Schrems II: Statement on international data transfer

On Thursday, the Advocate General of the Court of Justice of the European Union (CJEU) delivered his opinion on data transfers in the so-called "Schrems II" legal case.

 

Why are international data transfers important?

Data transfer between the EU and the USA is more at stake than ever. The European GA is questioning the validity of the Privacy Shield. It proposes, and the EU generally follows these proposals, to decide that the Standard contractual clauses are generally valid, but that if a data importer is unable to provide the guarantees given by signing the model clauses, the importer is contractually obliged to notify the exporter of the data so that the data transfer is stopped and the data subjects are notified. This is particularly the case if national security regulations prevent an adequate level of data protection and make it impossible to provide the guarantees that the data importer has undertaken to provide. This applies to importers such as Microsoft, Amazon, Google, Facebook, ... who must comply with the Foreign Intelligence Surveillance Act (FISA).

The GC indicated that the CJEU does not have to rule on the Privacy Shield in the context of this decision, but nevertheless set out his opinion in the event that the Court should also rule on the Privacy Shield. It made it quite clear that the Privacy Shieldas well as the Safe Harbor certification, is still more of a marketing label than providing the protections required by the EU courts in the Safe Harbor decision, and that he would suggest that the Privacy Shield be declared invalid again.