»Schrems II« judgement – The Court of Justice declares invalidity of the decision on adequacy of protection, provided by the EU-U.S. Privacy Shield

30 July, 2020

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a judgment in »Schrems II« case (DPC Ireland v. Facebook Ireland and Schrems), by which it declared invalidity of the decision no. 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield, which served as one of the grounds for the transfer of personal data from the EU to the U.S., while declaring that the standard contractual clauses (SCCs) for the transfer of personal data to third countries remain valid.

Under the General Data Protection Regulation (GDPR), the transfer of personal data to third countries is only permitted if the latter ensure an adequate level of personal data protection. This can be established by the European Commission in an adequacy decision (such as a »Privacy Shield«); in the absence of such a decision, data transfers to a third country are only permitted if the data exporters, established in the EU provide appropriate safeguards and provided that the data subjects have enforceable rights and effective legal remedies, e.g. using standard contractual clauses or binding corporate rules (Article 46 of the GDPR) or on the basis of the exceptions provided in Article 49 of the GDPR.

After the Court of Justice declared invalid the decision on the adequacy of protection on the basis of the so-called "Safe Harbor" agreement in 2015 (»Schrems I« judgment), the EU and the U.S. concluded the »Privacy Shield« Agreement. The adequacy of this agreement was confirmed by Commission in its Decision no. 2016/1250, thus eliminating the need for a special permit, safeguards under Article 46 or compliance with the special conditions of Article 49 of the GDPR when transferring personal data to US companies that were self-certified on the basis of the »Privacy Shield«.

In its »Schrems II« decision, the Court of Justice declared the decision no. 2016/1250 invalid. It justified the decision by stating that the protection of personal data as provided by U.S. law is not equivalent to the level of protection in the EU. It highlighted, in particular, the excessive powers of public authorities in accessing transferred personal data and the inadequacy of the powers of the institution of the U.S. Ombudsman, which is supposed to guarantee the right to a legal remedy.

At the same time, the court decided that the transfer of personal data on the basis of standard contractual clauses, enforced by the Commission Decision no. 2010/87, remains in force. That Decision contains effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection required by European Union law and to suspend or prohibit transfers of personal data in the event of an infringement pursuant to such clauses. In that regard, it emphasized that it is the obligation of both the data exporter and the recipient to verify that the required level of protection is respected in the third country. In the event that the recipient in unable to provide an adequate level of protection of personal data, he is obliged to inform the data exporter.

The declaration of invalidity of the Decision no. 2016/1250 does not therefore mean that the transfer of personal data to the U.S. will no longer be possible, as only one of the legal bases provided for in the GDPR ceased to apply. It is important, however, that controllers who have been transferring data to the U.S. under the Privacy Shield agreement justify the transfer on one of the remaining valid legal bases. At the same time, they will have to ensure that appropriate safeguards are in place to protect the privacy and fundamental rights and freedoms of individuals.

The full text of the judgment is available at this link.


  • in News 2024

    SAVE THE DATE: second Artificial Intelligence and Law conference

    On November 11 and 12, 2024, the second conference titled Artificial Intelligence and Law will take place in Portorož, organized by GV Publishing....
  • in News 2024, SELA

    SELA Regional News Q2 2024

    The latest overview of the most important regional legislative developments recently announced in the jurisdictions of SELA coverage is available....
  • in News 2024

    Finalisation of the AI Act

    On May 21, 2024, the EU Council gave the final approval to the AI Act, which was the final step in the legislative process that started in 2021. The final text will be published in the Official Journal of the EU in the coming weeks and will enter into force twenty days after the publication....