You Want Answers? EDPB FAQ on CJEU Schrems II Decision

Following the recent judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, the European Data Protection Board (EDPB) has adopted a ‘Frequently Asked Questions’ document to provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.

en flag
nl flag
et flag
fi flag
fr flag
de flag
pt flag
ru flag
es flag

Content Assessment: EDPB FAQ on CJEU Schrems II Judgment

Information - 95%
Insight - 95%
Relevance - 100%
Objectivity - 100%
Authority - 100%

98%

Excellent

A short percentage-based assessment of the qualitative benefit of the recent post highlighting the EDPB FAQ on Schrems II.

Editor’s Note: The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. Recently, in response to the Court of Justice of the European Union (CJEU) judgment in the landmark Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) case, the EDPB published a frequently asked questions (FAQ) document designed to provide initial clarification and preliminary guidance on the judgment. Provided for your review and use is a complete copy of this recently published FAQ.

Taken from the European Data Protection Board (EDPB), Chair Andrea Jelinek

European Data Protection Board Publishes FAQ Document on CJEU Judgment C-311/18 (Schrems II)

Document Extract

This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).

The judgment C-311/18 can be found here, and the press release of the Court may be found here.

What did the Court rule in its judgment?

In its judgment, the Court examined the validity of the European Commission’s Decision 2010/87/EC on Standard Contractual Clauses (“SCCs”) and considered it is valid. Indeed, the validity of that decision is not called into question by the mere fact that the standard data protection clauses in that decision do not, given that they are contractual in nature, bind the authorities of the third country to which data may be transferred.

However, that validity, the Court added, depends on whether the 2010/87/EC Decision includes effective mechanisms that make it possible, in practice, to ensure compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR and that transfers of personal data pursuant to such clauses are suspended or prohibited in the event of the breach of such clauses or it being impossible to honor them.

In that regard, the Court points out, in particular, that the 2010/87/EC Decision imposes an obligation on a data exporter and the recipient of the data (the “data importer”) to verify, prior to any transfer, and taking into account the circumstances of the transfer, whether that level of protection is respected in the third country concerned, and that the 2010/87/EC Decision requires the data importer to inform the data exporter of any inability to comply with the standard data protection clauses, and where necessary with any supplementary measures to those offered by those clause, the data exporter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the data importer

The Court also examined the validity of the Privacy Shield Decision (Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield), as the transfers at stake in the context of the national dispute leading to the request for preliminary ruling took place between the EU and the United States (“U.S.”).

The Court considered that the requirements of U.S. domestic law, and in particular certain programs enabling access by U.S. public authorities to personal data transferred from the EU to the U.S. for national security purposes, result in limitations on the protection of personal data which are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, and that this legislation does not grant data subjects actionable rights before the courts against the U.S. authorities.

As a consequence of such a degree of interference with the fundamental rights of persons whose data are transferred to that third country, the Court declared the Privacy Shield adequacy Decision invalid.


Review the Complete FAQ Document (PDF)

FAQ on CJEU Schrems II Judgment – 24 July 2020

Read the original FAQ from the European Data Protection Board 


Additional Reading

Source: ComplexDiscovery

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know and we will make our response to you a priority.

ComplexDiscovery is an online publication that highlights data and legal discovery insight and intelligence ranging from original research to aggregated news for use by business, information technology, and legal professionals. The highly targeted publication seeks to increase the collective understanding of readers regarding data and legal discovery information and issues and to provide an objective resource for considering trends, technologies, and services related to electronically stored information.

ComplexDiscovery OÜ is a technology marketing firm providing strategic planning and tactical execution expertise in support of data and legal discovery organizations. Registered as a private limited company in the European Union country of Estonia, one of the most digitally advanced countries in the world, ComplexDiscovery OÜ operates virtually worldwide to deliver marketing consulting and services.

A (Brand) New Approach? Considering the Framework and Structure of eDiscovery Offerings

Today’s eDiscovery providers may benefit from the lessons learned in the creation of the Sgt. Pepper’s Lonely Hearts Club Band album by creating a concept for branding and packaging their offerings within that brand in a connected, theme-based way that represents the offerings’ promise and capability in a way that is easy to understand and remember.

This fictionalized branding approach was developed from the intellectual exercise of trying to figure out a reasonable and memorable way to descriptively highlight the promise and capabilities of offerings typically delivered by full-service eDiscovery providers. It may not be completely comprehensive or fully normalized. However, the hope of sharing this branding example is that it might help those involved in the branding and communication of eDiscovery provider services and solutions.

eDiscovery Mergers, Acquisitions, and Investments in 2020

Since beginning to track the number of publicly highlighted merger, acquisition,...

Relativity Acquires VerQu

According to Relativity CEO Mike Gamson, "It's imperative that the legal...

eDiscovery Mergers, Acquisitions, and Investments in Q4 2020

From Nuix and DISCO to Exterro and AccessData, the following findings,...

DISCO Closes Funding Round of $100 Million

According to DISCO CEO Kiwi Camara, “Legaltech is booming now, and...

A New Era in eDiscovery? Framing Market Growth Through the Lens of Six Eras

There are many excellent resources for considering chronological and historiographical approaches...

An eDiscovery Market Size Mashup: 2020-2025 Worldwide Software and Services Overview

While the Compound Annual Growth Rate (CAGR) for worldwide eDiscovery software...

Resetting the Baseline? eDiscovery Market Size Adjustments for 2020

An unanticipated pandemeconomic-driven retraction in eDiscovery spending during 2020 has resulted...

Home or Away? New eDiscovery Collection Market Sizing and Pricing Considerations

One of the key home (onsite) or away (remote) decisions that...

Five Great Reads on eDiscovery for December 2020

May the peace and joy of the holiday season be with...

Five Great Reads on eDiscovery for November 2020

From market sizing and cyber law to industry investments and customer...

Five Great Reads on eDiscovery for October 2020

From business confidence and captive ALSPs to digital republics and mass...

Five Great Reads on eDiscovery for September 2020

From cloud forensics and cyber defense to social media and surveys,...

Only a Matter of Time? HaystackID Launches New Service for Data Breach Discovery and Review

According to HaystackID's Chief Innovation Officer and President of Global Investigations,...

It’s a Match! Focusing on the Total Cost of eDiscovery Review with ReviewRight Match

As a leader in remote legal document review, HaystackID provides clients...

From Proactive Detection to Data Breach Reviews: Sensitive Data Discovery and Extraction with Ascema

A steady rise in the number of sensitive data discovery requirements...

A Running List: Top 100+ eDiscovery Providers

Based on a compilation of research from analyst firms and industry...

A Lifting of the Fog? Winter 2021 eDiscovery Business Confidence Survey Results

This is the twenty-first quarterly eDiscovery Business Confidence Survey conducted by...

Orion Nebula
A Nebulous Outcome? The Winter 2021 eDiscovery Business Confidence Survey

The eDiscovery Business Confidence Survey is a nonscientific quarterly survey designed...

High Five? An Aggregate Overview of Five Semi-Annual eDiscovery Pricing Surveys

As we are in the midst of a pandemic that has...

Balancing Relevance and Reality? Winter 2021 eDiscovery Pricing Survey Results

Based on the complexity of data and legal discovery, it is...