DPA and government guidance on ‘Schrems II’

On July 16, 2020, the Court of Justice of the European Union handed out its decision on Case C311-18 Data Protection Commission vs. Facebook Ireland, Max Schrems. The historic ruling invalidated the EU-U.S. Privacy Shield framework and validated standard contractual clauses with an additional layer of requirements when exporting EU citizens’ data to a third country. The invalidation of Privacy Shield and the additional requirements for SCCs have created uncertainty for organizations using these data transfer mechanisms. In response, data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out. The IAPP will continue to update this page as new guidance emerges.

If you are aware of existing DPA or government guidance not yet included on this page, pl ease let us know.

European Commission

View Guidance

European Data Protection Board

European Data Protection Supervisor

View Guidance

Czech Republic

View Guidance

Denmark

View Guidance

Estonia

View Guidance

France

View Guidance

Germany (Berlin)

Baden-Württemberg: View Guidance
Berlin: View Guidance
Federal: View Guidance
Hamburg: View Guidance
Rhineland-Palatinate: View Guidance, View FAQ
Thuringia: View Guidance
Conference of German DPAs: View Guidance

Ireland

View Guidance

Italy

View Guidance

Liechtenstein

View Guidance

Lithuania

View Guidance

Netherlands

View Guidance

Norway

View Guidance

Poland

View Guidance

Slovenia

View Guidance

Spain

View Guidance

Switzerland

Swiss Data Protection and Information Commissioner Statement

United Kingdom

View Guidance

U.S. Department of Commerce

Tags: , , , ,

EU-US Privacy Shield

This topic page contains a curation of the IAPP's coverage, analysis and relevant resources covering the EU-U.S. Privacy Shield....

Schrems, Ustaran react to CJEU's ruling on Privacy Shield, SCCs

Privacy professionals are now operating in a different world following the Court of Justice of the European Union's ruling in the "Schrems II" case. The EU-U.S. Privacy Shield agreement is now invalid. The CJEU upheld standard contractual clauses; however, third countries must have the proper prot...

Read More Save This

Infographic: The impact of the CJEU’s decision on 'Schrems II'

The Court of Justice of the European Union declared the EU-U.S. Privacy Shield arrangement is invalid. However, it did uphold the validity of standard contractual clauses, with a caveat: the third country to which EU data is transferred must have protections in place, particularly around access by...

Read More Save This

Dixon, Serwin discuss 'Schrems II,' future of data transfers

There's never a dull moment in the world of privacy. This was proven again July 16 with the Court of Justice of the European Union shaking up the space with its decision to invalidate the EU-U.S. Privacy Shield and uphold standard contractual clauses with more explicit provisions on adequacy and pro...

Read More Save This

What does 'Schrems II' mean for EU-UK data flows?

Escaping the jurisdiction of the Court of Justice of the European Union has long been a battle cry of Brexit-supporting politicians and voters. However, the idea that the CJEU would no longer have influence over the post-Brexit U.K. was always fanciful, and the CJEU's seismic judgment in the “Schrem...

Read More Save This

ResourceCenter

All the privacy tools and information you need in one easy-to-find place

Ready to Get Certified?