The European Court of Justice (“ECJ”) has ruled in its judgment in the Data Protection Commissioner v Maximillian Schrems and Facebook Ireland case (C-311/18) that the Privacy Shield agreement (“Privacy Shield”) does not provide an adequate level of protection, according to the standards of the Charter of Fundamental Rights of the European Union (the “Charter”) and the General Data Protection Regulation (the “GDPR”). In its ruling, the ECJ considered, on one hand, the validity of the European Commission’s Decision 2010/87 on standard contractual clauses, and, on the other hand, the validity of the Privacy Shield agreement itself.
With respect to the validity of European Commission Decision 2010/87 on standard contractual clauses, the ECJ declared that, in its opinion, it complies with the guarantees set out in the Charter and in the GDPR, but noted that there are certain obligations that both the exporter and the importer of data must fulfil, such as, for example, and by way of illustration, checking that the country of destination of the data complies with minimum-security standards.
The entire content of the Legal Briefing can be found in the PDF.