In its Frequently Asked Questions published on Friday 24 July (see EUROPE 12529/2), the European Data Protection Board (EDPB) states that the judgment of the Court of Justice in Case C-311/18, the so-called Schrems II judgment, has immediate consequences for the transfer of data outside the EU.
The document states that the judges’ decision makes data transfers between the EU and the US on the basis of the Privacy Shield illegal.
It adds that transfers carried out on the basis of standard contractual clauses (SCCs) or binding corporate rules (BCRs) are also affected by the judgment. The Board notes that “if you come to the conclusion that, taking into account the circumstances of the transfer and possible supplementary measures, appropriate safeguards would not be ensured, you are required to suspend or end the transfer of personal data”.
The independent European body stresses that the transfer of data to third countries is not prohibited per se, but must comply with a series of requirements laid down by European law, particularly the General Data Protection Regulation (GDPR). The EDPB sets out a series of reminders to clarify the ways in which Article 49 of the GDPR may be applied, as the Regulation contains provision for exemptions in specific situations.
The EDPB undertakes to assess the consequences of the judgment on the other transfer tools, in the light of Article 46 of the GDPR. The FAQs can be found at: https://bit.ly/3hDxTD2 (Original version in French by Sophie Petitjean)