Nandini Singh, GLA University
ABSTRACT
The Personal Data transfers between the European Union and the United States were primarily covered by the Safe Harbor Agreement and Standard Contractual Clauses (SCC), but this cross-border data transfer between the EU and the US faced a backlash after the Court of Justice of the European Union (CJEU) gave a landmark judgment in the case of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Schrems II). CJEU, via this decision, invalidated the EU-US Privacy Shield Regulation and upheld the Standard Contractual Clauses (SCCs), provided it must be accompanied by specific “supplementary measures” to reach the bar of EU legal data protection. Unfortunately, the CJEU missed the opportunity to specify the directives to be considered supplementary measures. To fix this loophole, the European Data Protection Board (EDPB) took charge and framed a 6-steps approach to be counted as supplementary measures. Furthermore, the European Commission, in the wake of the Schrems II decision, updated the previous SCCs, formulated during Data Protection Directives 95/46, and introduced new SCCs in 2021 in greater compliance with the GDPR. These resulting developments increased the security and privacy level regarding the international flow of personal data. This article discusses the current cross-border data flow in the EU and third countries post-Schrems II verdicts.
Keywords: CJEU, Data Protection, GDPR, International Transfer, Schrems II.
Comments