DPA and government guidance on ‘Schrems II’

On July 16, 2020, the Court of Justice of the European Union handed out its decision on Case C311-18 Data Protection Commission vs. Facebook Ireland, Max Schrems. The historic ruling invalidated the EU-U.S. Privacy Shield framework and validated standard contractual clauses with an additional layer of requirements when exporting EU citizens’ data to a third country. The invalidation of Privacy Shield and the additional requirements for SCCs have created uncertainty for organizations using these data transfer mechanisms. In response, data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out. The IAPP will continue to update this page as new guidance emerges.

If you are aware of existing DPA or government guidance not yet included on this page, please let us know.

  European Commission

  European Data Protection Board

  European Data Protection Supervisor

  Czech Republic

  Denmark

  Estonia

  France

  Germany (Berlin)

  Ireland

  Italy

  Liechtenstein

  Lithuania

  Netherlands

  Norway

  Poland

  Slovenia

  Spain

  Switzerland

  United Kingdom

  U.S. Department of Commerce