On 16 July 2020, the Court of Justice of the European Union issued its decision in the case Data Protection Commissioner v Facebook Ireland and Max Schrems (Schrems II). The decision invalidates the European Commission’s adequacy decision for the EU-US Privacy Shield, which is relied on by thousands of US companies in relation to their compliance with EU data protection rules.
The first Schrems decision of the European Court (2015) involved a complaint by an Austrian privacy advocate, Max Schrems, about Facebook transferring his personal data to the US under EU law, relying on the Safe Harbour arrangement between the EU and the US in place at the time. In that case, the Court invalidated the arrangement due to a lack of adequate safeguards required under EU law.
The recent Schrems II decision was concerned with the validity of the EU-US Privacy Shield. The Court has now declared this EU/US arrangement is also invalid.
The Court in Schrems II also examined the validity of standard contractual clauses as a means of transferring personal data. While the decision upholds the validity of standard contractual clauses, it requires businesses and organisations to conduct case-by-case analyses to determine whether foreign protections meet EU standards. The Court stated that the test to assess whether foreign protections provide an appropriate safeguard is that of “essential equivalence”.
Although this decision does not directly affect personal data transfers between the EU and New Zealand, the Court’s decision is a significant development in the context of international data transfers. For New Zealand businesses and organisations dealing with the EU, it remains important to consider what data transfers will occur and what safeguards are in place to protect that data. This will be particularly significant if the New Zealand business or organisation has operations in relation to the EU that mean it is subject to the EU’s data protection laws (the GDPR) and the transfer is to a country that does not have adequacy status. Transfers to New Zealand are permitted due to New Zealand’s adequacy status.
How we can help
Lane Neave has a specialist technology and privacy law team. From start-ups and SMEs to large corporates, we are keen to work with you and your technology projects. If you want to understand how we can help your business, or you would like to discuss this article in the context of your business, please get in touch.
Click here for other Corporate Law articles.