The Schrems 2 Judgment is here, in the typical the good, the bad and the ugly style the court has ruled:
The good: The SCCs remain a valid mechanism for the export of personal information from EU companies to organisations overseas.
The bad: Privacy shield, unpopular since birth, has been shot down. This is owing to the primacy of US surveillance and security laws, which the CJEU found to be disproportionate and undermining of data subjects rights. Note that the EU-US privacy shield mechanism has been invalidated.
The ugly: The CJEU has made it crystal clear that it is up to controllers to determine whether the SCCs will sufficiently protect personal information transferred to third countries in light of the third country's surveillance laws .
The plot thickens:
- Companies transferring to the US under Privacy Shield will now need to do a re-papering exercise towards the contractual protections in the SCCs or take a practical step to host personal information in more secure jurisdictions. But the question still remains: will having SCCs in place still be good enough to transfer data to the US (considering the US’ surveillance is what shot down the Shield)?; and
- How does this affect other big players (for example, China) who also have extensive surveillance laws?
More details to follow.
You may also be interested in this related article: EDPB releases an international transfers FAQ document in response to Schrems II