Schrems II judgment – despite its wording was easy to predict – surprised many entities transfering personal data to third countries. Most of such cases concern USA, because in that country are located servers of global corporations which offer many services also in Poland.
Summarizing that judgment it has to be said that a mechanism of data transfer based on “Privacy Shield” was questioned. In practice it means that the only legal instrument making such transfer possible are currently standard contractual clauses. However, in the judgment it was reserved that executing standard contratual clauses with an American entity does not by itself ensure the legality of data transfer. In order to achieve such legality, a data controller should assess whether a third country ensures proper security and whether on its territory there are efficient legal measures for protection of personal data subjects. In the light of the above, a data controller bears possible negative effects of an assessment which subsequently appears to be not consistent with an assessment made by a regulatory entity. It happens when services which such transfers concern, cannot be substituted by local services. As an example can be given a resignation from Facebook as an advertising platform and substituting it by…? Many data controlers transfer data on the basis of standard contractual clauses, because there is no other leagal ground and stopping using of some services is not possible. Such state is far from legal security.
Trying to solve the above problem, the European Data Protection Board, on November 10th, 2020, adopted:
- recommendations on supplementary measures in order to ensure a level of protection equivalent to that guaranteed within the EU and
- recommendations on essential guarantees for supervisory means.
The above documents are not yet avaliable (https://edpb.europa.eu/edpb). However, it seems that they are a step in good direction. We will be able to say more after reading that recommendations.