After the Schrems II ruling of 16 July 2020, companies transferring personal data to the US cannot use the EU-US Data Protection Shield to do so. Alternative solutions can be put in place together with EIPACC experts (please contact EIPACC if you need assistance).

In Schrems II the European Court of Justice of the European Union (CJEU) has ruled that the protection provided by the EU-US Data Protection Shield is not adequate and is therefore no longer a legal instrument for the transfer of personal data from the EU to the US.

However, Standard Contractual Clauses for the transfer of personal data to data controllers and/or processors established in third countries remain valid.

In Schrems II the CJEU has ruled that the EU-US Data Protection Shield (the Safe Harbor’s replacement) is also not legally valid as “that data may be processed by the authorities of the third country in question for the purposes of public security, defence and State security.”

In short, this means that the “level of protection essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the EU Charter of Fundamental Rights” cannot be guaranteed. The decision continues that the “requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.” In addition, the US “surveillance programmes based on those provisions are not limited to what is strictly necessary.”

The protections for EU citizens in the US are weak because US “provisions do not grant data subjects actionable rights before the courts against the US authorities.”

Finally, the CJEU ruled that the US Ombudsman, intended to help EU citizens make their case, does not have sufficient binding authority over the US intelligence services.

Click here for the full text of the CJEU Schrems II Ruling.

