As all privacy community already know, the CJEU has today struck down EU-US Privacy Shield scheme, while confirming the validity of SCC.
Arguments against Privacy Shield has changed little since the ‘Schrems I’ decision that invalidated Safe Harbour – governmental intrusion, lack of proportionality, ineffective role of ombudsperson.
What is really new is that a EU-based data controller relying upon SCC is now expected to assess how public authorities in third countries obtain access to personal data and how legal system in those countries works.
Two questions still remain:
1. How such controllers in question are expected to conduct such evaluation? Any methodology in this regard? It may seem somewhat similar to what we have in Article 45(2) – which factors Commission shall evaluate when issuing adequacy decisions. However, a private entity living with SCC is not a EU body and often does not have sufficient resources and understanding as to how to conduct the research and put necessary safeguards in place.
2. Enforcement. Amid DPAs facing lack of financial resources and manpower, the CJEU’s decision puts even extra burden on them. Thus, a newly invented (by CJEU) requirement may easily end up becoming unviable with no practical effect due to insufficient oversight.
Bonus question: taking into account the ‘accountability’ principle, how exporting controllers should demonstrate their compliance with the new obligation?
Hopefully, answers are yet to come.