Germany: BfDI highlights increased onus on supervisory authorities and companies following Schrems II judgment
The Federal Commissioner for Data Protection and Freedom of Information ('BfDI') issued, on 16 July 2020, its statement ('the Statement') on the Court of Justice of the European Union's ('CJEU') judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). In particular, the BfDI highlighted that international data transfers remain possible, but that special protective measures must now be taken for data exchanges with the US as companies and authorities can no longer transmit data on the basis of the EU-US Privacy Shield, which the CJEU has invalidated. In addition, the BfDI noted that the Judgment had placed high demands on special protective measures, such as Standard Contractual Clauses ('SCCs'), which companies and authorities must adopt and which supervisory authorities must examine.
Furthermore, the BfDI stated that the CJEU had confirmed and strengthened the role of data protection supervisory authorities as they will have to verify whether each individual data processing activity meets the CJEU's requirements, and as they will have to prohibit exchange of data if the requirements are not met. Moreover, the BfDI noted that companies, authorities, as well as the supervisory authorities now have the complex task of acting in accordance with the Judgment. Moreover, the BfDI stipulated that it will push for rapid implementation in particularly pertinent cases.
Finally, the BfDI stated that it will make further comments following the publication of the entire Judgment and the discussions in the European Data Protection Board, and that the main focus will be on the revision of SCCs by the European Commission, as well as the need for the US to ensure that the basic rights of the European population are assimilated to those of US nationals.
You can read the Statement, only available in German, here