that this situation has caused lots of compliance burden to our clients. For this reason, we made simple workflow/decision tree that you can follow in order to asses your situation.