Support Centre

Europe: Data protection authorities react to Schrems II judgment [updated 28 July 2020]

Following the publication of the Court Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), various European data protection authorities have issed statements in response to the judgment.

Croatia

The Personal Data Protection Agency ('AZOP') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Croatian, here.

Cyprus

The Office of the Commissioner for Personal Data Protection ('the Commissioner') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Greek, here

Czech Republic

The Office for Personal Data Protection ('UOOU') issued, on 16 July 2020, its statement on the Schrems II Case.

You can read the Statement, only available in Czech, here.

Denmark

The Danish data protection authority ('Datatilsynet') issued, on 17 July 2020, a statement on the Schrems II Case, outlining that it will work with the European Data Protection Board ('EDPB'), together with other EU data protection authorities, in order to carry out a detailed analysis of the judgment and its implications for the transfer of personal data to third countries and international organisations.

You can read the press release, only available in Danish, here.

EDPB

The European Data Protection Board ('EDPB') issued, on 17 July 2020, a statement on the Schrems II Case, welcoming the CJEU's judgment and highlighting the need to conduct adequacy assessments prior to transferring data under the SCC mechanism. 

You can read the full story here.

EDPS

The The European Data Protection Supervisor ('EDPS') issued, on 17 July 2020, a statement on the Schrems II Case, welcoming the CJEU's judgment and calling for federal US privacy reform.

You can read the full story here

Estonia

The Data Protection Inspectorate ('DPI') issued, on 17 July 2020, a statement on the Schrems II Case in which it highlighted that an adequacy assessment must be carried out when transferring data under SCCs, and published guidance in relation to the same.

You can read the full story here

Finland

The Office of the Data Protection Ombudsman issued, on 16 July 2020, a statement on the Schrems II Case, noting that the EDPB will assess the implications of the ruling at its plenary session on 17 July 2020, and will release more information on the effects of the ruling in the near future.

You can read the press release, only available in Finnish, here

France

The French data protection authority ('CNIL') issued, on 17 July 2020, a statement in which it stated that it will carry out and in-depth analysis of the Schrems II Case and assess impact for EU-US data transfers. 

You can read the full story here.

Germany: Berlin

The Berlin data protection authority ('Berlin Commissioner') issued, on 17 July 2020, a statement in which it, among other things, asked controllers to stop data transfers to the US.

You can read the full story here

Germany: Federal

The Federal Commissioner for Data Protection and Freedom of Information ('BfDI') issued, on 16 July 2020, a statement in which it highlighted that there will be an onus on supervisory authorities and companies following the Schrems II Case.

You can read the full story here.

The German Data Protection Conference ('DSK') issued, on 28 July 2020, a statement including a first assessment on the impact the Schrems II Case has on data transfers to the US and other third countries.

You can read the full story here

Germany: Hamburg

The Hamburg Commissioner for Data Protection and Freedom of Information ('HmbBfDI') issued, on 16 July 2020, a statement in which it highlighted inconsistencies with regard to Standard Contractual Clauses ('SCCs') and the expanding role of supervisory authorities with regard to international data transfers. 

You can read the full story here.

Germany: Rhineland-Palatinate

The Rhineland-Palatinate data protection authority ('LfDI Rheinland-Pfalz') issued, on 16 July 2020, a statement and frequently asked questions in which it emphasised the work needed for organisations to reassess data transfer practices in light of the Schrems II Case, and stressed organisations' audit obligations.

You can read the full story here.

Germany: Thuringia

The Thuringia State Commissioner for Data Protection and Freedom of Information ('TLfDI') issued, on 16 July 2020, a statement in which it expressed, among other things, concerns about the impact of the Schrems II Case on SCCs. 

You can read the full story here

Iceland

The Icelandic data protection authority ('Persónuvernd') issued, on 16 July 2020, a statement on the Schrems II Case, highlighting that the EDPB will discuss the judgment during its meeting on 17 July 2020, and that Persónuvernd will release further guidance in the coming days.

You can read the press release, only available in Icelandic, here.

Ireland

The Data Protection Commission issued, on 16 July 2020, a statement in which, among other things, it questioned the future validity of SCCs.

You can read the full story here.

Italy

The Italian data protection authority ('Garante') issued, on 29 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Italian, here.

Latvia

The Data State Inspectorate ('DVI') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Latvian, here.

Liechtenstein

The Liechtensteiner data protection authority ('DSS') issued, on 17 July 2020, a statement in which it highlighted that, until a new agreement with the US on data transfers is agreed, organisations will have to rely upon appropriate safeguards under Article 46 of the GDPR, and in particular upon SCCs, and updated its guidance on international data transfers in light of the same.

You can read the full story here

Luxembourg

The National Commission for Data Protection ('CNPD') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in French, here.

Norway

The Norwegian data protection authority ('Datatilsynet') issued, on 16 July 2020, a statement in which it noted, among other things, that any companies currently using the EU-US Privacy Shield framework must consider other bases for transferring data to the US, and that it will collaborate with other supervisory authorities in the EEA in order to provide further guidance to assist companies' compliance with the decision.

You can read the full story here.

Datatilsynet published, on 27 July 2020, Questions & Answers on the Schrems II Case.

You can read the full story here.

Romania

The National Supervisory Authority for Personal Data Processing ('ANSPDCP') issued, on 20 July 2020, its statement on the Schrems II Case.

You can read the statement, only available in Romanian, here.

Slovenia

The Information Commissioner issued, on 16 July 2020, a statement in which it highlighted, among other things, that organisations that export data to the US and have so far relied on the recipient company to be included in the EU-US Privacy Shield List, they must ensure that transfers are justified on another basis as soon as possible (e.g. SCCs, Binding Corporate Rules ('BCRs'), and exceptions), otherwise personal data may not be transmitted in the US.

You can read the full story here.

Slovakia

The Office for Personal Data Protection of the Slovak Republic ('ÚOOÚ') issued, on 16 July 2020, its statement on the Schrems II Case.

You can read the Statement, only available in Slovak, here.

Spain

The Spanish data protection authority ('AEPD') issued, on 22 July 2020, its statement on the Schrems II Case, calling for a common European approach to international data transfer regulation going forward. 

You can read the full story here

Switzerland

The Federal Data Protection and Information Commissioner ('FDPIC') issued, on 16 July 2020, a statement in which, among other things, it stated that the Schrems II Case is not directly applicable to Switzerland.

You can read the full story here.

UK

The Information Commissioner's Office ('ICO') issued, on 16 July 2020, a statement in which it announced its intentions to support UK organisations following the Schrems II Case, as well as work with government and international agencies to ensure the continuation of international data transfers.

You can read the full story here.

In addition, the UK Government, issued, on 17 July 2020, a statement in which, among other things, it expressed its disappointment that the Privacy Shield had been invalidated. 

You can read the full story here