On July 16, 2020, the Court of Justice of the European Union handed out its decision on Case C311-18 Data Protection Commission vs. Facebook Ireland, Max Schrems. The historic ruling invalidated the EU-U.S. Privacy Shield framework and validated standard contractual clauses with an additional layer of requirements when exporting EU citizens’ data to a third country. The invalidation of Privacy Shield and the additional requirements for SCCs have created uncertainty for organizations using these data transfer mechanisms. In response, data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out. The IAPP will continue to update this page as new guidance emerges.
If you are aware of existing DPA or government guidance not yet included on this page, please let us know.
DPA and government guidance
European Commission
European Data Protection Board
European Data Protection Supervisor
Czech Republic
Denmark
Estonia
Finland
France
Germany (Berlin)
- Baden-Württemberg: View Guidance
- Berlin: View Guidance
- Federal: View Guidance
- Hamburg: View Guidance
- Rhineland-Palatinate: View Guidance, View FAQ
- Thuringia: View Guidance
- Conference of German DPAs: View Guidance
Ireland
Italy
Liechtenstein
Lithuania
Netherlands
Norway
Poland
Slovenia
Spain
Switzerland
United Kingdom
U.S. Department of Commerce