SCHREMS II

Summary

The case was brought by Max Schrems, an Austrian privacy activist, who challenged the transfer of his personal data by Facebook Ireland to servers located in the United States. Schrems argued that U.S. laws did not provide sufficient protection for the personal data of European Union citizens, and that EU citizens had no effective legal remedies in the U.S. courts.

The case was referred to the Court of Justice of the European Union (CJEU), which examined the legality of the transfer of personal data from the EU to the United States under the EU-U.S. Privacy Shield Framework.

The decision of the European Court of Justice

In its ruling, the CJEU invalidated the Privacy Shield, finding that it did not provide adequate protection for the personal data of EU citizens transferred to the United States. The Court stated that U.S. laws did not offer EU citizens adequate protection from U.S. intelligence agencies, and that EU citizens had no effective legal remedies in the U.S. courts.

Our remarks

• Before transferring personal data to a third country like the US, one should assess the risk of the transfer and evaluate the adequacy of the protection offered by the recipient country. This is done through a Transfer Impact Assessment (TIA). We have made a roadmap for doing this, which you can read here.
• When assessing the adequacy of the level of data protection in the third country, the following needs to be assessed:
  ° The adequacy of the legal framework. This can involve assessing the comprehensiveness of the legal framework, as well as the enforcement mechanisms in place to ensure compliance.
  ° The practice conducted by the legal entities of the country. For example, the possibility of government surveillance should be assessed. This can involve evaluating the legal framework for surveillance, as well as any known instances of government surveillance or censorship.
• At the time of writing, the transatlantic data transfer agreement, named the EU-US Data Privacy Framework (DPF), has been approved by the European Commission. This means that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply. You can read more about it here.

Published: 16-07-2020, Journal number: C-311/18
Tags: 06 Transfers to third countries
Complycloud EU GDPR Report