Judgment of the CJEU on Data Protection Commissioner v Facebook Ireland Ltd. and Maximilian Schrems

In its judgment in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd. and Maximilian Schrems delivered on 16 July 2020, the Court of Justice confirmed the high standard of personal data protection with regard to the transfer of personal data to third countries.

The CJEU invalidates Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. Consequently, from the date of delivery of the judgment, i.e. 16 July 2020, the transfer of data to importers in the United States of America can no longer take place on this basis.

At the same time, the CJEU confirmed the continued validity of the Commission Decision 2010/87 on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries. However, the Court stipulated that data subjects whose personal data are transferred to a third country pursuant to standard contractual data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by the GDPR read in the light of the Charter of Fundamental Rights of the European Union.

This means that controllers need to make an individual assessment of the level of protection afforded for such cross-border transfers, which must take into account not only the contractual provisions agreed between data exporters and importers, but also the laws in a third country, in particular those relating to possible access by the public authorities of that third country to the personal data transferred. Where, in the light of the assessment, the level of protection of personal data is not essentially equivalent to the level guaranteed in the EU, the transfer of data may be conditional on ensuring an equivalent level of protection by other means.

The President of the Personal Data Protection Office underlines the necessity of a coherent approach to the assessment of the consequences of the CJEU judgment throughout the European Union and the necessity of joint actions in this respect by national supervisory authorities cooperating within the European Data Protection Board (EDPB), in which the President of the Office is involved.

At its 34th plenary session on 17 July 2020, EDPB discussed the main issues related to the consequences of the judgment of the CJEU and announced the publication of further clarifications.

To read the press release of the EDPB click here.

2020-07-21 Metadane artykułu