Schrems II case

24 November 2020 – Linda Eijpe

Consequences for the transfer of personal data to the US


Last summer, the European Court of Justice ruled in the Schrems II case that US national law does not provide a level of protection essentially equivalent to that guaranteed in the EU. National law allows US government authorities to access personal data transferred from the EU to the US for national security purposes. This national legislation leads to a limitation of the protection of the personal data that does not meet the level of protection guaranteed within the EU. Moreover, the data subjects have no rights enforceable in court against the US authorities under this legislation.

As a result, the Court declared the Privacy Shield invalid. This means that the transfer of personal data to US companies on the legal ground of the Privacy Shield is no longer permitted. It is uncertain whether personal data may still be transferred on the basis of the EU Standard Contractual Clauses (SCC). This has to be assessed on a case-by-case basis. Such an assessment has to take into account the circumstances of the transfer of the personal data and the supplementary safeguards that are put in place to ensure that the personal data enjoy a level of protection equivalent to that guaranteed in the EU.

Last week the European Data Protection Board published recommendations (including a roadmap) on the steps that the data exporter must take to find out which supplementary measures it needs to put in place to be able to transfer data outside the EEA. The recommendations also contain a list of examples of supplementary measures. The recommendations will be submitted to public consultation. We will inform you when these become final. In the meantime, we would of course be happy to assist you in carrying out the assessment regarding the additional safeguards.

Linda Eijpe