Schrems II Judgment on Cross Border Personal Data Flows Under EU-US Privacy Shield Mechanism: Good Diagnosis, Vague Prescription
Abstract
In the case of Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems [C-311/18] decided on July 16, 2020, the Court of Justice of the European Union with immediate effect invalidated the EU-US Privacy Shield mechanism for failing to provide protection equivalent to the EU GDPR regime. The EU-US Privacy Shield mechanism was a framework that was negotiated by the US Department of Justice and the European Commission as being adequate for enabling organizations to transfer personal data from the EU to the US. This article critically analyzes the judgment and its impact on various stakeholders - the EU based data exporter; the data recipient based in the US/third party country; national data protection authorities in the various EU nations; the US Government and the data owners based in the EU. This article also reviews the adequacy of other mechanisms for data transfer (like Binding Corporate Rules) and recommends certain additional safeguards that corporate organizations can consider to mitigate the risk of personal data transfer being invalidated on the ground of inadequacy of protection in the recipient country.