“Schrems II”: Impacts on agreements involving processing personal data outside the EEA

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (the Schrems II Decision). The judgment invalidates the EU-U.S. Privacy Shield adequacy decision from the European Commission (the Privacy Shield Decision). It also requires EU data exporters relying on the European Commission’s Standard Contractual Clauses to transfer personal data to any third country to verify, prior to undertaking such transfer, that the level of protection granted by the recipient in such country will be adequate.

One week later, the European Data Protection Board (EDPB) issued a Frequently Asked Questions document on the Schrems II Decision (the FAQ), which clarifies some of the consequences regarding processing arrangements that involve reliance on the Privacy Shield, Standard Contractual Clauses, Binding Corporate Rules and the EU’s General Data Protection Regulation (GDPR) Article 49 derogations.

This content has been updated on May 2, 2024 at 13 h 41 min.