Schrems II: The CJEU Declares EU-U.S. Privacy Shield Invalid, Upholds the SCCs and Calls on 27 Supervisory Authorities to Ensure Their Compliance

In a highly-anticipated landmark judgment handed down on July 16, 2020, the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems has:

• invalidated the European Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Data Protection Shield (the “EU-US Privacy Shield”) for transfer of personal data from the EU to entities certified under the mechanism located in the United States;
• upheld the European Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established outside the EU (the “SCCs”); and
• reminded that a transfer of data based on SCCs may be challenged before the competent supervisory authority, which has to “suspend or prohibit”, on a case-by-case basis, any such transfer when, in its view, the SCCs “are not or cannot be complied with.”

Click here, to continue reading on the Cleary Cybersecurity and Privacy Watch blog.