In July, the European Court of Justice (ECJ) issued a shock verdict in the Schrems II court case, invalidating the Privacy Shield, a mechanism by which EU and UK businesses can transfer data to the US. Although the full implications of this ruling are still uncertain, it will impact businesses across the economy.
What is Schrems II?
The ‘Schrems II’ court case was originally brought by privacy rights activist Max Schrems, challenging data transfers from Facebook Ireland to Facebook US through Standard Contractual Clauses (SCCs), a mechanism by with EU member states can transfer data to third countries under the GDPR.
The ECJ upheld the validity of SCCs, but businesses and Data Protection Authorities (DPAs) will have to scrutinise their use much more:
- For businesses: data exporters and importers will have to verify that the safeguards offered by SCCs can be enforced in third country – essentially amounting to a case-by-case assessment of data transfer